VSFTPD Error: GnuTLS error -9: A TLS packet with unexpected length was received.
I was tasked with configuring VSFTPD to allow SFTP or FTPES (FTP over explicit TLS/SSL) tonight for a client. The configuration already had regular FTP working, which I verified using FileZilla as an FTP client. I was able to log in and transfer files in both directions to and from the server. Next I verified that SFTP worked without issue, and I was also able to transfer files in both directions using SFTP. For FTPES I had to make some changes, and once I made the changes I was still getting an error when attempting to do a directory listing using FileZilla. Below I describe the initial changes I made to vsftpd.conf, the errors I received attempting to connect with FTPES, and the way I resolved the problem.
Configure VSFTPD For FTPES or File Transfer Protocol With Explicit TLS/SSL:
First generate an SSL certificate to use with the FTP server by running the command below from the Linux server CLI.
Generate SSL Certificate For VSFTPD Server:
# 2048-bit RSA key; 1024-bit RSA is no longer considered adequate
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem
You will be required to fill in the typical SSL certificate information such as country, state, city, company, department, and email address. Once the SSL certificate has been generated, add the configuration lines below to the /etc/vsftpd/vsftpd.conf file using your favorite file editor, such as vi.
Modify vsftpd.conf To Allow FTPES Connections/Transfers:
# FTPES Conf Additions
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
Set force_local_logins_ssl and force_local_data_ssl both to YES if you do not want to allow regular FTP connections; with both set to NO, as above, clients can still log in and transfer data without TLS. After saving the changes you will need to restart vsftpd using syntax similar to the below.
Restart vsftpd For FTPES Changes To Take Effect:
[root@dev vsftpd]# /etc/init.d/vsftpd restart
Shutting down vsftpd: [ OK ]
Starting vsftpd for vsftpd: [ OK ]
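As an added check that is not part of the original post, the shell function below reads a vsftpd.conf and flags the FTPES settings discussed above that still permit cleartext FTP or legacy SSL. The helper names (conf_get, is_on, audit_vsftpd_tls) and the two sample files are constructed for illustration; defaults for absent keys are assumed to be those documented in vsftpd.conf(5).

```shell
#!/bin/sh
# Added example (not from the original post): flag vsftpd.conf settings that
# leave FTP in cleartext or enable legacy SSL. Defaults for absent keys are
# the ones documented in vsftpd.conf(5).

# conf_get FILE KEY DEFAULT: effective value, upper-cased; last assignment wins.
conf_get() {
    v=$(sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '\r' | tr 'a-z' 'A-Z')
    echo "${v:-$3}"
}

# is_on FILE KEY DEFAULT: succeeds when the boolean is YES, TRUE or 1.
is_on() {
    case $(conf_get "$1" "$2" "$3") in YES|TRUE|1) return 0 ;; esac
    return 1
}

# audit_vsftpd_tls FILE: print one "WEAK:" line per finding (hypothetical helper).
audit_vsftpd_tls() {
    if ! is_on "$1" ssl_enable NO; then
        echo "WEAK: ssl_enable is off, so TLS is not offered at all"
        return 0
    fi
    is_on "$1" force_local_logins_ssl YES ||
        echo "WEAK: force_local_logins_ssl=NO, logins may be sent in cleartext"
    is_on "$1" force_local_data_ssl YES ||
        echo "WEAK: force_local_data_ssl=NO, file data may be sent in cleartext"
    ! is_on "$1" ssl_sslv2 NO || echo "WEAK: ssl_sslv2=YES, SSLv2 is enabled"
    ! is_on "$1" ssl_sslv3 NO || echo "WEAK: ssl_sslv3=YES, SSLv3 is enabled"
    return 0
}

# Constructed samples: the post's settings as written, and a TLS-only variant.
tmp=$(mktemp -d)
cat > "$tmp/post.conf" <<'EOF'
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
EOF
sed 's/^\(force_local_[a-z]*_ssl\)=NO/\1=YES/' "$tmp/post.conf" > "$tmp/tls_only.conf"

echo "== post.conf";     audit_vsftpd_tls "$tmp/post.conf"
echo "== tls_only.conf"; audit_vsftpd_tls "$tmp/tls_only.conf"
```

The configuration as posted yields two findings, one per force_local_* setting left at NO; the TLS-only variant yields none.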
After making all of the proper configuration changes this is where I ran into my first issue. When attempting to connect to the server using FTP with explicit TLS/SSL I received an error attempting to do a directory listing. I was able to connect but then the connection would drop. Below is part of the error as seen from FileZilla upon trying to connect to the vsftpd server using FTPES.
FileZilla Error Connecting To vsftpd Server Using FTPES:
Response: 150 Here comes the directory listing.
Error: GnuTLS error -9: A TLS packet with unexpected length was received.
Status: Server did not properly shut down TLS connection
Error: Could not read from transfer socket: ECONNABORTED - Connection aborted
Response: 226 Directory send OK.
Error: Failed to retrieve directory listing
Luckily the first thing I thought to do was check that VSFTPD was the latest and greatest version. The version I was running was vsftpd version 2.0.5-12 and I noticed via yum that vsftpd version 2.0.5-16 was available. Since it is always easy to upgrade packages like this via yum, I decided to give this a shot first. Below I show how to verify you are running the latest vsftpd version available from your yum repositories and, if not, how to upgrade to the latest version.
Verify vsftpd Is The Latest Version Using Yum:
[root@dev vsftpd]# yum list *VSFTP*
Loading "installonlyn" plugin
Setting up repositories
base 100% |=========================| 2.1 kB 00:00
updates 100% |=========================| 1.9 kB 00:00
addons 100% |=========================| 951 B 00:00
extras 100% |=========================| 1.1 kB 00:00
Reading repository metadata in from local files
Installed Packages
vsftpd.x86_64 2.0.5-12.el5 installed
Available Packages
vsftpd.x86_64 2.0.5-16.el5_4.1 updates
Upgrade vsftpd Using Yum On CentOS Linux:
[root@dev vsftpd]# yum install vsftpd
Loading "installonlyn" plugin
Setting up Install Process
Setting up repositories
Reading repository metadata in from local files
Parsing package install arguments
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for vsftpd to pack into transaction set.
vsftpd-2.0.5-16.el5_4.1.x 100% |=========================| 18 kB 00:00
---> Package vsftpd.x86_64 0:2.0.5-16.el5_4.1 set to be updated
--> Running transaction check
Dependencies Resolved
=============================================================================
Package Arch Version Repository Size
=============================================================================
Updating:
vsftpd x86_64 2.0.5-16.el5_4.1 updates 139 k
Transaction Summary
=============================================================================
Install 0 Package(s)
Update 1 Package(s)
Remove 0 Package(s)
Total download size: 139 k
Is this ok [y/N]: y
Downloading Packages:
(1/1): vsftpd-2.0.5-16.el 100% |=========================| 139 kB 00:00
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Updating : vsftpd [1/2]warning: /etc/vsftpd/vsftpd.conf created as /etc/vsftpd/vsftpd.conf.rpmnew
Updating : vsftpd ######################### [1/2]
Cleanup : vsftpd ######################### [2/2]
Updated: vsftpd.x86_64 0:2.0.5-16.el5_4.1
Complete!
After upgrading vsftpd I restarted the ftp server again using the command displayed above and attempted to connect again with FileZilla. Sure enough things worked without issue this time. It always pays to run the latest and greatest software to make sure you have all of the latest bug fixes and security patches.