I was tasked with configuring VSFTPD to allow SFTP or FTPES (FTP over explicit TLS/SSL) tonight for a client. The configuration already had regular FTP working, which I verified using FileZilla as an FTP client. I was able to log in and transfer files in both directions to and from the server. Next I verified that SFTP worked without issue, and I was also able to transfer files in both directions using SFTP. For FTPES I had to make some changes, and once I did make the changes I was still getting an error when attempting to do a directory listing using FileZilla. Below I describe the initial changes I made to vsftpd.conf, the errors I received attempting to connect with FTPES, and the way I resolved the problem.

Configure VSFTPD For FTPES or File Transfer Protocol With Explicit TLS/SSL:

First, generate an SSL certificate to use with the FTP server by running the command below from the Linux server CLI.

Generate SSL Certificate For VSFTPD Server:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem

You will be required to fill in the typical SSL certificate information such as Country, State, City, company, department, and email address. Once the certificate has been generated, add the configuration lines below to the /etc/vsftpd/vsftpd.conf file using your favorite file editor, such as vi.

Modify vsftpd.conf To Allow FTPES Connections/Transfers:

# FTPES Conf Additions
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem

Set both force_local_logins_ssl and force_local_data_ssl to YES if you do not want to allow regular FTP connections; with both set to NO, as above, clients can still log in and transfer files over plain, unencrypted FTP. After saving the changes you will need to restart vsftpd using syntax similar to the below.

Restart vsftpd For FTPES Changes To Take Effect:

[root@dev vsftpd]# /etc/init.d/vsftpd restart
Shutting down vsftpd: [  OK  ]
Starting vsftpd for vsftpd: [  OK  ]
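
The configuration above enables TLS but leaves plain FTP available. The following shell function is an added example, not part of the original post: it reads a vsftpd.conf and reports FTPES options that still permit cleartext logins or transfers. The function names and the temporary sample file are constructed for illustration; the fallback defaults are those documented in vsftpd.conf(5).

```shell
#!/bin/sh
# Added example (not from the original post): report FTPES options in a
# vsftpd.conf that still let passwords or data travel unencrypted.

# conf_get FILE KEY DEFAULT: print the last value assigned to KEY, or DEFAULT.
# Assumptions: lines are exactly KEY=VALUE (vsftpd does not accept spaces
# around "="), values are written YES/NO as in the article, and a later
# assignment overrides an earlier one.
conf_get() {
    val=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${val:-$3}"
}

# audit_ftpes FILE: print one finding per line; print nothing if clean.
# The DEFAULT arguments are the defaults documented in vsftpd.conf(5).
audit_ftpes() {
    f=$1
    if [ "$(conf_get "$f" ssl_enable NO)" != YES ]; then
        echo "ssl_enable is not YES: TLS is off, every session is cleartext"
        return 0
    fi
    [ "$(conf_get "$f" force_local_logins_ssl YES)" = YES ] ||
        echo "force_local_logins_ssl=NO: passwords can be sent over plain FTP"
    [ "$(conf_get "$f" force_local_data_ssl YES)" = YES ] ||
        echo "force_local_data_ssl=NO: listings and files can be sent unencrypted"
    [ "$(conf_get "$f" ssl_sslv2 NO)" = NO ] ||
        echo "ssl_sslv2=YES: obsolete SSLv2 is enabled"
    [ "$(conf_get "$f" ssl_sslv3 NO)" = NO ] ||
        echo "ssl_sslv3=YES: obsolete SSLv3 is enabled"
    return 0
}

# Constructed sample: the "FTPES Conf Additions" block from this article.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# FTPES Conf Additions
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
EOF
audit_ftpes "$sample"   # use /etc/vsftpd/vsftpd.conf on a real server
```

Run against the article's settings it reports the two force_local_* options; with both set to YES it prints nothing.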

After making all of the proper configuration changes this is where I ran into my first issue. When attempting to connect to the server using FTP with explicit TLS/SSL I received an error attempting to do a directory listing. I was able to connect but then the connection would drop. Below is part of the error as seen from FileZilla upon trying to connect to the vsftpd server using FTPES.

FileZilla Error Connecting To vsftpd Server Using FTPES:

Response:	150 Here comes the directory listing.
Error:	GnuTLS error -9: A TLS packet with unexpected length was received.
Status:	Server did not properly shut down TLS connection
Error:	Could not read from transfer socket: ECONNABORTED - Connection aborted
Response:	226 Directory send OK.
Error:	Failed to retrieve directory listing

Luckily the first thing I thought to do was check that VSFTPD was the latest and greatest version. The version I was running was vsftpd version 2.0.5-12 and I noticed via yum that vsftpd version 2.0.5-16 was available. Since it is always easy to upgrade packages like this via yum I decided to give this a shot first. Below I show how to verify you are running the latest vsftpd version available from your yum repositories and if not how to upgrade to the latest version.

Verify vsftpd Is The Latest Version Using Yum:

[root@dev vsftpd]# yum list *VSFTP*
Loading "installonlyn" plugin
Setting up repositories
base                      100% |=========================| 2.1 kB    00:00
updates                   100% |=========================| 1.9 kB    00:00
addons                    100% |=========================|  951 B    00:00
extras                    100% |=========================| 1.1 kB    00:00
Reading repository metadata in from local files
Installed Packages
vsftpd.x86_64                            2.0.5-12.el5           installed
Available Packages
vsftpd.x86_64                            2.0.5-16.el5_4.1       updates

Upgrade vsftpd Using Yum On CentOS Linux:


[root@dev vsftpd]# yum install vsftpd
Loading "installonlyn" plugin
Setting up Install Process
Setting up repositories
Reading repository metadata in from local files
Parsing package install arguments
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for vsftpd to pack into transaction set.
vsftpd-2.0.5-16.el5_4.1.x 100% |=========================|  18 kB    00:00
---> Package vsftpd.x86_64 0:2.0.5-16.el5_4.1 set to be updated
--> Running transaction check

Dependencies Resolved

=============================================================================
 Package                 Arch       Version          Repository        Size
=============================================================================
Updating:
 vsftpd                  x86_64     2.0.5-16.el5_4.1  updates           139 k

Transaction Summary
=============================================================================
Install      0 Package(s)
Update       1 Package(s)
Remove       0 Package(s)

Total download size: 139 k
Is this ok [y/N]: y
Downloading Packages:
(1/1): vsftpd-2.0.5-16.el 100% |=========================| 139 kB    00:00
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating  : vsftpd                                                 [1/2]warning: /etc/vsftpd/vsftpd.conf created as /etc/vsftpd/vsftpd.conf.rpmnew
  Updating  : vsftpd                       ######################### [1/2]
  Cleanup   : vsftpd                       ######################### [2/2]

Updated: vsftpd.x86_64 0:2.0.5-16.el5_4.1
Complete!

After upgrading vsftpd I restarted the ftp server again using the command displayed above and attempted to connect again with FileZilla. Sure enough things worked without issue this time. It always pays to run the latest and greatest software to make sure you have all of the latest bug fixes and security patches.

5 Responses to “VSFTPD Error: GnuTLS error -9: A TLS packet with unexpected length was received.”
  1. Hassan says:

    Hi!
    I just installed vsftpd and it is the latest version but I am still getting the error:
    In CuteFTP:
    COMMAND:> PASV
    227 Entering Passive Mode (206,217,197,207,233,78)
    COMMAND:> LIST
    STATUS:> Connecting FTP data socket… 206.217.197.207:59726…
    ERROR:> Can’t connect to remote server. Socket error = #10065.
    ERROR:> PASV failed, trying PORT.

    In Filezilla:
    Command: PASV
    Response: 227 Entering Passive Mode (206,217,197,207,157,250)
    Command: LIST
    Error: Connection timed out
    Error: Failed to retrieve directory listing

    Any solution for this?

    alex Reply:

    Hello Hassan,

    Since your VSFTPD question and/or VSFTPD error is not specifically related to the VSFTPD error in the article that is posted here, I would suggest moving this question to the Engage section of Question Defense. This is a section of our site that allows end users to ask and answer questions. So while your question may be answered here, it is much more likely that you will get a response if posting on this portion of Question Defense. If you move the VSFTPD question and error to Engage then we will take a closer look as well and see if we can provide a response for you.

    Thanks.
    alex

  2. Vidal says:

    Great post.
    Newbie question, if at all possible to reply:
    How do you call the edition/modification of vsftpd.conf in command line (using PuTTY)?

    I tried to initiate it with

    /etc/vsftpd/vsftpd.conf (but permission was denied though am on vps)

    Thanks in advance

    alex Reply:

    Hello Vidal,

    I am not sure what you mean by call the edition/modification of VSFTPD. Are you asking how you can make changes to the VSFTPD configuration file on the server? If so you are attempting to modify the proper file and would need the proper permissions to do so. Did you try “sudo su -” after you have logged in?

    Thanks.
    alex
