ssl filezilla vsftpd

filezilla can't connect to vsftpd with TLS, but does work with unencrypted connection


I set up my server on CentOS 7.

From the client side (not localhost), I can connect and transfer files to the server over an unencrypted connection, but I can't connect with TLS.

This is my vsftpd.conf:

listen=YES
listen_ipv6=NO

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

rsa_cert_file=/home/user/server/sync.crt
rsa_private_key_file=/home/user/server/sync.key

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES

ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

require_ssl_reuse=NO
ssl_ciphers=HIGH

pasv_enable=YES
pasv_min_port=50000
pasv_max_port=60000
pasv_address=1.1.1.1

and FileZilla's error messages:

Connection attempt failed with "ETIMEDOUT - Connection attempt timed out".
425 Failed to establish connection.

How do I solve this problem?


Solution

  • This kind of error typically happens when a data connection cannot be created to transfer files or directory listings. Such data connections use dynamic ports, where, in the case of PASV, the port to use is announced by the server within the response to the PASV command.

    Firewalls often employ helpers to scan the traffic and look for such responses announcing which port the client should use, and then temporarily allow such access. In the case of plain FTP without encryption, the firewall can see the response and determine the port to open, so it works. But in the case of FTPS the control connection is encrypted, so the firewall only sees encrypted communication and cannot determine the port to open, and it fails.
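As an added illustration (not part of the original answer), the following script mimics what a firewall FTP helper does on a plaintext control channel: it parses the 227 PASV response, derives the data port, and checks it against the pasv_address and pasv_min_port/pasv_max_port values from the vsftpd.conf above. The sample 227 lines and the TLS-record bytes are constructed; on an FTPS control channel the helper only ever sees the latter, so the parser finds nothing and the data port stays closed unless the passive range is opened statically.

```python
import re
from typing import Dict, Optional, Tuple

# 227 reply format from RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Constructed excerpt mirroring the passive settings in the question's vsftpd.conf
VSFTPD_CONF = """pasv_enable=YES
pasv_min_port=50000
pasv_max_port=60000
pasv_address=1.1.1.1
"""

# Constructed control-channel samples
PLAIN_PASV = "227 Entering Passive Mode (1,1,1,1,205,44)."      # port 205*256+44 = 52524
LOW_PORT_PASV = "227 Entering Passive Mode (1,1,1,1,4,21)."      # port 4*256+21 = 1045
TLS_RECORD = "\x17\x03\x03\x00\x2a\x8f\x1d\xa4\x0b\x77\xc2\x55"  # opaque TLS application data


def read_pasv_settings(conf_text: str) -> Dict[str, str]:
    """Parse key=value lines of a vsftpd.conf fragment, ignoring blanks and comments."""
    settings = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def parse_pasv(line: str) -> Optional[Tuple[str, int]]:
    """Extract (host, port) from a readable 227 reply, as a firewall helper would.
    Returns None when the bytes are not a plaintext 227 reply (e.g. TLS records)."""
    m = PASV_RE.search(line)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):          # each field is one octet
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_port_allowed(line: str, conf_text: str) -> bool:
    """True when the announced endpoint matches the advertised address and
    lies inside the passive range a firewall must be told to allow statically."""
    cfg = read_pasv_settings(conf_text)
    parsed = parse_pasv(line)
    if parsed is None:
        return False
    host, port = parsed
    return host == cfg["pasv_address"] and int(cfg["pasv_min_port"]) <= port <= int(cfg["pasv_max_port"])
```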