Configure VSFTPD with an SSL

How can I configure VSFTPD to support SSL encrypted connections?

In this article we will discuss how to configure vsftpd to work with SSL/TLS encryption. If you do not have vsftpd installed yet, you may wish to visit one of these articles before proceeding:
  • How to install VSFTPD on CentOS 7
  • How to install VSFTPD on CentOS 6
  • How to install VSFTPD on Fedora 23
  • How to install VSFTPD on Ubuntu 15.04
  • How to Install VSFTPD on Ubuntu 16.04
Ready? Awesome, let’s get started.
  1. Prepare a place for the SSL key to live:
     mkdir /etc/ssl/private
  2. For this example we’ll use a self-signed certificate:
     openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.key -out /etc/ssl/certs/vsftpd.crt
     If you have purchased a certificate, put the key in /etc/ssl/private/vsftpd.key and the certificate in /etc/ssl/certs/vsftpd.crt.
  3. Next, configure vsftpd to make use of that certificate:
     vim /etc/vsftpd/vsftpd.conf
  4. Add the configuration below at the bottom of /etc/vsftpd/vsftpd.conf:
     ssl_enable=YES
     allow_anon_ssl=NO
     force_local_data_ssl=YES
     force_local_logins_ssl=YES
     ssl_tlsv1_1=YES
     ssl_tlsv1_2=YES
     ssl_tlsv1=NO
     ssl_sslv2=NO
     ssl_sslv3=NO
     require_ssl_reuse=YES
     ssl_ciphers=HIGH
     rsa_cert_file=/etc/ssl/certs/vsftpd.crt
     rsa_private_key_file=/etc/ssl/private/vsftpd.key
  5. To save the file and quit the editor, type “:wq”.

SSL Settings

Now let’s go through those settings and see what they do.
  • This option enables SSL support in vsftpd:
     ssl_enable=YES
  • Prevent anonymous (guest user) logins over SSL/TLS:
     allow_anon_ssl=NO
  • Force SSL/TLS encryption of both your username/password and your data to keep them safe:
     force_local_data_ssl=YES
     force_local_logins_ssl=YES
  • Use the stronger encryption offered by TLS 1.1 and 1.2:
     ssl_tlsv1_1=YES
     ssl_tlsv1_2=YES
  • TLS 1.0 is getting a little more insecure than we would like, so we are going to disable it. Please note that some older FTP clients are not compatible with newer TLS versions and may require this option to be set to “YES”:
     ssl_tlsv1=NO
  • To keep the FTP connections safe against the BEAST and POODLE vulnerabilities we are going to disable SSLv2 and SSLv3:
     ssl_sslv2=NO
     ssl_sslv3=NO
  • Continuing our security improvements, we add some additional protection against Man In The Middle (MITM) attacks by enabling the following. This may not be compatible with some older FTP clients; if you experience connection loss, try setting this option to “NO”:
     require_ssl_reuse=YES
  • This requires the server to use stronger cipher suites:
     ssl_ciphers=HIGH
  • Lastly, our certificate and key files:
     rsa_cert_file=/etc/ssl/certs/vsftpd.crt
     rsa_private_key_file=/etc/ssl/private/vsftpd.key

The Final Step

  1. Now that we have all of that added to the configuration file, we should be able to restart vsftpd and start uploading:
     systemctl restart vsftpd
  2. If you are working with CentOS 6 or another system that doesn’t support systemd, you should be able to restart vsftpd with the command below:
     service vsftpd restart
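Once vsftpd is back up, it is worth checking that the file really contains the settings above and that the server offers TLS. The POSIX shell script below is an added example, not code from the original article: audit_vsftpd_conf reads a vsftpd.conf and reports any key that differs from the recommended value, and verify_ftps uses openssl s_client against a host you name (assumed port 21). The two sample config files are constructed in a temporary directory for the demo.

```shell
#!/bin/sh
# Added example (not from the article): audit a vsftpd.conf against the TLS
# settings the article recommends, and show how to verify the live server.

# The key=value pairs the article adds (ssl_ciphers is checked for exactly HIGH).
EXPECTED_SETTINGS='ssl_enable=YES allow_anon_ssl=NO force_local_data_ssl=YES
force_local_logins_ssl=YES ssl_tlsv1_1=YES ssl_tlsv1_2=YES ssl_tlsv1=NO
ssl_sslv2=NO ssl_sslv3=NO require_ssl_reuse=YES ssl_ciphers=HIGH'

# conf_value FILE KEY: print the effective value of KEY (last uncommented
# occurrence wins); prints nothing if the key is not set at all.
conf_value() {
    grep -v '^[[:space:]]*#' "$1" | grep "^[[:space:]]*$2=" | tail -n 1 \
        | cut -d= -f2- | tr -d '[:space:]'
}

# audit_vsftpd_conf FILE: return 0 if every expected key has the expected
# value; otherwise print one line per mismatch and return 1.
audit_vsftpd_conf() {
    rc=0
    for pair in $EXPECTED_SETTINGS; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(conf_value "$1" "$key" | tr '[:lower:]' '[:upper:]')  # booleans are case-insensitive
        if [ "$got" != "$want" ]; then
            echo "$1: $key=${got:-<unset>} (expected $want)"
            rc=1
        fi
    done
    return $rc
}

# verify_ftps HOST [PORT]: after restarting vsftpd, confirm the server accepts
# AUTH TLS and see which protocol and cipher were negotiated (needs network).
verify_ftps() {
    openssl s_client -connect "$1:${2:-21}" -starttls ftp </dev/null 2>/dev/null \
        | grep -E '^ *(Protocol|Cipher) *:'
}

# Constructed sample configs: one as the article recommends, one left weak.
DEMO_DIR=$(mktemp -d)
printf '%s\n' $EXPECTED_SETTINGS > "$DEMO_DIR/good.conf"
printf '%s\n' ssl_enable=yes '# ssl_sslv3=NO' ssl_sslv3=YES ssl_tlsv1=YES > "$DEMO_DIR/weak.conf"
audit_vsftpd_conf "$DEMO_DIR/good.conf" && echo "good.conf: all recommended TLS settings present"
audit_vsftpd_conf "$DEMO_DIR/weak.conf" || echo "weak.conf: fix the settings listed above"
```

Run verify_ftps against your own server after the restart; a Protocol line showing TLSv1.1 or TLSv1.2 confirms the old SSL versions are no longer offered.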


If you see an error similar to one of the two below, check out this article.
     500 OOPS: vsftpd: refusing to run with writable root inside chroot()
     GnuTLS error -15: An unexpected TLS packet was received.

SSL encryption is one of the leading forms of protecting your data in transit to your server. Now you can rest easy that you have taken yet another step in providing a secure resource to yourself and your users.