Configure VSFTPD with an SSL

Posted by Helpful Humans of Liquid Web
Category: Technical Support | Tags: SSL, VsFTPd

How can I configure VSFTPD to support SSL encrypted connections?

In this article we will be discussing how to configure vsftpd to work with SSL encryption. If you do not have vsftpd installed yet you may wish to visit one of these articles before proceeding.

How to install VSFTPD on CentOS 7

How to install VSFTPD on CentOS 6

How to install VSFTPD on Fedora 23

How to install VSFTPD on Ubuntu 15.04

How to Install VSFTPD on Ubuntu 16.04

Ready? Awesome, let’s get started.

  1. Prepare a place for the SSL key to live:
    mkdir /etc/ssl/private
  2. For this example we’ll use a self-signed SSL:
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.key -out /etc/ssl/certs/vsftpd.crt

    If you have purchased an SSL you can put the key in /etc/ssl/private/vsftpd.key and the certificate in /etc/ssl/certs/vsftpd.crt.
  3. Next, configure vsftpd to make use of that certificate.
    vim /etc/vsftpd/vsftpd.conf
  4. Add the configuration settings below to the bottom of /etc/vsftpd/vsftpd.conf.
  5. To exit, type “:wq”; that saves the file and quits the editor.

SSL Settings

Now let’s go through those settings and see what they do.

  • This option enables SSL support in vsftpd.
  • Prevent anonymous SSL/TLS encrypted logins, in essence, the guest user.
  • We’re going to force SSL/TLS encryption of both your username/password and your data to keep it safe.
  • Use the stronger, better encryption offered by TLS 1.1 and 1.2.
  • TLS 1.0 is becoming less secure than we would like, so we are going to disable it. Please note that some older FTP clients are not compatible with newer TLS versions and may require this option to be set to “YES”.
  • To keep the FTP connections safe against the BEAST and POODLE vulnerabilities we are going to disable SSLv2 and SSLv3.
  • Continuing our security improvements, we are going to add some additional protection against Man In The Middle (MITM) attacks by enabling the following. This may not be compatible with some older FTP clients; if you experience connection loss, try setting this option to “NO”.
  • This will require the server to use stronger cipher suites.
  • Lastly, the paths to our certificate (.crt) and key files.
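As an added example that is not part of the original article, the following shell script audits a vsftpd.conf against the hardening described in the list above, using vsftpd's own directive names and requiring each to be set explicitly rather than relying on defaults. The sample configurations and key file it creates are constructed for the demonstration, and the check that the private key is not group- or world-readable is an extra defensive check beyond what the article lists.

```shell
#!/bin/sh
# Added example (not from the article): audit a vsftpd.conf for the SSL/TLS
# hardening walked through above.  Directive names are vsftpd's own; each one
# must be set explicitly (defaults are not trusted).  The TLS 1.1/1.2 directives
# vary by vsftpd version and are deliberately not checked.

# conf_get FILE KEY: print the last uncommented value of KEY (empty if unset).
conf_get() {
    awk -F= -v k="$2" '/^[[:space:]]*#/ { next } $1 == k { v = $2 } END { print v }' "$1"
}

# expect FILE KEY WANT: print a finding and return 1 when KEY is not WANT.
expect() {
    got=$(conf_get "$1" "$2")
    [ "$got" = "$3" ] && return 0
    echo "FINDING: $2=${got:-<unset>} (expected $3)"
    return 1
}

# audit_vsftpd_ssl FILE: return the number of failed checks (0 means hardened).
audit_vsftpd_ssl() {
    f="$1"; n=0
    for pair in ssl_enable=YES allow_anon_ssl=NO force_local_logins_ssl=YES \
                force_local_data_ssl=YES ssl_sslv2=NO ssl_sslv3=NO ssl_tlsv1=NO \
                require_ssl_reuse=YES ssl_ciphers=HIGH; do
        expect "$f" "${pair%%=*}" "${pair#*=}" || n=$((n + 1))
    done
    key=$(conf_get "$f" rsa_private_key_file)
    [ -n "$key" ] || { echo "FINDING: rsa_private_key_file unset"; n=$((n + 1)); }
    # A private key present on disk must not be group- or world-readable.
    if [ -f "$key" ] && [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "FINDING: $key is readable by group/other"; n=$((n + 1))
    fi
    return "$n"
}

# Constructed samples: a weak config with a world-readable key, and one matching the article.
WORK=$(mktemp -d)
touch "$WORK/weak.key"; chmod 644 "$WORK/weak.key"
printf '%s\n' ssl_enable=YES allow_anon_ssl=YES force_local_data_ssl=NO \
    '#ssl_sslv2=NO' ssl_sslv3=YES ssl_tlsv1=YES \
    "rsa_private_key_file=$WORK/weak.key" > "$WORK/weak.conf"
printf '%s\n' ssl_enable=YES allow_anon_ssl=NO force_local_data_ssl=YES \
    force_local_logins_ssl=YES ssl_tlsv1=NO ssl_sslv2=NO ssl_sslv3=NO \
    require_ssl_reuse=YES ssl_ciphers=HIGH rsa_cert_file=/etc/ssl/certs/vsftpd.crt \
    rsa_private_key_file=/etc/ssl/private/vsftpd.key > "$WORK/hardened.conf"
audit_vsftpd_ssl "$WORK/weak.conf" || echo "weak.conf: $? finding(s)"
audit_vsftpd_ssl "$WORK/hardened.conf" && echo "hardened.conf: OK"
```

Run it against your live /etc/vsftpd/vsftpd.conf by calling audit_vsftpd_ssl with that path; a non-zero exit count lists exactly which settings still need attention.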

The Final Step

  1. Now that we have all of that added to the configuration file, we should be able to restart vsftpd and start uploading.
    systemctl restart vsftpd
  2. If you are working with CentOS 6 or another system that doesn’t use systemd, you should be able to restart vsftpd with the command below.
    service vsftpd restart


If you see errors similar to either of the two below, check out this article.
500 OOPS: vsftpd: refusing to run with writable root inside chroot()

GnuTLS error -15: An unexpected TLS packet was received.

SSL encryption is one of the leading forms of protecting your data in transit to your server. Now you can rest easy that you have taken yet another step in providing a secure resource to yourself and your users.


About the Author: Helpful Humans of Liquid Web
