1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

vsftpd with ssl_enable=true not starting

Discussion in 'Tomato Firmware' started by Iridescens, Nov 14, 2013.

  1. Iridescens

    Iridescens Reformed Router Member

    Hi, everyone!

    I have installed the latest Tomato Firmware v1.28.7503.2 MIPSR2Toastman-RT K26 USB VPN on Netgear WNR3500L, and it all went OK except secured vsftpd config. Having set ssl_enable=true prevents the vsftpd process from even starting. "ps | grep ftp" on System gives nothing, and connect to enabled port returns "ECONNREFUSED - Connection refused by server". My previous build was 7500 and ssl vsftpd worked flawlessly.
    For those concerned:

    pasv_enable=YES
    pasv_addr_resolve=NO
    pasv_address=<>
    port_enable=YES
    #pasv_promiscuous=YES
    pasv_min_port=<>
    pasv_max_port=<>
    force_local_data_ssl=YES
    force_local_logins_ssl=YES
    ssl_ciphers=HIGH
    rsa_cert_file=/tmp/etc/cert.pem
    rsa_private_key_file=/tmp/etc/key.pem
    ssl_enable=yes
    require_ssl_reuse=YES
    allow_anon_ssl=NO
    ssl_tlsv1=YES
    ssl_sslv2=NO
    ssl_sslv3=YES

    And iptables in Firewall scripts configured accordingly.

    If ssl_enable=false it goes OK, but that's not good at all.

    Internet says that vsftpd might be compiled without SSL libraries, but I do hope it is wrong. Please help!
     
  2. Iridescens

    Iridescens Reformed Router Member

    Hi again!
    Can anyone at least confirm same behaviour on Tomato v1.28.7503.2 MIPSR2Toastman-RT K26 USB VPN?
     
  3. koitsu

    koitsu Network Guru Member

    Isn't vsftpd is a third-party FTP server program (i.e. doesn't come with Tomato), meaning you've installed Optware or Entware? So which are you using?

    If Optware, scrap it and replace entirely with Entware (make sure to delete all files in /opt, as there are many which Optware leaves around hidden, such as some dotfiles, which have caused problems for people switching in the past). Entware has a vsftpd package called vsftpd-ext.

    Code:
    root@gw:/tmp/home/root# opkg info vsftpd-ext
    Package: vsftpd-ext
    Version: 3.0.2-1
    Depends: libc
    Provides:
    Status: unknown ok not-installed
    Section: net
    Architecture: entware
    Maintainer: Entware team, wl500g-repo.googlecode.com
    MD5Sum: 966a6e691484ad5d1be5ee7df376f79b
    Size: 65521
    Filename: vsftpd-ext_3.0.2-1_entware.ipk
    Source: RL: http://vsftpd.devnet.ru/files/3.0.2
    Description: A fast and secure FTP server
    
    root@gw:/tmp/home/root# ldd /opt/sbin/vsftpd
      libcrypt.so.0 => /opt/lib/libcrypt.so.0 (0x2aac0000)
      libgcc_s.so.1 => /opt/lib/libgcc_s.so.1 (0x2aae4000)
      libc.so.0 => /opt/lib/libc.so.0 (0x2ab05000)
      ld-uClibc.so.0 => /opt/lib/ld-uClibc.so.0 (0x2aaa8000)
    
    But I don't see any tie-ins to OpenSSL; libcrypt.so.0 comes with libc. So I can't confirm if this package offers SSL or not. If not, you can open a ticket with the Entware folks (not here on this forum; use their own ticketing system please) and they can make a new package (ex. vsftpd-ext-ssl) that will do what you need + "just works".
     
  4. Iridescens

    Iridescens Reformed Router Member

    Well, no, I didn't use Optware, nor Entware. Vsftpd is built-in FTP daemon in Toastman's, which starts when you check it in GUI.
    The problem is that in ver 1.28.7500 it worked like a charm with SSL enabled and no additional effort from me. Sadly, upgrade broke that functionality.
    I wouldn't whine there if I could PM a Toastman, but he does not accept PMs.

    Anyway, koitsu, thank you for your suggestion!
     
  5. koitsu

    koitsu Network Guru Member

    Oh wow, I had no idea there was a built-in FTP server *laugh* How embarrassing; my apologies and my fault. Yes, I see it as /usr/sbin/vsftpd.

    Yeah, he doesn't accept PMs because people overwhelm him with support and other things, plus public posts leave a trail of often helpful information for others online who may have the same issue.

    Have you checked /var/log/vsftpd.log (I see it mentioned within the vsftpd binary itself) to see if there's anything in it? You might need to set debug_ssl=yes or try running vsftpd from the CLI manually to see if it spits out some errors to stderr/stdout to give you some idea of what's wrong (maybe a deprecated config option?).

    I will say your pasv_min_port, pasv_max_port, and pasv_address lines don't look right -- they have greater than and less than characters in them, which is weird. The documentation seems to imply these should contain integers and an IPv4 address respectively.
     
  6. Iridescens

    Iridescens Reformed Router Member

    Erm, that was done intentionally to conceal my IP and addresses ;)
    As for log and debug option - this is my next step, but I just hadn't had spare time back in 2013 to look thoroughly in to the matter.
     

Share This Page