Enable SSL in Vsftpd

Discussion in 'Tomato Firmware' started by vlad_oz, Dec 13, 2010.

  vlad_oz

    I am using the latest version of Teddy Bear's Tomato (v1.28.9054 MIPSR2-beta K26 USB vpn3.6) build on an Asus RT-N16.

    I just discovered that SSL support is not compiled into Vsftpd. When I specify the option 'ssl_enable=yes', vsftpd returns the message "500 OOPS: SSL: ssl_enable is set but SSL support not compiled in".

    Can we please add Vsftpd with compiled-in SSL to the next release of TomatoUSB?

    The Ext or VPN release would be the best place, as this is aimed at people who have plenty of Flash RAM.

    The reason why I want to use FTPS is because it transfers data much faster than with SCP or SFTP. When I am on the road, I regularly use FTPS to retrieve files from my home computer. I am currently running an FTPS server using IIS under Windows 7 Professional, but I want to connect my external hard drive directly to the router so that I can turn the PC off.

    Ordinary FTP is unsuitable because the passwords are transmitted as plaintext, which can be sniffed.
  vlad_oz

    Another alternative is for someone to compile a replacement vsftpd binary with SSL support enabled and show me how I can use it to replace the existing one under TomatoUSB without having to rebuild the TomatoUSB image.

    I am prepared to offer money for this, if that is what it takes.
  rhester72

    I've compiled vsftpd 2.3.2 with SSL support. Installation and configuration is left as an exercise for the reader (or those more inclined to write HOWTOs), but it's a start. (It should be relatively straightforward, but I compiled with optware paths - I want to keep it as separate from the builtin as possible, since there's too much risk of collision otherwise.)

  vlad_oz

    Thanks Rodney, I have downloaded your vsftpd binary, but how do I get tomato to invoke it?

    When I try to run it from the command line, it says:

    "500 OOPS: vsftpd: not configured for standalone, must be started from inetd"

    Is there an editable inetd configuration file, or some other way for it to be invoked?

  rhester72

    From INSTALL:

    vsftpd can run standalone or via an inetd (such as inetd or xinetd). You will
    typically get more control running vsftpd from an inetd. But first we will run
    it without, so we can check things are going well so far.
    Edit /opt/etc/vsftpd.conf, and add this line at the bottom:
    This tells vsftpd it will NOT be running from inetd.
  vlad_oz

    Thanks Rodney - I actually discovered that step in the meantime after I posted that message. Then I ran into other problems. The vsftpd binary that I downloaded from your site claimed that there was a permissions problem accessing vsftpd.conf, even though I was running as root and the file was owned by root.

    As a result, I took the plunge by downloading and compiling openssl and vsftpd myself. I did it natively on my router using development tools downloaded from the optware repository.

    I downloaded the vsftpd 2.3.2 source from http://vsftpd.beasts.org/

    After many hours of getting the right compiler option, it is mostly working, but I have one small lingering problem - it is not recognising the vsftpd.conf option "passwd_file=/etc/vsftpd.passwd".

    Did I obtain the correct source distribution for vsftpd, or is there another one that has been customised for tomato?
  rhester72

    It looks like the Tomato source is pretty heavily patched - passwd_file is an option that looks like it may have had its start in Oleg's firmware (and there are likely several other patches as well).

    I've respun my repository to source from Tomato's customized version but compiled with SSL support - give it another try. If you still have issues with it reading the config file (I've verified that the path is correct, at least), let me know and I'll see if I can't help figure it out.

  vlad_oz

    Yeah, it would be nice if these patches could be placed in some repository, perhaps with details about them in a wiki. If they are that useful, perhaps they should be submitted to the maintainers of vsftpd to include in the mainstream distribution.

    It really sucks to find out these things through struggling and wasting time in front of a terminal.

    I had the same problem with your latest binary - it gave the same message complaining about the permissions of vsftpd.conf, but I downloaded your source and compiled that myself and that worked, so thanks!

    To get it to compile, I had to remove the reference to the tomato include files in builddefs.h and make VSF_BUILD_SSL unconditional, but then it worked.
  vlad_oz

    I also want to point out to other people that Optware only comes with libssl and libcrypto 0.9.7, whereas vsftpd needs version 1.0.0 to produce working SSL support, otherwise you will get strange linker messages concerning "sha256".
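
Added example, not part of the thread or of anyone's posted code: a small shell audit of a vsftpd.conf for the settings this discussion turns on (standalone `listen`, `ssl_enable`, and the options that force logins and data onto TLS). The option names and defaults are those of vsftpd.conf(5) for vsftpd 2.3.x; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a vsftpd.conf for the FTPS settings raised in this thread.
# Defaults are the ones documented in vsftpd.conf(5) for vsftpd 2.3.x.

# conf_get FILE KEY DEFAULT: print the last value given for KEY (upper-cased),
# or DEFAULT if unset. vsftpd.conf lines are "option=value" with no spaces.
conf_get() {
    val=$(sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '\r' | tr '[:lower:]' '[:upper:]')
    echo "${val:-$3}"
}

# is_on VALUE: true for the spellings vsftpd accepts as boolean "yes".
is_on() {
    case "$1" in YES|TRUE|1) return 0 ;; *) return 1 ;; esac
}

fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

# audit_vsftpd_conf FILE: returns 0 only if logins and data are forced onto TLS.
audit_vsftpd_conf() {
    conf=$1
    problems=0
    is_on "$(conf_get "$conf" ssl_enable NO)" ||
        fail "ssl_enable is off: passwords cross the network in plaintext"
    is_on "$(conf_get "$conf" force_local_logins_ssl YES)" ||
        fail "force_local_logins_ssl=NO lets clients log in without TLS"
    is_on "$(conf_get "$conf" force_local_data_ssl YES)" ||
        fail "force_local_data_ssl=NO lets file transfers run without TLS"
    is_on "$(conf_get "$conf" ssl_sslv2 NO)" && fail "ssl_sslv2 is enabled (obsolete protocol)"
    is_on "$(conf_get "$conf" ssl_sslv3 NO)" && fail "ssl_sslv3 is enabled (obsolete protocol)"
    is_on "$(conf_get "$conf" listen NO)" ||
        echo "NOTE: listen is not YES, so vsftpd expects to be started from inetd"
    [ "$problems" -eq 0 ]
}

# Constructed sample configuration (not taken from the thread).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# standalone FTPS server
listen=YES
ssl_enable=YES
force_local_logins_ssl=NO
ssl_sslv3=YES
EOF
audit_vsftpd_conf "$sample" || echo "$problems problem(s) found in $sample"
rm -f "$sample"
```

Run it against the real file with `audit_vsftpd_conf /opt/etc/vsftpd.conf`; a non-zero exit status means at least one setting would let credentials or data travel without TLS.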
