How do I get around this? Filezilla seems to think that I want to access the internet. The only nodes that will be accessing the FTP server are on 10.1.1.0/24. All the answers that I have found here talk about opening ports on my router, which I have no intention of doing. I don't need secure TLS access, just plain old FTP.

Enable Explicit FTP over TLS

On the TLS settings page check 'Allow explicit FTP over TLS'. It is recommended to also check 'Disallow plain unencrypted FTP' and 'Force PROT P to encrypt file transfers when using FTP over TLS'. This will further enforce encryption policies; here PROT 'P' is for 'Private' as opposed to 'C' for clear text.
- Botg wrote: Note that implicit FTP over TLS, by virtue of not having been standardized by a recognized standards body, is deprecated. Consider using explicit FTP over TLS instead.
- OK, that's been done by removing the listen port (default 990) and enabling port 21 in General settings.
- 1) Just remove 21 from the list of FTP ports.
- Do not retry connecting if the certificate is not trusted on FTP over TLS connections.
- Better reporting of handshake failures on FTP over TLS connections.
- *nix: Check for xdg-open. This program from xdg-utils is an indirect runtime dependency; it is used by wxWidgets to open URLs in the default browser.
- Refactored most of the tabbing code.
- Protocol: FTP - File Transfer Protocol, plus Encryption (pick one of these): 'Use explicit FTP over TLS if available', 'Require explicit FTP over TLS' or 'Require implicit FTP over TLS'. This is the same FTP connection (#1) with a TLS connection layered on top, i.e. FTP over SSL/TLS.
Filezilla: the "The server's certificate is unknown" error prevents you from connecting to your server over a secure FTP connection.
As everything is now moving to HTTPS, it is also good to enable SSL/TLS for FTP to protect plain-text login credentials.
As you can see in the screenshot above, the server's SSL certificate appears to be expired, even though we know that this is not the case.
Obviously the FTP server is picking up the wrong certificate.
Step #1: Find the SSL Server Configuration File
Let's click on "Status" of the FTP server:
This is what we see:
From this we see that the configuration file is
Step #2: Find The SSL Certificate File Used By FTP Server
You can see it on the following line:
Step #3: Examine The SSL Certificate File
Let's enter the following in the SSH console or PuTTY:
As we can see, the certificate contained in this file expired on Jan 4, 2020.
This expiration date matches the date shown in red on Filezilla (see featured image of this post).
Step #4: Install SSL for FTP
These instructions will guide you through installing and configuring pure-ftpd to use SSL/TLS.
The hostname certificate needs to be installed already; check that these files exist:
In this case
- Main SSL folder = /etc/pki/tls/
- Certificate folder = /etc/pki/tls/certs/
- Private key folder = /etc/pki/tls/
Create Certificate File for pure-ftpd
Warning: make sure the above paths, file names and extensions are fully correct.
The above commands simply create a hostname.pem file by merging your host's private key and its certificate.
Then its permissions are set to 600, so that only the owner can read the private key.
Step #5: Failed To Retrieve Directory Listing (Explicit FTP over TLS)
Unless you modify your server settings, you will get this error:
Status: Connection established, waiting for welcome message…
Command: USER XXXXXX
Password required for user
Command: PASS *********
Status: Retrieving directory listing…
Error: Failed to retrieve directory listing
Therefore the following steps are needed:
To allow both plain FTP and TLS sessions, set TLS to 1:
Then remove the # in front of the following two lines and make sure they point to the right file:
Set Passive Port Range in PureFTPD:
and save the altered configuration file.
Note: On some servers you may be unable to directly edit the configuration file. In that case download it from the server, edit it in Notepad and re-upload it.
Now configure the CSF firewall to accept incoming connections on that passive port range.
You can do the following steps:
- Edit /etc/csf/csf.conf and look for the line that begins with: TCP_IN
- Add 60000:60100 to the TCP_IN list.
- Reload the firewall configuration.
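To check that the pure-ftpd steps above actually took effect (TLS switched on, CertFile uncommented and pointing at a real file with mode 600, and the passive range allowed in CSF's TCP_IN), here is an added audit script; it is not part of the original post or of pure-ftpd/CSF, and the sample configuration text at the bottom is constructed, not taken from a real server.

```python
import os
import re

def parse_pureftpd_conf(text):
    """Return {key: value} for the active (uncommented) pure-ftpd.conf lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):  # a leading '#' keeps a key inactive
            key, _, value = line.replace("\t", " ").partition(" ")
            conf[key] = value.strip()
    return conf

def parse_csf_tcp_in(text):
    """Return TCP_IN of csf.conf as (low, high) tuples; 'a:b' is a port range."""
    m = re.search(r'^TCP_IN\s*=\s*"([^"]*)"', text, re.M)
    items = [i.strip().partition(":") for i in m.group(1).split(",")] if m else []
    return [(int(lo), int(hi or lo)) for lo, _, hi in items]

def check_cert_file(path):
    """Return a finding for a missing or group/world-readable PEM, else None."""
    if not os.path.exists(path):
        return "CertFile %s does not exist" % path
    if os.stat(path).st_mode & 0o077:  # any group/other bit set means not mode 600
        return "CertFile %s is readable by others (expected mode 600)" % path
    return None

def audit(pureftpd_text, csf_text):
    """Return a list of findings; an empty list means every check passed."""
    conf = parse_pureftpd_conf(pureftpd_text)
    findings = []
    if conf.get("TLS", "0") == "0":
        findings.append("TLS is not enabled (set TLS to 1)")
    if "CertFile" not in conf:
        findings.append("CertFile is missing or commented out")
    elif check_cert_file(conf["CertFile"]):
        findings.append(check_cert_file(conf["CertFile"]))
    if "PassivePortRange" not in conf:
        findings.append("PassivePortRange is not set")
    else:
        lo, hi = (int(p) for p in conf["PassivePortRange"].split())
        if not any(a <= lo and hi <= b for a, b in parse_csf_tcp_in(csf_text)):
            findings.append("passive range %d:%d is not in CSF TCP_IN" % (lo, hi))
    return findings

# Constructed samples: the stock config still has TLS and CertFile commented out.
SAMPLE_BAD_CONF = "# TLS 1\n# CertFile /etc/pki/tls/hostname.pem\nMaxClientsNumber 50\n"
SAMPLE_CSF = 'TCP_IN = "20,21,22,80,443,60000:60100"\n'
```

Run `audit(open("/etc/pure-ftpd/pure-ftpd.conf").read(), open("/etc/csf/csf.conf").read())` on the server; the config path is an assumption and differs between distributions.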
First, you'll want to create a certificate; this can be done with the Certificate Generator in FileZilla Server. The generator asks for the country code, state, city, etc. Be as truthful as possible: you only undermine your own credibility if you enter wrong information into the certificate.
The key size for the certificate is chosen at the top of the generator: 1280 bit, 2048 bit or 4096 bit. The bigger the key size, the more secure the certificate and the initial session key exchange on every connection will be. There is however one thing that needs to be taken into account: CPU utilization during the connection handshake. When you apply encryption to your FileZilla server, the CPU has to do many calculations to encrypt the data being sent and decrypt the data being received. Bandwidth also plays a part in how much the CPU is utilized. If you have a slower connection, say around 1.5 Mbps up, you may not have to worry about CPU utilization as much. The best way to decide is to test.
Please note that FZS needs the full paths to the certificate files. If you generate your own private key and certificate without putting a path in front of the file name, FZS puts only the bare filename in the certificate field without any error notice, but later you will get 'Could not load certificate file' errors in the FZS log when someone tries to connect via FTPS/FTPES (implicit/explicit).
Therefore always put the full path to the private key and certificate files in their corresponding fields so that FZS can find the files.
After you have created the certificate, enter its name and folder path into the 'Private key file' field, or browse to it.
If your server has a direct connection to the internet the configuration is simple, check 'Enable FTP over TLS support (FTPS)'.
More FTPS documentation is available here.
Configure with NAT
Please read the Network Configuration guide for instructions on how to configure the server behind NAT devices (Router, Firewall, etc).
Enable Explicit FTP over TLS
On the TLS settings page check 'Allow explicit FTP over TLS'. It is recommended to also check 'Disallow plain unencrypted FTP' and 'Force PROT P to encrypt file transfers when using FTP over TLS'. This will further enforce encryption policies; here PROT 'P' is for 'Private' as opposed to 'C' for clear text. If you only want certain groups or users to have encryption, you can set that up in the user or group editor. If there is data you still want available to the general public, the 'Force' setting should be disabled in the server settings menu, as otherwise an FTP client rather than a web browser is needed to access the FTP server. If using 'PROT P - Private', the client may require a matching TLS setting or it may default to PROT C.
Another option you should enable is 'Require TLS session resumption on data connection when using PROT P', as it protects against data connection theft.
Setting up your FTP server in this way allows you to encrypt your data and login information without having to get third-party programs. With explicit TLS you will need an FTP client: Internet Explorer and Firefox don't support TLS without special plugins. The FileZilla client supports FTPS both implicit (ftps:// protocol) and explicit (ftpes://).