====== vsFTPd ======

FTP daemon config with SSL on Debian

===== Generate a pem file from an official SSL certificate =====

  cat /etc/apache2/ssl/server.crt /etc/apache2/ssl/server.pem > /etc/vsftpd/server.pem

If you have an intermediate, chained cert, include that as well:

  cat /etc/apache2/ssl/server_inter.crt >> /etc/vsftpd/server.pem

===== Generate a self-signed pem file =====

  openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem

===== SSL config options =====

Excerpt from /etc/vsftpd.conf:

  ssl_enable=YES
  allow_anon_ssl=NO
  force_local_data_ssl=NO
  force_local_logins_ssl=NO
  ssl_tlsv1=YES
  ssl_sslv2=YES
  ssl_sslv3=YES
  rsa_cert_file=/etc/vsftpd/server.pem
  require_ssl_reuse=NO
  pasv_enable=YES
  pasv_min_port=55000
  pasv_max_port=60000
  ftp_data_port=20
  listen_port=21

===== Client testing =====

Official cert:

  lftp -u username -e 'set ftp:ssl-force true' example.com

Self-signed cert:

  lftp -u username -e 'set ftp:ssl-force true' -e 'set ssl:verify-certificate false' example.com

===== Check cert =====

  openssl s_client -connect example.com:ftp -starttls ftp -showcerts
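The excerpt under "SSL config options" accepts SSLv2 and SSLv3 and does not force TLS for logins or data connections. The shell functions below are an added example, not part of the original page, that flag those settings in a vsftpd.conf. The function names and finding texts are hypothetical, the demo input is constructed from the TLS lines of the excerpt, and the fallback values are the defaults documented in vsftpd.conf(5).

```shell
#!/bin/sh
# Added example (not from the original page): audit the TLS options of a
# vsftpd.conf. Fallback values are the defaults documented in vsftpd.conf(5).

# is_on FILE KEY DEFAULT: succeed if the boolean option is effectively YES.
# The last assignment in the file wins; "#" comment lines never match.
is_on() {
    v=$(sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d ' \r' | tr 'a-z' 'A-Z')
    case "${v:-$3}" in YES|TRUE|1) return 0 ;; *) return 1 ;; esac
}

# audit_vsftpd_tls FILE: print one "option: finding" line per weak setting.
# Returns 0 when nothing was flagged, 1 otherwise.
audit_vsftpd_tls() {
    conf=$1
    bad=0
    if ! is_on "$conf" ssl_enable NO; then
        echo "ssl_enable: TLS is disabled, logins and data are cleartext"
        return 1
    fi
    if is_on "$conf" ssl_sslv2 NO; then
        echo "ssl_sslv2: obsolete SSLv2 is accepted"; bad=1
    fi
    if is_on "$conf" ssl_sslv3 NO; then
        echo "ssl_sslv3: obsolete SSLv3 is accepted"; bad=1
    fi
    if ! is_on "$conf" force_local_logins_ssl YES; then
        echo "force_local_logins_ssl: passwords may be sent without TLS"; bad=1
    fi
    if ! is_on "$conf" force_local_data_ssl YES; then
        echo "force_local_data_ssl: data connections may skip TLS"; bad=1
    fi
    if ! is_on "$conf" require_ssl_reuse YES; then
        echo "require_ssl_reuse: data channel not tied to control session"; bad=1
    fi
    return "$bad"
}

# Demo on constructed input: the TLS lines of the excerpt on this page.
demo=$(mktemp)
printf '%s\n' ssl_enable=YES force_local_data_ssl=NO force_local_logins_ssl=NO \
    ssl_tlsv1=YES ssl_sslv2=YES ssl_sslv3=YES require_ssl_reuse=NO > "$demo"
audit_vsftpd_tls "$demo" || true
rm -f "$demo"
```

To audit a live server, call audit_vsftpd_tls /etc/vsftpd.conf after sourcing the functions; a zero return status means none of the checked options is weaker than its default.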