If you’re ever working with vsftpd, and filezilla dumps out this error:
GnuTLS error -8: A record packet with illegal version was received
You’re not finding any relevant error messages in your vsftpd log file, nor in the xferlog, nor in /var/log/messages ?
Well, vsftpd seems to be horribly un-verbose. The cause of this error is not because of some obscure TLS problem. What’s causing it is vsftpd dumping out a plain-text error in the middle of the encrypted data stream, causing the ftp client to pop out this error.
The only way to debug this was by packet sniffing the actual connection with wireshark. Following the TCP stream with wireshark, the error I was looking for in the log files, was clearly visible at the end of the TLS encrypted data, before the connection dropped.
Something like:
\5_TXC,[1d.c}$D12N8(,"ndKm:?Y5O\M)5{nj2*Uaiym8-T4rt2c'#/K(
dvU2@:M.&.X=:-A*4aUm3:)!)y5Kt$'&"ZQN:'v%X500 OOPS: Cannot change directory: /foo
It turned out to be a simple permissions issue… .
Why vsftpd isn’t logging these to it’s own log file, or even syslogd, who knows. At the most verbose configuration, it is logging all sorts of things, except the actual error causing the problem!
Had encryption not been enabled in vsftpd, the error would have been visible in the FTP client.
So to any one encountering this, I would recommend either temporarily disabling encryption in vsftpd in order to see the error, or if that is not an option, use a packet sniffer to view the error.
I figured I would post this since google didn’t bring up much useful as I was debugging this. :)
Awesome discovery.. that really is tricky isn’t it? What’s the point of an error log if you don’t log errors!
Thanks a bunch for posting this! Just helped me out, big time.
No problem! Thanks for reading! :)
Thanks, this did it for me…
quite a stinker in this respect, vsftpd
Regards,
Daniel
Thanks a lot, i searched for a while, too.. !
Thanks for this great tip/observation. I was getting failures with encrypted PASV channel negotiations (due to a known but in VSFTPD 2.2.0) and couldn’t really see them until I retried unencrypted.
Thanks a LOT from Italy!
You’ve just allowed me to start an early weekend :-)
I’ve set up VSFTPD with PAM+MySQL virtual users and TLS/SSL… and I forgot to create the virtual user homedir before connecting.
Too bad that VSFTPD virtual user’s home directories cannot be created “on-the-fly”… or maybe via PAM??? Who knows… I’ll Google for it on Monday :-)
This is great, still helping. Thanks!
Awesome! you saved me.
Thanks,
Srinivas
Great information here. Not available at many places. In my case I had 700 perms and filezilla+Vsftpd threw this error. Moment I did 750 on my home dir, I saw the dir listing.
alternatively I have decided to use below two lines in addition to chroot_local_user=YES.
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
vsftpd/chroot_list has my username in it. With these three lines and 700 perms on my home directory, it still works fine. Didn’t need to make 750 in this case.
Ofcourse I force SSL for login and data which i didn’t mention before, but all this is happening because of that so.. :)