LL      IIIII NN   NN KK  KK EEEEEEE RRRRRR  RRRRRR   OOOOO  RRRRRR 
LL       III  NNN  NN KK KK  EE      RR   RR RR   RR OO   OO RR   RR
LL       III  NN N NN KKKK   EEEEE   RRRRRR  RRRRRR  OO   OO RRRRRR 
LL       III  NN  NNN KK KK  EE      RR  RR  RR  RR  OO   OO RR  RR 
LLLLLLL IIIII NN   NN KK  KK EEEEEEE RR   RR RR   RR  OOOOO  RR   RR
                                                           ramblings
____________________________________________________________________
Posted on: Wednesday, April 22nd, 2009 at 03:56.
Filed under: All, ServerAdmin.

If you’re ever working with vsftpd and FileZilla dumps out this error:

GnuTLS error -8: A record packet with illegal version was received

And you’re not finding any relevant error messages in your vsftpd log file, in the xferlog, or in /var/log/messages?

Well, vsftpd seems to be horribly un-verbose. The cause of this error is not some obscure TLS problem. What’s causing it is vsftpd writing a plain-text error into the middle of the encrypted data stream, which the FTP client then reports as the error above.

The only way to debug this was by packet sniffing the actual connection with Wireshark. Following the TCP stream in Wireshark, the error I had been looking for in the log files was clearly visible at the end of the TLS-encrypted data, just before the connection dropped.

Something like:

\5_TXC,[1d.c}$D12N8(,"ndKm:?Y5O\M)5{nj2*Uaiym8-T4rt2c'#/K(
dvU2@:M.&.X=:-A*4aUm3:)!)y5Kt$'&"ZQN:'v%X500 OOPS: Cannot change directory: /foo

It turned out to be a simple permissions issue.
Why vsftpd isn’t logging these to its own log file, or even syslogd, who knows. At the most verbose configuration, it logs all sorts of things, except the actual error causing the problem!

Had encryption not been enabled in vsftpd, the error would have been visible in the FTP client.

So to anyone encountering this, I would recommend either temporarily disabling encryption in vsftpd in order to see the error or, if that is not an option, using a packet sniffer to view the error.
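
The same check can be run over a saved capture instead of reading it by eye: walk the server-to-client bytes as TLS records and look at whatever is left once the record framing stops making sense. This is an added example, not part of the original post; the function names and the sample stream are constructed for illustration, and it assumes the stream was saved as raw bytes.

```python
import re
import struct

TLS_CONTENT_TYPES = {20, 21, 22, 23}   # change_cipher_spec, alert, handshake, application_data
MAX_RECORD_LEN = 16384 + 2048          # upper bound on a TLS ciphertext record body
FTP_REPLY = re.compile(rb"[1-5]\d\d[ -][^\r\n]*")  # three-digit code, separator, text


def make_record(payload, ctype=23, version=(3, 1)):
    """Build a TLS record (used only to construct the sample below)."""
    return struct.pack("!BBBH", ctype, *version, len(payload)) + payload


def split_tls_records(stream):
    """Walk stream as TLS records; return (records, offset where framing stopped)."""
    records, pos = [], 0
    while pos + 5 <= len(stream):
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, pos)
        if ctype not in TLS_CONTENT_TYPES or major != 3 or length > MAX_RECORD_LEN:
            break                       # not a plausible record header
        if pos + 5 + length > len(stream):
            break                       # record truncated by end of capture
        records.append((ctype, (major, minor), length))
        pos += 5 + length
    return records, pos


def find_plaintext_reply(stream):
    """Report any FTP reply sitting in the bytes that follow the last valid record."""
    records, pos = split_tls_records(stream)
    tail = stream[pos:]
    match = FTP_REPLY.search(tail)
    header = None
    if len(tail) >= 3:
        header = (tail[0], (tail[1], tail[2]))  # how a TLS parser would read these bytes
    return {
        "records": len(records),
        "offset": pos,
        "bogus_header": header,
        "reply": match.group(0).decode("ascii", "replace") if match else None,
    }


# Constructed sample: two application-data records, then the plain-text error from the post.
SAMPLE = (make_record(bytes(range(40))) + make_record(bytes(range(200, 230)))
          + b"500 OOPS: Cannot change directory: /foo\r\n")

if __name__ == "__main__":
    print(find_plaintext_reply(SAMPLE))
```

For the sample, bogus_header comes out as (53, (48, 48)): the ASCII bytes "500" read as a record type and version, which is consistent with the client complaining about an illegal record version rather than showing the FTP error.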

I figured I would post this since Google didn’t bring up much that was useful as I was debugging this. :)

____________________________________________________________________

14 Responses to “vsftpd debugging”

  1. mouser says:

    Awesome discovery.. that really is tricky isn’t it? What’s the point of an error log if you don’t log errors!

  2. Mathias says:

    Thanks a bunch for posting this! Just helped me out, big time.

  3. Daniel says:

    Thanks, this did it for me…

    quite a stinker in this respect, vsftpd

    Regards,

    Daniel

  4. Christophe says:

    Thanks a lot, I searched for a while, too.. !

  5. adeger says:

    Thanks for this great tip/observation. I was getting failures with encrypted PASV channel negotiations (due to a known bug in VSFTPD 2.2.0) and couldn’t really see them until I retried unencrypted.

  6. Ferdinando says:

    Thanks a LOT from Italy!
    You’ve just allowed me to start an early weekend :-)
    I’ve set up VSFTPD with PAM+MySQL virtual users and TLS/SSL… and I forgot to create the virtual user homedir before connecting.
    Too bad that VSFTPD virtual user’s home directories cannot be created “on-the-fly”… or maybe via PAM??? Who knows… I’ll Google for it on Monday :-)

  7. peter says:

    This is great, still helping. Thanks!

  8. Srinivas says:

    Awesome! you saved me.
    Thanks,
    Srinivas

  9. ug says:

    Great information here. Not available at many places. In my case I had 700 perms and FileZilla+vsftpd threw this error. The moment I did 750 on my home dir, I saw the dir listing.

    Alternatively, I have decided to use the two lines below in addition to chroot_local_user=YES.

    chroot_list_enable=YES
    chroot_list_file=/etc/vsftpd/chroot_list

    vsftpd/chroot_list has my username in it. With these three lines and 700 perms on my home directory, it still works fine. Didn’t need to make 750 in this case.

    Of course I force SSL for login and data, which I didn’t mention before, but all this is happening because of that so.. :)


____________________________________________________________________
