LL      IIIII NN   NN KK  KK EEEEEEE RRRRRR  RRRRRR   OOOOO  RRRRRR 
LL       III  NNN  NN KK KK  EE      RR   RR RR   RR OO   OO RR   RR
LL       III  NN N NN KKKK   EEEEE   RRRRRR  RRRRRR  OO   OO RRRRRR 
LL       III  NN  NNN KK KK  EE      RR  RR  RR  RR  OO   OO RR  RR 
LLLLLLL IIIII NN   NN KK  KK EEEEEEE RR   RR RR   RR  OOOOO  RR   RR
                                                           ramblings
____________________________________________________________________
Posted on: Wednesday, April 22nd, 2009 at 03:56.
Filed under: All, ServerAdmin.
RSS 2.0 feed for comments.
You can leave a response, or trackback from your own site.

If you’re ever working with vsftpd, and filezilla dumps out this error:

GnuTLS error -8: A record packet with illegal version was received

You’re not finding any relevant error messages in your vsftpd log file, nor in the xferlog, nor in /var/log/messages ?

Well, vsftpd seems to be horribly un-verbose. The cause of this error is not because of some obscure TLS problem. What’s causing it is vsftpd dumping out a plain-text error in the middle of the encrypted data stream, causing the ftp client to pop out this error.

The only way to debug this was by packet sniffing the actual connection with wireshark. Following the TCP stream with wireshark, the error I was looking for in the log files, was clearly visible at the end of the TLS encrypted data, before the connection dropped.

Something like:

\5_TXC,[1d.c}$D12N8(,"ndKm:?Y5O\M)5{nj2*Uaiym8-T4rt2c'#/K(
dvU2@:M.&.X=:-A*4aUm3:)!)y5Kt$'&"ZQN:'v%X500 OOPS: Cannot change directory: /foo

It turned out to be a simple permissions issue… .
Why vsftpd isn’t logging these to it’s own log file, or even syslogd, who knows. At the most verbose configuration, it is logging all sorts of things, except the actual error causing the problem!

Had encryption not been enabled in vsftpd, the error would have been visible in the FTP client.

So to any one encountering this, I would recommend either temporarily disabling encryption in vsftpd in order to see the error, or if that is not an option, use a packet sniffer to view the error.

I figured I would post this since google didn’t bring up much useful as I was debugging this. :)

pixelstats trackingpixel
____________________________________________________________________

10 Responses to “vsftpd debugging”

  1. mouser says:

    Awesome discovery.. that really is tricky isn’t it? What’s the point of an error log if you don’t log errors!

  2. Mathias says:

    Thanks a bunch for posting this! Just helped me out, big time.

  3. Daniel says:

    Thanks, this did it for me…

    quite a stinker in this respect, vsftpd

    Regards,

    Daniel

  4. Christophe says:

    Thanks a lot, i searched for a while, too.. !

  5. adeger says:

    Thanks for this great tip/observation. I was getting failures with encrypted PASV channel negotiations (due to a known but in VSFTPD 2.2.0) and couldn’t really see them until I retried unencrypted.

  6. Ferdinando says:

    Thanks a LOT from Italy!
    You’ve just allowed me to start an early weekend :-)
    I’ve set up VSFTPD with PAM+MySQL virtual users and TLS/SSL… and I forgot to create the virtual user homedir before connecting.
    Too bad that VSFTPD virtual user’s home directories cannot be created “on-the-fly”… or maybe via PAM??? Who knows… I’ll Google for it on Monday :-)

  7. peter says:

    This is great, still helping. Thanks!

  8. Srinivas says:

    Awesome! you saved me.
    Thanks,
    Srinivas

  9. ug says:

    Great information here. Not available at many places. In my case I had 700 perms and filezilla+Vsftpd threw this error. Moment I did 750 on my home dir, I saw the dir listing.

    alternatively I have decided to use below two lines in addition to chroot_local_user=YES.

    chroot_list_enable=YES
    chroot_list_file=/etc/vsftpd/chroot_list

    vsftpd/chroot_list has my username in it. With these three lines and 700 perms on my home directory, it still works fine. Didn’t need to make 750 in this case.

    Ofcourse I force SSL for login and data which i didn’t mention before, but all this is happening because of that so.. :)

____________________________________________________________________

Leave a Reply