As of vsftpd version 2.0.0, SSL / TLS support is provided.

The SSL / TLS support provides the ability to encrypt FTP logins and subsequent
commands, as well as the data transfers themselves. The encryption will, for
example, stop the stealing of sensitive passwords via network snooping.

By default, SSL support is disabled both at compile time and at runtime.
Before considering enabling / using SSL support, there are some security
considerations:

- Only enable SSL if absolutely necessary. Enabling SSL will allow attackers
to make use of any security problems in the OpenSSL libraries. Note that
the OpenSSL libraries are a large quantity of code and have had the occasional
security problem in the past.
For example, your server might use virtual users to control access to
non-sensitive download content. In this case, the passwords might not be
worth securing with SSL.

- After enabling SSL, consider restricting access to an SSL-enabled server
where feasible. For example, only the internal network might need access.


In order to enable and use SSL support, you need the following:

- vsftpd built with OpenSSL support. This is a decision your vsftpd packager
made, or if you are building vsftpd yourself, edit "builddefs.h" and change the
"#undef VSF_BUILD_SSL" to "#define VSF_BUILD_SSL".
- "ssl_enable=YES" in your vsftpd.conf.
- An SSL certificate. By default, an RSA certificate is looked for at the
location /usr/share/ssl/certs/vsftpd.pem. To get an RSA certificate, either
buy one from a certificate authority, or you can create your own self-signed
certificate. If you have OpenSSL installed, you may find a "Makefile" in
your shared certificates directory, e.g. /usr/share/ssl/certs. In that case,
go to that directory and type e.g. "make vsftpd.pem". Then answer the
questions you are asked. Alternatively, read the man page for "openssl".
- Also be aware of the following SSL-related parameters. Read the vsftpd.conf.5
manual page to learn about them: allow_anon_ssl, force_local_logins_ssl,
force_local_data_ssl, ssl_sslv2, ssl_sslv3, ssl_tlsv1, rsa_cert_file,
dsa_cert_file, ssl_ciphers.

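The steps above (a certificate, "ssl_enable=YES", and the SSL-related parameters) can be put together in a short shell script. The following is an added example, not part of the vsftpd distribution or its README: it generates a self-signed certificate the way the old certificate-directory Makefile does (key and certificate concatenated into one PEM file), writes a vsftpd.conf fragment using only the parameters named above, and audits a config file for the settings that matter most (SSL on, SSL forced for local logins and data, SSLv2 and SSLv3 off). The output paths, the subject name and the cipher string "HIGH" are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example for the vsftpd SSL README; not vsftpd's own code.
# Paths, the certificate subject and the cipher string are assumptions.

# Create a self-signed RSA certificate with the private key in the same PEM
# file, as "make vsftpd.pem" in /usr/share/ssl/certs does. $1 = output PEM.
# Does nothing (returns 0) when openssl is not installed.
make_self_signed_cert() {
    command -v openssl >/dev/null 2>&1 || return 0
    key=$(mktemp) && crt=$(mktemp) || return 1
    openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
        -subj "/CN=ftp.example.com" \
        -keyout "$key" -out "$crt" 2>/dev/null || return 1
    cat "$key" "$crt" > "$1"
    chmod 600 "$1"               # the file holds the private key
    rm -f "$key" "$crt"
}

# Write a vsftpd.conf fragment that enables SSL/TLS.
# $1 = output file, $2 = path of the PEM file (rsa_cert_file).
write_ssl_conf() {
    cat > "$1" <<EOF
ssl_enable=YES
rsa_cert_file=$2
allow_anon_ssl=NO
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
ssl_ciphers=HIGH
EOF
}

# Audit a vsftpd.conf: return 0 when SSL is enabled, forced for local users'
# logins and data, and SSLv2/SSLv3 are disabled; otherwise print each
# missing or weak setting and return 1.
audit_ssl_conf() {
    conf=$1
    rc=0
    for want in ssl_enable=YES force_local_logins_ssl=YES \
                force_local_data_ssl=YES ssl_sslv2=NO ssl_sslv3=NO; do
        if ! grep -qx "$want" "$conf"; then
            echo "missing or weak: $want"
            rc=1
        fi
    done
    return $rc
}

# Typical use (run as root, paths are examples):
#   make_self_signed_cert /usr/share/ssl/certs/vsftpd.pem
#   write_ssl_conf /etc/vsftpd-ssl.conf /usr/share/ssl/certs/vsftpd.pem
#   audit_ssl_conf /etc/vsftpd-ssl.conf && echo "SSL config looks sane"
```

audit_ssl_conf checks exact "key=value" lines, so a setting that is commented out or spelled with spaces around "=" counts as missing; this matches how vsftpd itself parses its config.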