Many administrators struggle with VSFTPD's implicit SSL configuration because the documentation isn't explicit about port handling. The key issue is that implicit SSL needs its own vsftpd listener process on port 990 (the implicit_ssl entry in the vsftpd.conf man page says a separate listener should be run for explicit SSL or plain text), while explicit SSL (the default) upgrades a plain session on port 21 with AUTH TLS.
Here's a working configuration for the implicit SSL listener on port 990. One vsftpd process serves one mode only: with implicit_ssl=YES the listener on listen_port expects a TLS handshake before any FTP command, so explicit SSL on port 21 needs a second vsftpd process started with its own configuration file. There is no listen_port6 option in vsftpd, and vsftpd refuses to start when a configuration file contains an unrecognised option.
listen=YES
listen_port=990
implicit_ssl=YES
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.key
The most important configuration lines are:
implicit_ssl=YES # TLS handshake first, before the 220 banner
listen_port=990 # The port this listener binds; implicit_ssl does not change it from the default 21
ssl_enable=YES # Required for either mode
For the explicit SSL instance, copy the file, set listen_port=21 and drop implicit_ssl. Two caveats: ssl_tlsv1=YES permits TLS 1.0 (set it to NO unless legacy clients need it), and require_ssl_reuse=NO lets a client open data connections without resuming the control channel's TLS session, which many clients require but which removes the check that the same client owns both connections.
Create a self-signed certificate with OpenSSL (Debian-specific paths; since no CA signs it, clients will have to trust this certificate explicitly):
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout /etc/ssl/private/vsftpd.key \
-out /etc/ssl/certs/vsftpd.pem
If the server fails to start:
- Check /var/log/vsftpd.log and the journal for errors; starting vsftpd in the foreground with the config path (vsftpd /etc/vsftpd.conf) prints the 500 OOPS line that names the problem, for example an unrecognised variable
- Verify certificate permissions (chmod 600 on the private key, owned by root; vsftpd reads it as root at startup)
- Test port availability: netstat -tulnp | grep 990 (or ss -tlnp on systems without netstat)
- Ensure no other FTP server is running
For Debian's UFW firewall:
ufw allow 21/tcp
ufw allow 990/tcp
ufw allow 40000:50000/tcp # Passive ports range
The passive range must match pasv_min_port and pasv_max_port in vsftpd.conf (the configuration above does not set them, so add pasv_min_port=40000 and pasv_max_port=50000). Opening the range explicitly is unavoidable once the control channel is encrypted: the kernel's FTP connection-tracking helper cannot read the PASV reply, so it cannot open data ports on demand.
Many administrators struggle with enabling Implicit SSL in VSFTPD because its implementation differs significantly from Explicit SSL. While the documentation mentions the implicit_ssl parameter, simply setting it to "YES" often leads to service failures without clear error messages: the listener keeps the default port 21 but now expects a TLS handshake before the banner, so every plain FTP or explicit SSL client that connects there fails.
Before proceeding, ensure you have:
sudo apt update
sudo apt install vsftpd openssl
And a valid SSL certificate at /etc/ssl/certs/vsftpd.pem. If missing, create one:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout /etc/ssl/private/vsftpd.key \
-out /etc/ssl/certs/vsftpd.pem
Here's a tested configuration for the Implicit SSL listener (Explicit SSL on port 21 needs a second vsftpd process with its own configuration file; one listener serves one mode):
listen=YES
listen_ipv6=NO
listen_port=990
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
# Turns off vsftpd's seccomp filter: a workaround for kernel/libc combinations where the filter kills sessions, not a setting to keep if the default works
seccomp_sandbox=NO
# SSL Configuration
ssl_enable=YES
implicit_ssl=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.key
1. The listen_port directive does not change on its own when implicit_ssl=YES is set; you must set listen_port=990 yourself. If listen_port appears twice in the file, the last value silently wins, which is a common reason a listener ends up on an unexpected port.
2. ssl_enable=YES is required alongside implicit_ssl=YES; the order of the two lines in the file does not matter.
3. listen_ipv6=NO is the default. The man page lists listen and listen_ipv6 as mutually exclusive, so do not set both to YES in one instance.
After saving the configuration, restart VSFTPD:
sudo systemctl restart vsftpd
Verify the listener:
sudo netstat -tulnp | grep vsftpd
With this file alone the output shows port 990 only; port 21 appears as well once the second, explicit SSL instance is running.
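The two-listener setup described above, as an added example that is not code from the original page or from the vsftpd project. It generates one configuration file per mode from a shared base, checks each file for the mistakes that keep "both ports" from appearing, and carries the firewall and hand-check steps. The directory /etc/vsftpd, the file names vsftpd-explicit.conf and vsftpd-implicit.conf, the 40000-50000 passive range and all function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: run two vsftpd listeners so explicit FTPS (port 21, AUTH TLS)
# and implicit FTPS (port 990, TLS before the banner) coexist. One vsftpd
# process serves one mode, so each mode gets its own config file.
# Assumptions (not from the page): configs live under /etc/vsftpd, the
# passive range is 40000-50000, and the function names are invented here.
set -eu

CONF_DIR="${CONF_DIR:-/etc/vsftpd}"
CERT="${CERT:-/etc/ssl/certs/vsftpd.pem}"
KEY="${KEY:-/etc/ssl/private/vsftpd.key}"
PASV_MIN=40000
PASV_MAX=50000

# Self-signed certificate; the key is root-only because vsftpd reads it as root.
make_cert() {
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/CN=$1" \
    -keyout "$KEY" -out "$CERT"
  chmod 600 "$KEY"
}

# Settings shared by both listeners. SSLv2/v3 and TLS 1.0 are off; TLS 1.1+
# stays enabled (ssl_tlsv1_1/ssl_tlsv1_2 narrow that further on vsftpd >= 3.0.3).
# require_ssl_reuse=NO is a client-compatibility concession: it drops the check
# that a data connection resumes the control channel's TLS session.
common_settings() {
  cat <<EOF
listen=YES
listen_ipv6=NO
anonymous_enable=NO
local_enable=YES
write_enable=YES
xferlog_enable=YES
pasv_enable=YES
pasv_min_port=$PASV_MIN
pasv_max_port=$PASV_MAX
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=NO
ssl_ciphers=HIGH
require_ssl_reuse=NO
rsa_cert_file=$CERT
rsa_private_key_file=$KEY
EOF
}

# Explicit FTPS: plain listener on 21; clients upgrade with AUTH TLS.
explicit_conf() { common_settings; printf 'listen_port=21\nimplicit_ssl=NO\n'; }

# Implicit FTPS: the TLS handshake is the first thing on the socket.
implicit_conf() { common_settings; printf 'listen_port=990\nimplicit_ssl=YES\n'; }

# Catch the mistakes that make "both ports" never show up: listen_port set twice
# (the last one silently wins), an option vsftpd does not know (it refuses to
# start), and implicit_ssl=YES left on the plain FTP port.
check_conf() {
  f="$1"
  n=$(grep -c '^listen_port=' "$f" || true)
  [ "$n" -eq 1 ] || { echo "$f: listen_port set $n times" >&2; return 1; }
  ! grep -q '^listen_port6=' "$f" || { echo "$f: listen_port6 is not a vsftpd option" >&2; return 1; }
  if grep -q '^implicit_ssl=YES$' "$f" && ! grep -q '^listen_port=990$' "$f"; then
    echo "$f: implicit_ssl=YES without listen_port=990" >&2; return 1
  fi
}

# Write and validate both files.
write_confs() {
  mkdir -p "$CONF_DIR"
  explicit_conf > "$CONF_DIR/vsftpd-explicit.conf"
  implicit_conf > "$CONF_DIR/vsftpd-implicit.conf"
  check_conf "$CONF_DIR/vsftpd-explicit.conf"
  check_conf "$CONF_DIR/vsftpd-implicit.conf"
}

# The encrypted control channel hides PASV replies from the kernel's FTP
# conntrack helper, so the passive range has to be opened outright.
firewall_rules() {
  ufw allow 21/tcp
  ufw allow 990/tcp
  ufw allow "$PASV_MIN:$PASV_MAX/tcp"
}

# Hand-check each listener: implicit speaks TLS at once, explicit needs
# s_client's FTP STARTTLS (AUTH TLS) emulation.
probe() {
  host="${1:-127.0.0.1}"
  printf 'QUIT\r\n' | openssl s_client -connect "$host:990" -quiet
  printf 'QUIT\r\n' | openssl s_client -connect "$host:21" -starttls ftp -quiet
}
```

Source the script, run make_cert with the server's host name, then write_confs and firewall_rules. vsftpd takes the configuration file path as its only argument, so the second listener is simply vsftpd /etc/vsftpd/vsftpd-implicit.conf; on a systemd host, give it a unit whose ExecStart points at that file alongside the stock one. After both are up, probe shows a TLS session on each port and netstat or ss lists 21 and 990.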
Problem: Service fails to start
Solution: Check journal logs with journalctl -xe (or start vsftpd in the foreground with the config path to see its 500 OOPS message) and ensure:
- Certificate paths are correct and the private key is readable by root only
- No port conflicts exist
- SELinux/AppArmor isn't blocking access
- No option is misspelled or unknown (vsftpd refuses to start on an unrecognised variable)
Problem: Clients can't connect to port 990
Solution: Verify firewall rules (plus the passive range from pasv_min_port/pasv_max_port), and confirm the client is set to implicit FTPS: an explicit-mode client sends a plain-text AUTH TLS that the port 990 listener, which expects a TLS handshake first, will reject.
sudo ufw allow 990/tcp
sudo ufw allow 21/tcp