We've deployed a new FreeBSD cloud server and configured it identically to our older ones, but it doesn't do vsftpd TLS file transfers well. Files of more than a few KBs hang at 0% on every client. Small file transfers are fine. Plain FTP has no issues.
We're suspecting something was fundamentally changed on FreeBSD 11 to cause this issue with an identical configuration; our other servers run on 10.
- Clearing the SSH cache on the client doesn't help
- Disabling the firewall doesn't help
- The issue cannot be replicated with the same version of vsftpd on older servers
- The logs don't show anything out of the ordinary
- The passive port range has been confirmed many times
- The same client has no issues with transferring files to older servers
- There's a ton of storage available
- Using a self-signed certificate instead doesn't help
- We've played with the file permissions of the certificate despite the main (not worker) vsftpd process running as root
What are we missing?
Update: We thought we could no longer replicate the issue but it returned. We enabled SSL debugging (thanks to Aiden) and restarted vsftpd. The following can be found in the log. Naturally, we searched the internet again only to find no solution. We've decided to switch to sftp now.
Sun Sep 1 08:41:08 2019 [pid 61538] CONNECT: Client "193.200.80.188"
Sun Sep 1 08:41:08 2019 [pid 61538] DEBUG: Client "193.200.80.188", "SSL version: TLSv1/SSLv3, SSL cipher: ECDHE-RSA-AES256-GCM-SHA384, not reused, no cert"
Sun Sep 1 08:41:08 2019 [pid 61396] [test.user] OK LOGIN: Client "193.200.80.188"
Sun Sep 1 08:41:08 2019 [pid 61538] [test.user] DEBUG: Client "193.200.80.188", "SSL version: TLSv1/SSLv3, SSL cipher: ECDHE-RSA-AES256-GCM-SHA384, reused, no cert"
Sun Sep 1 08:41:08 2019 [pid 61538] [test.user] DEBUG: Client "193.200.80.188", "SSL shutdown state is: NONE"
Sun Sep 1 08:41:08 2019 [pid 61538] [test.user] DEBUG: Client "193.200.80.188", "SSL shutdown state is: SSL_SENT_SHUTDOWN"
Sun Sep 1 08:41:08 2019 [pid 61538] [test.user] DEBUG: Client "193.200.80.188", "SSL shutdown state is: 3"
You can allow SSL debugging, meaning OpenSSL connection diagnostics are recorded to the vsftpd log file, with the debug_ssl option and check further.
debug_ssl=YES