vsftpd: add support for SSL/TLS encrypted FTP sessions

This commit enables SSL/TLS support in vsftpd, allowing FTP communications to be encrypted for improved security. SSL/TLS support is enabled by default, but to preserve compatibility with clients that do not support encrypted connections, this feature can be disabled at runtime. Users can simply comment or uncomment a few lines in the `vsftpd.conf` configuration file to toggle the behavior. Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
2025-06-12 11:19:58 +02:00 · 2025-06-12 11:19:58 +02:00 · 5947b0cc9c
parent bd71ef76e5
commit 5947b0cc9c
5 changed files with 124 additions and 1 deletions
--- a/meta-digi-dey/recipes-connectivity/vsftpd/vsftpd/0001-builddefs-add-support-to-OpenSSL.patch
+++ b/meta-digi-dey/recipes-connectivity/vsftpd/vsftpd/0001-builddefs-add-support-to-OpenSSL.patch
@ -0,0 +1,23 @@
+From: Arturo Buzarra <arturo.buzarra@digi.com>
+Date: Wed, 4 Jun 2025 09:15:27 +0200
+Subject: [PATCH] builddefs: add support to OpenSSL
+
+Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
+---
+ builddefs.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/builddefs.h b/builddefs.h
+index 0106d1a..83de674 100644
+--- a/builddefs.h
+++ b/builddefs.h
+@@ -1,9 +1,9 @@
+ #ifndef VSF_BUILDDEFS_H
+ #define VSF_BUILDDEFS_H
+
+ #define VSF_BUILD_TCPWRAPPERS
+ #define VSF_BUILD_PAM
+-#undef VSF_BUILD_SSL
+#define VSF_BUILD_SSL
+
+ #endif /* VSF_BUILDDEFS_H */
--- a/meta-digi-dey/recipes-connectivity/vsftpd/vsftpd/vsftpd-cert
+++ b/meta-digi-dey/recipes-connectivity/vsftpd/vsftpd/vsftpd-cert
@ -0,0 +1,12 @@
+#!/bin/sh
+
+# Generate self-signed certificate and key if they don't already exist
+if [ ! -f "/etc/##VSFTPD_PEM##" ] || [ ! -f "/etc/##VSFTPD_KEY##" ]; then
+	openssl req ##VSFTPD_KEY_SIGN_PKCS## ##VSFTPD_KEY_REQ_ARGS## \
+		-out /etc/##VSFTPD_PEM## \
+		-keyout /etc/##VSFTPD_KEY##
+	chmod 400 /etc/##VSFTPD_KEY##
+	echo "SSL/TLS certificate generated"
+else
+	echo "SSL/TLS certificate already exists"
+fi
--- a/meta-digi-dey/recipes-connectivity/vsftpd/vsftpd/vsftpd-cert.service
+++ b/meta-digi-dey/recipes-connectivity/vsftpd/vsftpd/vsftpd-cert.service
@ -0,0 +1,11 @@
+[Unit]
+Description=Vsftpd ftp daemon certificate generation
+Before=vsftpd.service
+ConditionPathExists=!/etc/##VSFTPD_PEM##
+
+[Service]
+Type=oneshot
+ExecStart=/etc/vsftpd-cert
+
+[Install]
+WantedBy=multi-user.target
--- a/meta-digi-dey/recipes-connectivity/vsftpd/vsftpd/vsftpd.conf
+++ b/meta-digi-dey/recipes-connectivity/vsftpd/vsftpd/vsftpd.conf
@ -18,3 +18,12 @@ connect_from_port_20=YES
 file_open_mode=0777
 local_umask=022
 anon_umask=022
+
+# These options specifies the location of the RSA certificate to use for SSL
+# encrypted connections.
+ssl_enable=YES
+rsa_cert_file=/etc/##VSFTPD_PEM##
+rsa_private_key_file=/etc/##VSFTPD_KEY##
+# SSL session reuse is enabled by default to enhance security.
+# Set to NO if clients have issues with data connections.
+#require_ssl_reuse=NO
--- a/meta-digi-dey/recipes-connectivity/vsftpd/vsftpd_%.bbappend
+++ b/meta-digi-dey/recipes-connectivity/vsftpd/vsftpd_%.bbappend
@ -1,7 +1,28 @@
-# Copyright (C) 2013-2019, Digi International Inc.
+# Copyright (C) 2013-2025, Digi International Inc.

 FILESEXTRAPATHS:prepend := "${THISDIR}/${BPN}:"

+SRC_URI:append = " \
+	${@bb.utils.contains('PACKAGECONFIG', 'openssl', 'file://0001-builddefs-add-support-to-OpenSSL.patch', '', d)} \
+	${@bb.utils.contains('PACKAGECONFIG', 'openssl', 'file://vsftpd-cert', '', d)} \
+	${@bb.utils.contains('PACKAGECONFIG', 'openssl', 'file://vsftpd-cert.service', '', d)} \
+"
+
+RDEPENDS:${PN}:append = "${@bb.utils.contains('PACKAGECONFIG', 'openssl', ' ${PN}-cert', '', d)}"
+
+PACKAGECONFIG:append = " openssl "
+PACKAGECONFIG[openssl] = ",,openssl"
+
+LDFLAGS += "${@bb.utils.contains('PACKAGECONFIG', 'openssl', '-lssl -lcrypto', '', d)}"
+
+VSFTPD_PEM ?= "vsftpd.pem"
+VSFTPD_KEY ?= "vsftpd.key"
+# args to openssl req (Default is -batch for non interactive mode and
+# -newkey for new certificate)
+VSFTPD_KEY_REQ_ARGS ?= "-nodes -batch -newkey rsa:2048"
+# Standard format for public key certificate
+VSFTPD_KEY_SIGN_PKCS ?= "-x509"
+
 do_install:append() {
    if ! test -z "${PAMLIB}" ; then
        # Access through Pluggable Authentication Modules (PAM)
@ -12,4 +33,51 @@ do_install:append() {
        echo "d /run/vsftpd/empty 0755 root root -" \
        > ${D}${sysconfdir}/tmpfiles.d/${BPN}.conf
    fi
+    if ${@bb.utils.contains('PACKAGECONFIG', 'openssl', 'true', 'false', d)}; then
+        VSFTPD_PEM_BASE_NAME=$(basename ${VSFTPD_PEM})
+        VSFTPD_KEY_BASE_NAME=$(basename ${VSFTPD_KEY})
+        #  Install user certificate if provided
+        if [ -f "${VSFTPD_PEM}" ] && [ -f "${VSFTPD_KEY}" ]; then
+            install -m 0644 ${VSFTPD_PEM} ${D}${sysconfdir}/${VSFTPD_PEM_BASE_NAME}
+            install -m 0400 ${VSFTPD_KEY} ${D}${sysconfdir}/${VSFTPD_KEY_BASE_NAME}
+        fi
+
+        # Install systemd service
+        if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+            # Install systemd unit files
+            install -d ${D}${systemd_unitdir}/system
+            install -m 0644 ${WORKDIR}/vsftpd-cert.service ${D}${systemd_unitdir}/system/
+            sed -i -e "s@##VSFTPD_PEM##@${VSFTPD_PEM_BASE_NAME}@g" \
+                   "${D}${systemd_unitdir}/system/vsftpd-cert.service"
+        fi
+
+        # Install init script to generate certificate on target
+        install -d ${D}${sysconfdir}/init.d
+        install -m 0755 ${WORKDIR}/vsftpd-cert ${D}${sysconfdir}/vsftpd-cert
+        sed -i -e "s@##VSFTPD_PEM##@${VSFTPD_PEM_BASE_NAME}@g" \
+               -e "s@##VSFTPD_KEY##@${VSFTPD_KEY_BASE_NAME}@g" \
+               -e "s@##VSFTPD_KEY_SIGN_PKCS##@${VSFTPD_KEY_SIGN_PKCS}@g" \
+               -e "s@##VSFTPD_KEY_REQ_ARGS##@${VSFTPD_KEY_REQ_ARGS}@g" \
+               "${D}${sysconfdir}/vsftpd-cert"
+        ln -sf ${sysconfdir}/vsftpd-cert ${D}${sysconfdir}/init.d/vsftpd-cert
+
+        # Customize vsftpd.conf
+        sed -i -e "s@##VSFTPD_PEM##@${VSFTPD_PEM_BASE_NAME}@g" \
+               -e "s@##VSFTPD_KEY##@${VSFTPD_KEY_BASE_NAME}@g" \
+               "${D}${sysconfdir}/vsftpd.conf"
+    fi
 }
+
+PACKAGES =+ "${PN}-cert"
+FILES:${PN}-cert = " \
+    ${sysconfdir}/vsftpd-cert \
+    ${sysconfdir}/init.d/vsftpd-cert \
+    ${systemd_unitdir}/system/vsftpd-cert.service \
+"
+
+INITSCRIPT_PACKAGES += "${@bb.utils.contains('PACKAGECONFIG', 'openssl', '${PN}-cert', '', d)}"
+INITSCRIPT_NAME:${PN}-cert = "vsftpd-cert"
+INITSCRIPT_PARAMS:${PN}-cert = "start 99 3 5 . stop 20 0 1 2 6 ."
+
+SYSTEMD_PACKAGES += "${@bb.utils.contains('PACKAGECONFIG', 'openssl', '${PN}-cert', '', d)}"
+SYSTEMD_SERVICE:${PN}-cert = "vsftpd-cert.service"