- Bug
- Resolution: Done-Errata
- Normal
- rhel-9.5
- vsftpd-3.0.5-6.el9
- Moderate
- rhel-sst-cs-net-perf-services
- ssg_core_services
- Red Hat Enterprise Linux
What were you trying to do that didn't work?
When trying to use ssl_tlsv1_3=YES to avoid allowing older insecure versions of TLS, vsftpd does not update FEAT output to show AUTH TLS as an available option. This is compounded by the fact that encryption is forced by default for regular user logins.
This leads to FTP clients that do NOT ignore FEAT and force AUTH TLS by default being unable to connect.
This works correctly on RHEL 8 but does not work on RHEL 9; I suspect this affects all versions of RHEL 9.
Note it currently does add AUTH TLS to the FEAT list, but only if use_ssl_tlsv1=YES is enabled, allowing older deprecated TLS to be used also.
Please provide the package NVR for which bug is seen:
vsftpd-3.0.5-5.el9.x86_64
How reproducible:
Every time.
Steps to reproduce
Add the following to the default /etc/vsftpd/vsftpd.conf:
ssl_enable=YES
ssl_tlsv1_3=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.pem
Then create the certificate:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem
Then start vsftpd:
systemctl start vsftpd
On the client, run the following; this tells lftp to actually use FEAT output:
lftp -e "debug 13; set ftp:trust-feat yes;" username@hostname
Expected results
It should show AUTH TLS in FEAT output.
Actual results
It does not show AUTH TLS in FEAT output, leading to clients that use FEAT output for FTP negotiation to fail to connect.
Links to: RHBA-2024:137750 vsftpd update
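A check for the expected result described above, written as an added example (not part of the original report and not vsftpd or lftp code): it parses an RFC 2389 FEAT reply and reports whether AUTH TLS is advertised. The two sample replies are constructed for illustration, and check_server is a hypothetical helper name.

```python
import ftplib

# Constructed sample replies (not captured from a real server).
FEAT_WITHOUT_AUTH = ("211-Features:\n EPRT\n EPSV\n MDTM\n PASV\n PBSZ\n PROT\n"
                     " REST STREAM\n SIZE\n TVFS\n UTF8\n211 End")
FEAT_WITH_AUTH = ("211-Features:\n AUTH TLS\n EPRT\n EPSV\n MDTM\n PASV\n PBSZ\n"
                  " PROT\n REST STREAM\n SIZE\n TVFS\n UTF8\n211 End")


def parse_feat(reply):
    """Return the set of feature lines (upper-cased) from a FEAT reply."""
    feats = set()
    for line in reply.replace("\r\n", "\n").split("\n"):
        # RFC 2389: each feature line begins with a single space; the
        # "211-" header and "211 End" trailer do not.
        if line.startswith(" ") and line.strip():
            feats.add(" ".join(line.split()).upper())
    return feats


def advertises_auth_tls(reply):
    """True if any AUTH feature line lists TLS as a mechanism."""
    for feat in parse_feat(reply):
        name, _, params = feat.partition(" ")
        # Some servers send "AUTH TLS", others a list such as "AUTH TLS;SSL;".
        mechanisms = [m for m in params.replace(";", " ").split() if m]
        if name == "AUTH" and "TLS" in mechanisms:
            return True
    return False


def check_server(host, port=21, timeout=10):
    """Connect, send FEAT before login, and report whether AUTH TLS is listed."""
    with ftplib.FTP() as ftp:
        ftp.connect(host, port, timeout=timeout)
        try:
            reply = ftp.sendcmd("FEAT")
        except ftplib.error_perm:
            # Server rejected FEAT (for example 500/502): nothing is advertised.
            return False
    return advertises_auth_tls(reply)


if __name__ == "__main__":
    print("without AUTH:", advertises_auth_tls(FEAT_WITHOUT_AUTH))
    print("with AUTH:   ", advertises_auth_tls(FEAT_WITH_AUTH))
```

Running check_server against a host with the configuration from the reproduction steps gives a pass/fail result that can be used to confirm the errata package is installed.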