Distroname and release: Debian Squeeze
ProFTPD with TLS

It is rather simple to get ProFTPD working with TLS / SSL, so that you get encryption on your FTP logins and on the transfers.

I assume that you already have a running, working ProFTPD installation, and that you have already installed and configured OpenSSL, so it is ready to use. If not, please take a look at the OpenSSL howto http://www.linuxlasse.net/linux/howtos/24 first, so that you are ready to create the certificate.
Create the certificates

Create an SSL directory that we will store our generated certificate and key file in.

#mkdir /etc/proftpd/ssl

Now we can create the certificate for use with ProFTPD.

#openssl req -new -days 600 -key ca.key -out ftp.csr
#sh sign ftp.csr

Copy the newly created certificate, and the CA .key file as well, to the ssl directory.
Note that we will use a CA key file without a passphrase! If you do not have one yet, create it now.

Creating an insecure CA key file:

#openssl rsa -in ca.key -out insecure_ca.key

#cp insecure_ca.key /etc/proftpd/ssl/
#cp ftp.crt /etc/proftpd/ssl/
ProFTPD Configuration

We want to make sure that mod_tls is loaded when proftpd is running. The module is required for TLS / SSL usage.

Uncomment the line in the modules.conf file if it is commented out.

/etc/proftpd/modules.conf
LoadModule mod_tls.c

Next configure the TLS / SSL part of ProFTPD.

Add / uncomment the following lines in the tls.conf file.

/etc/proftpd/tls.conf
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol SSLv23
TLSRSACertificateFile /etc/proftpd/ssl/ftp.crt
TLSRSACertificateKeyFile /etc/proftpd/ssl/insecure_ca.key
# Set to on to require TLS / SSL, forcing encrypted logins and transfers only
TLSRequired off
# Fix that some clients disconnect with SSL / TLS errors
TLSOptions NoSessionReuseRequired
</IfModule>

Now we have configured the TLS / SSL part of ProFTPD, but although the module is loaded, the settings in the tls.conf file still need to be loaded as well.
This is done by including the tls.conf inside proftpd.conf.
/etc/proftpd/proftpd.conf
Include /etc/proftpd/tls.conf

Finally we will need to restart proftpd.

#/etc/init.d/proftpd restart

Now, try to connect with FTPES on your client.
You will get a certificate warning, because the certificate comes from an untrusted certificate authority (your own), unless you have used for example VeriSign, or your client trusts your own CA. So just ignore/accept this warning if you get it.
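As an added check that is not part of the original howto: a small Python linter over the tls.conf fragment above, which flags the two settings a defender should revisit before exposing the server (TLSRequired off still accepts plaintext logins, and TLSProtocol SSLv23 still permits SSLv3). The sample input is the fragment from this page embedded inline; the function names are my own.

```python
import re

# Sample input: the tls.conf fragment shown in this howto, embedded inline.
SAMPLE_TLS_CONF = """\
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol SSLv23
TLSRSACertificateFile /etc/proftpd/ssl/ftp.crt
TLSRSACertificateKeyFile /etc/proftpd/ssl/insecure_ca.key
TLSRequired off
TLSOptions NoSessionReuseRequired
</IfModule>
"""

def parse_tls_conf(text):
    """Map directive name (lowercased) to value for lines inside <IfModule mod_tls.c>."""
    directives = {}
    inside = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if re.match(r"<IfModule\s+mod_tls\.c>", line, re.IGNORECASE):
            inside = True
            continue
        if line.lower() == "</ifmodule>":
            inside = False
            continue
        if inside:
            parts = line.split(None, 1)  # ProFTPD directive names are case-insensitive
            directives[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return directives

def lint_tls_conf(text):
    """Return findings a defender should revisit; an empty list means none found."""
    d = parse_tls_conf(text)
    findings = []
    if d.get("tlsengine", "off").lower() != "on":  # mod_tls defaults to off
        findings.append("TLSEngine is not on: mod_tls will not offer TLS at all")
    for name in ("TLSRSACertificateFile", "TLSRSACertificateKeyFile"):
        if name.lower() not in d:
            findings.append(f"{name} is missing: the TLS handshake cannot succeed")
    if d.get("tlsrequired", "off").lower() == "off":  # default is off
        findings.append("TLSRequired off: plaintext logins and transfers are still accepted")
    if d.get("tlsprotocol", "").upper() in ("SSLV23", "SSLV3"):  # SSLv23 = SSLv3 + TLSv1
        findings.append("TLSProtocol permits SSLv3: restrict it to TLSv1 or newer")
    return findings
```

Once every client you care about connects cleanly, switch TLSRequired to on and rerun the linter; the findings list should be empty.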
Known issues

TLS Handshake violates protocol

Nov 17 09:31:11 mod_tls/2.1.2: TLS/TLS-C requested, starting TLS handshake
Nov 17 09:31:32 mod_tls/2.1.2: unable to accept TLS connection: received EOF that violates protocol
Nov 17 09:31:32 mod_tls/2.1.2: TLS/TLS-C negotiation failed on control channel
Nov 17 09:31:37 mod_tls/2.1.2: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)

The above is likely to happen if the server is behind a router or firewall that inspects packets on the default port 21.
In my case I tried to connect to the server from a location where I was behind an ISA server. ISA does not support FTP with TLS, so I got this error.
It worked as soon as I used another connection where I was not behind an ISA server.
An easy solution is to change the port, for example to 2121, in proftpd.conf.

/etc/proftpd/proftpd.conf
Port 2121

Another option could be to disable the filtering of port 21 on the router/firewall/ISA server.
I know that there is detailed ISA documentation on how to accomplish this.
Passive/active mode and ip_conntrack

Standard active FTP uses ports 20+21. If you are using passive FTP it is port 21 and some "random" passive ports.
These passive ports must be opened in the firewall, UNLESS you use the ip_conntrack_ftp module:

modprobe ip_conntrack_ftp

For FTPS this is NOT possible, since the connection is encrypted and the module has no way of inspecting the connections.

Active FTP: port 20+21, where both ports must be opened in the firewall.
Passive FTP: port 21 AND passive ports, where port 21 and the passive ports must be opened in the firewall.
Passive FTP with the ip_conntrack_ftp module: port 21 and random ports, where only port 21 must be opened in the firewall.
Active FTPS: port 20+21, where port 20+21 must be opened in the firewall.
Passive FTPS: port 21 AND passive ports, where these ports must be opened in the firewall.