Distroname and release: Debian Squeeze

ProFTPD with TLS

It is rather simple to get ProFTPD working with TLS / SSL, so that your FTP logins and transfers are encrypted.

I assume that you already have a running ProFTPD installation and that OpenSSL is installed and configured, so it is ready to use. If not, please take a look at the OpenSSL howto http://www.linuxlasse.net/linux/howtos/24 first, so that you are ready to create the certificate.

Create the certificates

Create an SSL directory in which we will store the generated certificate and key file.
#mkdir /etc/proftpd/ssl
Now we can create the certificate for use with ProFTPD.
#openssl req -new -days 600 -key ca.key -out ftp.csr
#sh sign ftp.csr
Copy the newly created certificate and the CA .key file to the ssl directory.
Note that we will use a CA key file without a passphrase. If you do not have one yet, create it.

Creating an insecure (passphrase-less) CA key file.
#openssl rsa -in ca.key -out insecure_ca.key
#cp insecure_ca.key /etc/proftpd/ssl/
#cp ftp.crt /etc/proftpd/ssl/

ProFTPD Configuration

We want to make sure that mod_tls is loaded when proftpd is running; the module is required for TLS / SSL.
Uncomment the following line in modules.conf if it is commented out.
/etc/proftpd/modules.conf
LoadModule mod_tls.c
Next, configure the TLS / SSL part of ProFTPD.
Add or uncomment the following lines in the tls.conf file.
/etc/proftpd/tls.conf
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol SSLv23

TLSRSACertificateFile                   /etc/proftpd/ssl/ftp.crt
TLSRSACertificateKeyFile                /etc/proftpd/ssl/insecure_ca.key

#Set to "on" to require TLS / SSL, i.e. allow only encrypted logins and transfers.
TLSRequired off

#Work around some clients disconnecting with SSL / TLS errors
TLSOptions NoSessionReuseRequired
</IfModule>
The TLS / SSL part of ProFTPD is now configured, but the settings in tls.conf are only loaded if that file is included from proftpd.conf.
Add the following line to proftpd.conf.
/etc/proftpd/proftpd.conf
Include /etc/proftpd/tls.conf
Finally, restart proftpd.
#/etc/init.d/proftpd restart
Now try to connect from your client using FTPES (explicit FTP over TLS).
You will get a certificate warning, because the certificate comes from a certificate authority the client does not trust (your own CA), unless you have used a commercial CA such as VeriSign or have added your own CA to the client's trusted authorities. So just accept this warning if you get it.
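As an added check (example code written for this page, not part of the howto or of ProFTPD), the following Python script parses a tls.conf fragment in the one-directive-per-line format shown above and flags the settings a defender would tighten: a TLSProtocol of SSLv23 (which means "any version", SSLv2 and SSLv3 included), TLSRequired off (plaintext logins are still accepted), and a server key whose name suggests it is the CA key, as the howto reuses the CA key for the server; a dedicated server key means a compromised FTP host cannot sign new certificates. The hardened fragment and the path /etc/proftpd/ssl/ftp.key are assumptions; TLSv1.2 and TLSv1.3 are TLSProtocol keywords in current mod_tls, older builds accept fewer, so use the subset your mod_tls documents.

```python
"""Lint a ProFTPD tls.conf fragment for weak mod_tls settings.

Added example for this page, not code from the howto or from ProFTPD.
Both fragments below are constructed: WEAK_TLS_CONF mirrors the howto's
tls.conf, HARDENED_TLS_CONF is an assumed tightened version of it.
"""
import os
import re
from typing import Dict, List, Tuple

WEAK_TLS_CONF = """\
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol SSLv23

TLSRSACertificateFile                   /etc/proftpd/ssl/ftp.crt
TLSRSACertificateKeyFile                /etc/proftpd/ssl/insecure_ca.key

#Require TLS / SSL, force encrypted logins and transfers only.
TLSRequired off

#Fix that some clients disconnects with SSL / TLS errors
TLSOptions NoSessionReuseRequired
</IfModule>
"""

# Assumed hardened variant: TLS 1.2+ only, TLS mandatory, dedicated server key.
# ftp.key is an assumed file name; older mod_tls builds may not know TLSv1.3.
HARDENED_TLS_CONF = """\
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol TLSv1.2 TLSv1.3
TLSRSACertificateFile /etc/proftpd/ssl/ftp.crt
TLSRSACertificateKeyFile /etc/proftpd/ssl/ftp.key
TLSRequired on
TLSOptions NoSessionReuseRequired
</IfModule>
"""

Finding = Tuple[str, str]  # (directive, problem)

SSL_ERA = {"sslv2", "sslv3", "sslv23"}   # SSLv23 means "any version"
DEPRECATED_TLS = {"tlsv1", "tlsv1.1"}    # deprecated by RFC 8996


def parse_directives(text: str) -> Dict[str, List[str]]:
    """Parse ProFTPD's one-directive-per-line format into {name: args}.

    Directive names are case-insensitive in ProFTPD, so keys are lower-cased.
    Comments, blank lines and the <IfModule>/</IfModule> wrapper are skipped;
    nested contexts are not modelled because tls.conf holds a single block.
    """
    directives: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        name, *args = line.split()
        directives[name.lower()] = args
    return directives


def check_tls_conf(text: str) -> List[Finding]:
    """Return the weak settings found in a tls.conf fragment (empty = clean)."""
    d = parse_directives(text)
    findings: List[Finding] = []

    if d.get("tlsengine") != ["on"]:
        findings.append(("TLSEngine", "not 'on'; mod_tls offers no TLS at all"))

    protos = [p.lower() for p in d.get("tlsprotocol", [])]
    if not protos:
        findings.append(("TLSProtocol", "not set; pin it explicitly to TLSv1.2 or newer"))
    ssl_era = sorted(p for p in protos if p in SSL_ERA)
    if ssl_era:
        findings.append(("TLSProtocol", f"allows SSL-era versions {ssl_era}; SSLv2/SSLv3 are broken"))
    old_tls = sorted(p for p in protos if p in DEPRECATED_TLS)
    if old_tls:
        findings.append(("TLSProtocol", f"allows deprecated versions {old_tls}"))

    # mod_tls defaults TLSRequired to off, so a missing directive is as weak as 'off'.
    required = [v.lower() for v in d.get("tlsrequired", ["off"])]
    if required != ["on"]:
        findings.append(("TLSRequired",
                         f"is {' '.join(required)!r}; plaintext logins or transfers are still accepted"))

    key = d.get("tlsrsacertificatekeyfile")
    if not key:
        findings.append(("TLSRSACertificateKeyFile", "no private key configured"))
    else:
        # Heuristic: a 'ca' word in the file name suggests the CA key is reused as server key.
        words = re.split(r"[._-]", os.path.basename(key[0]).lower())
        if "ca" in words:
            findings.append(("TLSRSACertificateKeyFile",
                             f"{key[0]} looks like the CA private key; use a dedicated server key"))

    if "tlslog" not in d:
        findings.append(("TLSLog", "not set; handshake failures will not be recorded"))
    return findings


if __name__ == "__main__":
    for label, conf in (("howto", WEAK_TLS_CONF), ("hardened", HARDENED_TLS_CONF)):
        report = check_tls_conf(conf)
        print(f"{label}: {len(report)} finding(s)")
        for directive, problem in report:
            print(f"  {directive}: {problem}")
```

Run it against your own /etc/proftpd/tls.conf by reading the file into check_tls_conf(); the howto's fragment yields three findings (TLSProtocol, TLSRequired, the key file), the hardened one yields none. The CA-key check is a file-name heuristic only; the real test is whether the key that signs certificates lives on the FTP host at all.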

Known issues

TLS Handshake violates protocol
Nov 17 09:31:11 mod_tls/2.1.2[29801]: TLS/TLS-C requested, starting TLS handshake
Nov 17 09:31:32 mod_tls/2.1.2[29801]: unable to accept TLS connection: received EOF that violates protocol
Nov 17 09:31:32 mod_tls/2.1.2[29801]: TLS/TLS-C negotiation failed on control channel
Nov 17 09:31:37 mod_tls/2.1.2[29802]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
The above is likely to happen if the server is behind a router or firewall that inspects packets on the default port 21.
In my case I tried to connect to the server from a location where I was behind an ISA server. ISA does not support FTP with TLS, so I got this error.
It worked as soon as I used another connection where I was not behind an ISA server.

Solution
An easy solution is to change the port, for example to 2121, in proftpd.conf.
/etc/proftpd/proftpd.conf
Port				2121
Another option could be to disable the filtering of port 21 on the router/firewall/ISA server.
I know that there is detailed ISA information on how to accomplish this.
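To tell the situation above apart from ordinary client errors in a busy tls.log, the following Python script (an added example for this page, not code from the howto or from ProFTPD) groups TLSLog lines by session PID, pairs each "starting TLS handshake" entry with its outcome, and measures how long the handshake hung before the peer closed the connection. The howto's log shows a 21-second stall before the EOF, which is the signature of something in the path waiting for plaintext FTP; an EOF in the same second is more typical of a client rejecting the certificate or protocol. The sample log is constructed from the howto's four lines plus two invented sessions, and the 5-second stall threshold is an assumption.

```python
"""Triage mod_tls handshake failures from a ProFTPD TLSLog.

Added example for this page, not code from the howto or from ProFTPD.
It pairs each session's "starting TLS handshake" entry with its outcome and
measures how long the handshake hung before failing, so a stall followed by
EOF (the pattern in the howto) is separated from immediate client errors.
"""
import re
from datetime import datetime
from typing import Dict

# Constructed sample: the howto's four lines (sessions 29801/29802), plus a
# session that completes (29850; its 'connection accepted' line is a
# constructed approximation of mod_tls's wording) and one that fails at once (29860).
SAMPLE_TLS_LOG = """\
Nov 17 09:31:11 mod_tls/2.1.2[29801]: TLS/TLS-C requested, starting TLS handshake
Nov 17 09:31:32 mod_tls/2.1.2[29801]: unable to accept TLS connection: received EOF that violates protocol
Nov 17 09:31:32 mod_tls/2.1.2[29801]: TLS/TLS-C negotiation failed on control channel
Nov 17 09:31:37 mod_tls/2.1.2[29802]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
Nov 17 09:40:02 mod_tls/2.1.2[29850]: TLS/TLS-C requested, starting TLS handshake
Nov 17 09:40:03 mod_tls/2.1.2[29850]: TLSv1.2 connection accepted, using cipher AES256-GCM-SHA384 (256 bits)
Nov 17 09:45:10 mod_tls/2.1.2[29860]: TLS/TLS-C requested, starting TLS handshake
Nov 17 09:45:10 mod_tls/2.1.2[29860]: unable to accept TLS connection: received EOF that violates protocol
Nov 17 09:45:10 mod_tls/2.1.2[29860]: TLS/TLS-C negotiation failed on control channel
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) mod_tls/[\d.]+\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
START_MARK = "starting TLS handshake"
FAIL_PREFIX = "unable to accept TLS connection: "


def parse_tls_log(text: str) -> Dict[int, dict]:
    """Group TLSLog lines by session PID and record each handshake's outcome.

    Syslog-style timestamps carry no year, so stall times are only meaningful
    within one log file; they are measured from the start line to the failure.
    """
    sessions: Dict[int, dict] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a mod_tls line; ignore
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        pid = int(m["pid"])
        msg = m["msg"]
        s = sessions.setdefault(pid, {"pid": pid, "start": None, "outcome": "unknown",
                                      "reason": None, "stall_s": None})
        if msg.endswith(START_MARK):
            s["start"], s["outcome"] = ts, "pending"
        elif msg.startswith(FAIL_PREFIX):
            s["outcome"] = "failed"
            s["reason"] = msg[len(FAIL_PREFIX):]
            if s["start"] is not None:
                s["stall_s"] = int((ts - s["start"]).total_seconds())
        elif "connection accepted" in msg:
            s["outcome"] = "ok"
    return sessions


def summarize(sessions: Dict[int, dict], stall_threshold_s: int = 5) -> dict:
    """Count handshakes by outcome. The (assumed) stall threshold separates a
    handshake that hung before the peer closed from one rejected at once."""
    started = [s for s in sessions.values() if s["start"] is not None]
    eof = [s for s in started if s["outcome"] == "failed" and "EOF" in (s["reason"] or "")]
    stalled = [s for s in eof if (s["stall_s"] or 0) >= stall_threshold_s]
    return {
        "handshakes": len(started),
        "ok": sum(1 for s in started if s["outcome"] == "ok"),
        "eof_failures": len(eof),
        "stalled_eof_failures": len(stalled),
        "stalled_pids": [s["pid"] for s in stalled],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_tls_log(SAMPLE_TLS_LOG)).items():
        print(f"{key}: {value}")
```

Feed it the real file with parse_tls_log(open("/var/log/proftpd/tls.log").read()); a cluster of stalled EOF failures while other sessions complete points at a path-dependent problem like the ISA case, whereas EOFs without any stall argue for looking at the client or the certificate instead.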

Passive/active mode and ip_conntrack_ftp

Standard active FTP uses ports 20 and 21. Passive FTP uses port 21 plus some "random" passive ports.
These passive ports must be opened in the firewall, UNLESS you use the ip_conntrack_ftp module:
modprobe ip_conntrack_ftp
For FTPS this is NOT possible, since the connection is encrypted and the module has no way of inspecting it.

In short:
Active FTP:
Ports 20+21, where both ports must be opened in the firewall.
Passive FTP:
Port 21 AND passive ports, where port 21 and the passive ports must be opened in the firewall,
OR
Port 21, random ports and the ip_conntrack_ftp module, where only port 21 must be opened in the firewall.

Active FTPS: Ports 20+21, where both ports must be opened in the firewall.

Passive FTPS:
Port 21 AND passive ports, where all of these ports must be opened in the firewall.
Do not trust the author's words! POC, tests and experience are key.

Copyright LinuxLasse.net 2009 - 2024 All Rights Reserved.
