HOWTO_FTPS_ProFTPD-TLS_SSL
PROFTPD with TLS/SSL
Here's a howto for setting up ProFTPD with TLS/SSL support, also known as FTPS.
First off, install openssl and create the cert.

# emerge openssl

Then add ssl to your USE flags by editing /etc/make.conf.

Next, install ProFTPD:

# emerge proftpd
Now, how do we create the certificate? No certificate, no SSL. Easy: run the following command to create one certificate file and one key file without encryption (this allows proftpd to start automatically; if we encrypt these files, a password has to be entered to unlock them every time proftpd starts). They will be valid for one year.
openssl req -new -x509 -days 365 -nodes -out /etc/ssl/certs/proftpd.crt.pem -keyout /etc/ssl/certs/proftpd.key.pem
You will be asked a lot of questions; it is completely safe to accept the defaults, but it is a good idea to enter some information so that people can see who made the certificate.
Fire up your favourite editor and edit this file: /etc/proftpd/proftpd.conf, then add the following under the global section.
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol SSLv23
TLSRequired on
TLSVerifyClient off
TLSOptions NoCertRequest
TLSRSACertificateFile /etc/ssl/certs/proftpd.crt.pem
TLSRSACertificateKeyFile /etc/ssl/certs/proftpd.key.pem
Now for some explanation.
- TLSEngine = [on, off] whether we want encryption or not.
- TLSLog = path to the log file.
- TLSProtocol = [SSLv3, TLSv1, SSLv23 (both SSLv3 and TLSv1)]
- TLSRequired = basically, what to encrypt. More info on the ProFTPD site.
- TLSVerifyClient = whether we accept certificates from the client.
- TLSOptions NoCertRequest = the server does not ask the client for a certificate, which works around some buggy clients.
- TLSRSACertificateFile = path to the certificate file.
- TLSRSACertificateKeyFile = path to the key file.
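Before starting the daemon it is worth checking that the directives above actually made it into the file and that the certificate and key referenced there belong together. The script below is an added example and is not part of the original howto or of ProFTPD itself; it assumes only POSIX sh and awk (plus openssl for the optional key-pair check), and the sample proftpd.conf it writes is constructed from the global section shown above.

```shell
#!/bin/sh
# Added example (not from the original howto): sanity-check the TLS directives
# in a proftpd.conf before starting the daemon. Assumes POSIX sh and awk;
# the sample config below is constructed for the demo.

# Print the value of a directive (first match, case-insensitive, leading
# whitespace ignored, comment lines skipped). Prints nothing if absent.
tls_directive() {
    # $1 = config file, $2 = directive name
    awk -v want="$2" '
        $1 ~ /^#/ { next }
        tolower($1) == tolower(want) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Check the directives the howto relies on. Returns 0 when TLS is enabled,
# required and backed by a certificate/key pair; 1 otherwise. Prints findings.
check_tls_directives() {
    conf="$1"
    status=0

    engine=$(tls_directive "$conf" TLSEngine)
    [ "$engine" = "on" ] || { echo "TLSEngine is '$engine', expected 'on'"; status=1; }

    required=$(tls_directive "$conf" TLSRequired)
    case "$required" in
        on)   echo "TLSRequired on: control and data channels must be encrypted" ;;
        auth) echo "TLSRequired auth: only authentication is encrypted (an FTP-aware firewall can still see PORT)" ;;
        off|"") echo "TLSRequired is '$required': clear-text sessions would be accepted"; status=1 ;;
        *)    echo "TLSRequired $required: not one of the values this howto uses (on, auth)" ;;
    esac

    proto=$(tls_directive "$conf" TLSProtocol)
    case "$proto" in
        SSLv23) echo "TLSProtocol SSLv23: SSLv3 and TLSv1 both enabled (SSLv3 is obsolete; prefer a TLS-only setting)" ;;
        "")     echo "TLSProtocol not set" ;;
        *)      echo "TLSProtocol $proto" ;;
    esac

    crt=$(tls_directive "$conf" TLSRSACertificateFile)
    key=$(tls_directive "$conf" TLSRSACertificateKeyFile)
    [ -n "$crt" ] || { echo "TLSRSACertificateFile missing"; status=1; }
    [ -n "$key" ] || { echo "TLSRSACertificateKeyFile missing"; status=1; }
    return "$status"
}

# Confirm the certificate and key on disk belong together by comparing the
# public key embedded in each. Returns 0 if they match, 1 if not, and 2 when
# the files (or openssl) are not available so the check had to be skipped.
check_tls_keypair() {
    crt="$1"; key="$2"
    command -v openssl >/dev/null 2>&1 || return 2
    [ -r "$crt" ] && [ -r "$key" ] || return 2
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$crt_pub" = "$key_pub" ]
}

# Constructed sample config mirroring the howto's global section.
write_sample_conf() {
    cat > "$1" <<'EOF'
<Global>
  TLSEngine on
  TLSLog /var/log/proftpd/tls.log
  TLSProtocol SSLv23
  TLSRequired on
  TLSVerifyClient off
  TLSOptions NoCertRequest
  TLSRSACertificateFile /etc/ssl/certs/proftpd.crt.pem
  TLSRSACertificateKeyFile /etc/ssl/certs/proftpd.key.pem
</Global>
EOF
}

# Demo on the constructed config. On a machine without the howto's
# certificate files the key-pair check reports itself as skipped.
demo_conf=$(mktemp)
write_sample_conf "$demo_conf"
check_tls_directives "$demo_conf"
check_tls_keypair "$(tls_directive "$demo_conf" TLSRSACertificateFile)" \
                  "$(tls_directive "$demo_conf" TLSRSACertificateKeyFile)"
case $? in
    0) echo "certificate and key match" ;;
    2) echo "key-pair check skipped: files or openssl not available" ;;
    *) echo "certificate and key do NOT match" ;;
esac
rm -f "$demo_conf"
```

To check the real file instead of the sample, call `check_tls_directives /etc/proftpd/proftpd.conf` and `check_tls_keypair` with the two paths it reports; a mismatched pair is the usual reason proftpd refuses to start after the certificate is regenerated.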
Fire up proftpd
/etc/init.d/proftpd start
Connect with a client that supports FTPS, and remember to use explicit FTPS, not implicit FTPS. There are clients that support both, but implicit FTPS is deprecated and no longer used.
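To confirm from the outside that the server really offers explicit FTPS (AUTH TLS on the plain control connection) and to see which protocol and cipher it negotiates, you can let openssl perform the STARTTLS step that an FTPS client would. The script below is an added example and not part of the original howto; `openssl s_client -starttls ftp` is a real OpenSSL option, while the host name ftp.example.test and the sample output it summarises are constructed. Because the certificate created above is self-signed, a verify return code of 18 is the expected result here, and it is exactly what FTPS clients will warn about on first connection.

```shell
#!/bin/sh
# Added example (not part of the original howto): probe a server for explicit
# FTPS the way a client does (AUTH TLS on the plain control connection) and
# summarise what openssl s_client reports. Host/port and the sample output
# below are constructed for the demo.

# Run the probe against a live server; prints the raw s_client output.
probe_explicit_ftps() {
    # $1 = host, $2 = control port (21 by default; 20 if you moved it as the howto suggests)
    openssl s_client -starttls ftp -connect "$1:${2:-21}" </dev/null 2>&1
}

# Pull the three lines a practitioner looks at out of s_client output read on
# stdin: negotiated protocol, cipher, and the certificate verify result.
summarise_probe() {
    awk -F': *' '
        $1 ~ /^ *Protocol *$/ { proto = $2 }
        $1 ~ /^ *Cipher *$/   { cipher = $2 }
        /^Verify return code/ { sub(/^Verify return code: */, ""); verify = $0 }
        END { printf "protocol=%s cipher=%s verify=%s\n", proto, cipher, verify }
    '
}

# Decide whether the summary looks like a working explicit-FTPS endpoint: a
# TLS protocol was negotiated and the certificate either verified (0) or is
# the self-signed one the howto creates (18). Returns 0 when OK, 1 otherwise.
probe_ok() {
    summary="$1"
    case "$summary" in
        protocol=TLS*) ;;
        *) return 1 ;;
    esac
    case "$summary" in
        *"verify=0 "*|*"verify=18 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample of what s_client prints against the howto's self-signed
# setup (trimmed to the relevant lines).
sample_output='CONNECTED(00000003)
depth=0 CN = ftp.example.test
verify error:num=18:self signed certificate
---
New, TLSv1, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
Verify return code: 18 (self signed certificate)
---'

# Summarise the constructed sample (used by the demo and the checks below).
summarise_sample() {
    printf '%s\n' "$sample_output" | summarise_probe
}

# Demo: against a live server you would run
#   probe_explicit_ftps ftp.example.test 21 | summarise_probe
summary=$(summarise_sample)
echo "$summary"
if probe_ok "$summary"; then
    echo "explicit FTPS looks usable (self-signed cert: clients will show a warning)"
else
    echo "explicit FTPS probe failed"
fi
```

If the probe reports no Protocol line at all, the server never answered AUTH TLS; check that the TLS directives landed in the right vhost and that mod_tls is loaded before suspecting the firewall.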
If it does not work
Is the server behind a Firewall?
Does it work if you disabled TLS?
Is the firewall FTP-aware (it listens on port 21 for the PORT command and automagically opens ports for the data channel)?
If so, once we encrypt the control channel the firewall can no longer see the PORT command, and it won't work.
Easy solution: use active mode on the client.
Port 21 is used for the control channel, and in active mode control channel+1 is used for the data channel, so in this case port 22.
Port 22 is also used for SSH, so it is a bad thing to block that port with FTP. But port 20, the old telnet port, at least I don't use it for anything, so specify in proftpd.conf that we want it to listen on port 20 instead of 21.
The line should look like this:
Port 20
Now try to connect to port 20 in active mode and it should work fine.
However, there is another solution.
If we enter auth as the value for TLSRequired, only the authentication part of the control channel will be encrypted, not the rest. This gives the firewall a chance to look for the PORT command.
--Alphacube 16:31, 23 January 2008 (UTC)
