Koozali.org: home of the SME Server

ProFTPd + TLS

Jáder
« on: June 19, 2019, 03:37:09 AM »
I need to have FTP... it's not an option, it's an order from my boss. :(
I'll open FTP just to a fixed IP partner... so it's less than HORRIBLE!

I'd like to use ProFTPd with TLS... can it be done?

Regards

Jáder
...

Jáder
Re: ProFTPd + TLS
« Reply #1 on: June 19, 2019, 11:07:40 AM »
I'd like to use ProFTPd with TLS... can it be done?

I've found this URL: https://www.tecmint.com/enable-ssl-on-proftpd-in-centos/

and created a fragment like:
Code:
[root@lobo proftpd.conf]# cat tls.conf
<IfModule mod_tls.c>
TLSEngine                               on
TLSLog                                  /var/log/proftpd/tls.log
TLSProtocol                             SSLv23

#TLSRSACertificateFile                   /etc/ssl/certs/proftpd.crt
TLSRSACertificateFile /home/e-smith/ssl.crt/<FQDN>.crt

#TLSRSACertificateKeyFile                /etc/ssl/private/proftpd.key
TLSRSACertificateKeyFile /home/e-smith/ssl.key/<FQDN>.key

#TLSCACertificateFile                                     /etc/ssl/certs/CA.pem
TLSOptions                      NoCertRequest EnableDiags NoSessionReuseRequired
TLSVerifyClient                         off
TLSRequired                             on
TLSRenegotiate                          required on
</IfModule>

on /etc/proftpd/enabled_modules directories as instructed. (Note: this directory was created with -p because it did not exist before.)
I used the same cert as for the HTTP site (copied the path from httpd.conf)

But I'm not sure if this is right or if I miss something obvious because it's not working yet :)
...
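
An audit of the fragment posted above, as an added example that is not part of the original thread or of ProFTPD: a small Python check (the helper names `parse` and `audit` are hypothetical) that reads a mod_tls block and reports settings worth reviewing. The sample input is constructed from the posted directives (abridged), and treating `SSLv23` through `TLSv1.1` as legacy is this example's own policy.

```python
# Constructed sample: directives from the fragment posted above (abridged).
SAMPLE = """\
<IfModule mod_tls.c>
TLSEngine on
TLSProtocol SSLv23
#TLSRSACertificateFile /etc/ssl/certs/proftpd.crt
TLSRSACertificateFile /home/e-smith/ssl.crt/<FQDN>.crt
TLSRSACertificateKeyFile /home/e-smith/ssl.key/<FQDN>.key
TLSOptions NoCertRequest EnableDiags NoSessionReuseRequired
TLSRequired on
</IfModule>
"""

# This example's own policy (an assumption): versions treated as legacy.
LEGACY = {"sslv23", "sslv3", "tlsv1", "tlsv1.1"}

def parse(text):
    """Return {directive: [args]} for active lines inside <IfModule mod_tls.c>."""
    conf, inside = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # commented-out lines become empty
        low = line.lower()
        if low.startswith("<ifmodule") and "mod_tls.c" in low:
            inside = True
        elif low.startswith("</ifmodule"):
            inside = False
        elif inside and line:
            name, *args = line.split()
            conf[name.lower()] = args
    return conf

def audit(text):
    """Return a list of findings for a mod_tls block (hypothetical helper)."""
    c, out = parse(text), []
    if c.get("tlsengine") != ["on"]:
        out.append("TLSEngine is not on: mod_tls is inactive")
    if c.get("tlsrequired") != ["on"]:
        out.append("TLSRequired is not on: cleartext control or data connections may be accepted")
    if not c.get("tlsrsacertificatefile") or not c.get("tlsrsacertificatekeyfile"):
        out.append("certificate or key file directive missing")
    legacy = LEGACY & {p.lower() for p in c.get("tlsprotocol", [])}
    if legacy:
        out.append("TLSProtocol allows legacy versions: " + " ".join(sorted(legacy)))
    opts = {o.lower() for o in c.get("tlsoptions", [])}
    if "nosessionreuserequired" in opts:
        out.append("NoSessionReuseRequired: data connections need not reuse the control TLS session")
    if "enablediags" in opts:
        out.append("EnableDiags: verbose handshake diagnostics, disable after debugging")
    return out
```

Calling `audit(SAMPLE)` returns three findings for the posted settings; none of them by itself explains a server that does not start, so the TLSLog file is still the first place to look.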

ReetP
Re: ProFTPd + TLS
« Reply #2 on: June 21, 2019, 11:36:01 AM »
Quote
I need to have FTP... it's not an option, it's an order from my boss

Have you not printed this out from that web page in big letters and shown him?

"FTP protocol was designed as an insecure protocol and all data and passwords are transferred in plain text, making the job of a third party very easy to intercept all FTP client-server transactions, especially usernames and passwords used in authentication process."

Tell him from me he is an idiot.

Ask if he would leave the keys to his house in the front door, or in his nice shiny car.

Show him my comments.....

Use SCP - WinSCP works fine on Windows I believe.

Or put ftp in private mode and make him use a VPN.

Quote
I used same cert as for HTTP site (copy path from httpd.conf)

No idea but I would follow their setup to start with. Test it with created openssl certs first. You can change them later.

Quote
But I'm not sure if this is right or if I miss something obvious because it's not working yet :)

Check the logs - what do they tell you?

If you get it to work I guess we can template it and maybe add it to the ftp module.
...