How to configure FTP server to support SSL/TLS?


(0 comments)

Full documentation to configure FTP server with proftpd is provided at http://www.proftpd.org. Here we confirm the configuration in practice.
In addition to the default configuration in Omarine, you add the configuration directives below.
First, load the mod_tls module



<IfModule mod_dso.c>
LoadModule mod_tls.c
</IfModule>


Then add the section <IfModule mod_tls.c>. The directives for the configuration have comments attached to explain:



<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/ftpd/tls.log

# Support both SSLv3 and TLSv1
TLSProtocol SSLv3 TLSv1

# We don't require clients to use FTP over TLS
TLSRequired off

# Server's RSA certificate, assume your server certificate file is server-cert.pem
# and the certificate's private key file is server-key.pem
TLSRSACertificateFile /etc/ftpd/server-cert.pem
TLSRSACertificateKeyFile /etc/ftpd/server-key.pem

# CA certificate file of the server, assume server.ca-bundle
TLSCACertificateFile /etc/ftpd/server.ca-bundle

# Do not authenticate clients over TLS
TLSVerifyClient off

# Do not force SSL/TLS renegotiations
TLSRenegotiate none

# Relax the requirement that the SSL session be reused for data transfers
TLSOptions NoSessionReuseRequired

</IfModule>

Which client works with the FTP server over TLS?
FileZilla is one of the most suitable clients. You can use the binary version or build it from source for use in Omarine. I am also using FileZilla.


Configuring the log
This is a supplement to the proftpd configuration in general. We often want to record anonymous activities. You add the following directive to the section <Anonymous ~ ftp>:


ExtendedLog /var/log/ftp.log read, write


Below is an example of the content being logged



Currently unrated

Comments

There are currently no comments

New Comment

required

required (not published)

optional

required