How to configure FTP server to support SSL/TLS?

Full documentation to configure FTP server with proftpd is provided at http://www.proftpd.org. Here we confirm the configuration in practice.
In addition to the default configuration in Omarine, you add the configuration directives below.
First, load the mod_tls module

<IfModule mod_dso.c>
    LoadModule mod_tls.c
</IfModule>

Then add the section <IfModule mod_tls.c>. The directives for the configuration have comments attached to explain:

<IfModule mod_tls.c>
    TLSEngine on
    TLSLog /var/ftpd/tls.log

    # Support both SSLv3 and TLSv1
    TLSProtocol SSLv3 TLSv1

    # We don't require clients to use FTP over TLS
    TLSRequired off

    # Server's RSA certificate, assume your server certificate file is server-cert.pem
    # and the certificate's private key file is server-key.pem
    TLSRSACertificateFile /etc/ftpd/server-cert.pem
    TLSRSACertificateKeyFile /etc/ftpd/server-key.pem

    # CA certificate file of the server, assume server.ca-bundle
    TLSCACertificateFile /etc/ftpd/server.ca-bundle

    # Do not authenticate clients over TLS
    TLSVerifyClient off

    # Do not force SSL/TLS renegotiations
    TLSRenegotiate none

    # Relax the requirement that the SSL session be reused for data transfers
    TLSOptions NoSessionReuseRequired

</IfModule>

Which client works with the FTP server over TLS?
FileZilla is one of the most suitable clients. You can use the binary version or build it from source for use in Omarine. I am also using FileZilla.

Configuring the log
This is a supplement to the proftpd configuration in general. We often want to record anonymous activities. You add the following directive to the section <Anonymous ~ ftp>:

ExtendedLog /var/log/ftp.log read, write

Below is an example of the content being logged

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.