ProFTPd with TLS/SSL ?

kilgore
Forum User
Posts: 53
Joined: Sat Dec 04, 2004 4:37 am

Dear,

Do you know if it's possible to use SSL/TLS with ProFTPd-psa?

Best regards,

Kilgore
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Yep, you can do it, here's the HOWTO:
http://www.castaglia.org/proftpd/doc/co ... O-TLS.html
kilgore
Forum User
Posts: 53
Joined: Sat Dec 04, 2004 4:37 am

Thanks for your help, just a few questions:

- have you already tried this on a PSA server?
- is FTP still available on port 21 without SSL/TLS support? (only a few of my customers want to use FTP over SSL/TLS)

Best regards,

Kilgore
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Nope, I use scp or rsync
kilgore
Forum User
Posts: 53
Joined: Sat Dec 04, 2004 4:37 am

Well, I also use SCP and RSync, but I'm sure you can understand that I don't want to provide shell access to my users so they can do SCP ;)

I'm waiting for a test machine to test SSL/TLS on ProFTPd. Dell is quite slow this time...

Regards,

Kilgore
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Plus I'm sure your clients aren't running an OS that could use scp or rsync anyway
NVarra
Forum User
Posts: 6
Joined: Tue Dec 07, 2004 10:19 pm
Location: BC, Canada

I've been fighting to get the proftpd.spec & mod_quota patch from SW-Soft for over a month now to do just this...

The final reply was the following:
Dear Shaun,

we've got the answer from the development team. They decided to enable mod_tls in proftpd by themselves. This feature will be included into the nearest Plesk build 7.5.2 that should be released in some days soon. Please watch our website for an announcement about new patches.
Still not what I was after, but it's better than nothing I suppose.
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

I probably wouldn't hold my breath for a .spec file; patches with GPL code, on the other hand, are a different story.
Fenice
Forum User
Posts: 37
Joined: Thu Nov 23, 2006 5:36 pm

Sorry to bump an old thread, but this is the same problem I am facing these days.

Proftpd over SSL can be configured easily in Plesk. The problem is that the version of Proftpd shipping with Plesk is unable to support SSL connection only on the auth phase in the control channel using the CCC command (you can read about this in the link scott gave for proftpd). This was added in more recent versions of ProFTPd.

If you are using FTP over SSL, without the CCC, since ip_conntrack_ftp is obviously unable to retrieve the passive port number in the control channel connection (because all info on the control channel is encrypted), you have to leave a whole black hole of always open ports in your firewall for passive connections. Without SSL, you can just leave the control channel open, and the passive ports will be opened dynamically.

So, one could just install ProFTPd from one of the packages available, but the problem is that ProFTPd for Plesk comes compiled with a custom module, mod_quota, written by SWSoft to work with Plesk. I tried asking them, but I was unable to know what exactly this module does that the standard mod_quota module is unable to do.

Is there some way to go around this without breaking Plesk, or without switching from FTP to another protocol?
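
Added example, not part of the thread: a simplified Python model (not the kernel module's code) of the reply parsing a helper like ip_conntrack_ftp depends on, run over constructed plaintext replies and a constructed stand-in for a TLS record. The addresses, ports and the 50000-50100 range are assumptions chosen for illustration.

```python
import re

# Reply formats a plaintext-sniffing helper looks for on the control channel:
# 227 (PASV, RFC 959) and 229 (EPSV, RFC 2428).
PASV_RE = re.compile(rb"227 [^(]*\(" + rb",".join([rb"(\d{1,3})"] * 6) + rb"\)")
EPSV_RE = re.compile(rb"229 [^(]*\(\|\|\|(\d{1,5})\|\)")

# Constructed sample segments (server -> client), not captured traffic.
PLAIN_PASV = b"227 Entering Passive Mode (192,0,2,10,195,80).\r\n"
PLAIN_EPSV = b"229 Entering Extended Passive Mode (|||50001|)\r\n"
# TLS application-data record header (type 0x17) plus 32 stand-in "ciphertext" bytes.
TLS_RECORD = b"\x17\x03\x01\x00\x20" + bytes(range(0x80, 0xA0))


def passive_port(segment: bytes):
    """Return the data port announced in a control-channel segment, else None."""
    for line in segment.split(b"\r\n"):
        m = PASV_RE.match(line)
        if m:
            h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
            if max(h1, h2, h3, h4, p1, p2) <= 255:
                return p1 * 256 + p2  # port is sent as two decimal octets
        m = EPSV_RE.match(line)
        if m and 0 < int(m.group(1)) <= 65535:
            return int(m.group(1))
    return None


def ports_to_allow(segments, static_range):
    """Inbound data ports the firewall must accept for these sessions.

    static_range is a hypothetical (low, high) pair that would have to match
    the server's PassivePorts setting when nothing can be read off the wire.
    """
    seen = sorted({p for p in map(passive_port, segments) if p is not None})
    if seen:
        return seen  # opened on demand, only what the server announced
    low, high = static_range
    return list(range(low, high + 1))  # blind: the whole range stays open


if __name__ == "__main__":
    print(ports_to_allow([PLAIN_PASV, PLAIN_EPSV], (50000, 50100)))
    print(len(ports_to_allow([TLS_RECORD], (50000, 50100))), "ports left open")
```
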
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

Which version of ProFTPd does support this then? Plesk 8 and 8.1 come with ProFTPd 1.3.0.
Lemonbit Internet Dedicated Server Management
Fenice
Forum User
Posts: 37
Joined: Thu Nov 23, 2006 5:36 pm

I think ProFTPd should support it from version 1.3.0, and this makes lack of support in the version shipped with Plesk 8.1 (which as you said should be 1.3.0) for the CCC command strange.

Anyhow, when I try to add TLSRequired auth+data in the config file in place of TLSRequired on, I get a syntax error.

My guess is SwSoft compiled proftpd with an older version of mod_tls. Which makes it impossible for us to recompile proftpd, since we lack SwSoft's quota module (on a note, the latest release of ProFTPd includes a new mod_quota module).