# enable mod_tls with proftpd

## DuF

I'm trying to configure my proftpd server to use SSL/TLS for authentication and data transfer, but I haven't found any how-to for this, and the documentation on proftpd.org is really basic!

I think I need to generate a self-signed certificate, but I don't know the best way to do this.

If someone has experience or knows a good link for configuring proftpd with mod_tls...

The following is what I tried (with TLS client-certificate verification disabled...):

```
<VirtualHost duf.domainname.com>
 # "My virtual FTP server"
 ServerName                     "Mon serveur FTP virtuel"
 Port                           10000
 MaxClients                     2
 MaxClientsPerHost              1
 DefaultRoot                    ~
 # "Welcome %u to the DuF virtual server"
 AccessGrantMsg                 "Bienvenue %u sur le serveur virtuel du DuF"
 TLSEngine                      on
 TLSRequired                    on
 # TLSTimeoutHandshake          200
 TLSOptions                     NoCertRequest
 TLSVerifyClient                off
 <Limit LOGIN>
  AllowUser                     test_ssl
  DenyAll
 </Limit>
</VirtualHost>
```

I think I need to follow what is described here to generate my self-signed certificates: http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/index.html

But I'm not able to work out what I really need!

----------

## DuF

UPDATE:

If I try to connect with SSL in my FTP client, in my log I only have a session opened, no error....

But now I can connect to my FTP, only without SSL:

```
03:44 [duf-ssl]: logging in
03:44 [duf-ssl]: server doesnt support AUTH TLS.
```

Any suggestions or ideas are welcome!

----------

## DuF

Please, does anyone have information, tutorials, or links about it?

----------

## xpunkrockryanx

This site seems to be a good starting point for the directives you'll want in your config file to get mod_tls support working in proftpd:

http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html

I'm still reading up on OpenSSL to figure out exactly what I need to do to generate a self-signed certificate. I'll post here again when/if I get that done.

-ryan

----------

## xpunkrockryanx

Well... I've found out that generating certificates and handling them is fairly complex, and it would be redundant for me to try to explain everything here. Here's some reading I'd recommend:

Create a self-signed certificate:

http://www.sial.org/howto/openssl/self-signed/

Brief how-to for creating an SSL key and certificate signing request (CSR):

http://slacksite.com/apache/certificate.html

More thorough help on setting up a CA, signing certs, creating keys, managing them, etc. (recommended):

http://en.tldp.org/HOWTO/SSL-Certificates-HOWTO/index.html

Brief proftpd.conf mod_tls example and help:

http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html

Hope that helps! After spending an afternoon reading about all this, I was able to get my own CA working, generated a cert and signed it, and I can distribute the CA cert so that people can install it easily from their browser. proftpd works great with it too.

-ryan

----------

## Paulten

What client did you use to connect?

I tried with lftp, but it looks like it tries to communicate with SSLv3, which I don't think proftpd supports.

Here is my output with lftp:

```
lftp -u paul localhost
Password:
lftp paul@localhost:~> ls
ls: Fatal error: SSL connect: sslv3 alert handshake failure
```

From the TLS log:

```
Oct 14 15:10:46 mod_tls/2.0.6[6520]: using default OpenSSL verification locations (see $SSL_CERT_DIR)
Oct 14 15:10:46 mod_tls/2.0.6[6520]: TLS/TLS-C requested, starting TLS handshake
Oct 14 15:10:46 mod_tls/2.0.6[6520]: unable to accept TLS connection: error:00000001:lib(0):func(0):reason(1)
Oct 14 15:10:46 mod_tls/2.0.6[6520]: TLS/TLS-C negotiation failed on control channel
```

Using the ftp client with SSL:

```
bash-2.05b# ftp -z ssl localhost
Connected to localhost.
220 ProFTPD 1.2.9rc2 Server (I am intraHouse) [gentoo.intrahouse.no]
Name (localhost:paul): proftpd
234 AUTH SSL successful
421 Service not available, remote server has closed connection
Login failed.
No control connection for command: Transport endpoint is not connected
```

Log:

```
Oct 14 15:14:14 mod_tls/2.0.6[6550]: SSL/TLS-P requested, starting TLS handshake
Oct 14 15:14:14 mod_tls/2.0.6[6550]: unable to accept TLS connection: error:00000001:lib(0):func(0):reason(1)
Oct 14 15:14:14 mod_tls/2.0.6[6550]: SSL/TLS-P negotiation failed on control channel
```

From proftpd.conf:

```
TLSEngine                      on
TLSLog                         /var/log/proftpdtls.log
TLSRequired                    on
#TLSTimeoutHandshake           200
TLSOptions                     NoCertRequest
AccessGrantMsg                 "Welcome"
TLSProtocol                    TLSv1
TLSVerifyClient                off
```

Suggestions ?

Thanks
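Added example (editor's, not part of Paulten's post): when a client only reports "handshake failure", the quickest way to see what the server actually negotiated is to probe it with `openssl s_client -starttls ftp`, which sends `AUTH TLS` itself and then prints the protocol, cipher, certificate chain and verification result. The host, port and CA file path are assumptions for illustration; the transcripts in the test are constructed, not captured from a real server.

```sh
#!/bin/sh
# Client-side check for explicit FTP-over-TLS (AUTH TLS) with openssl s_client.
# Added example; host, port and CA file are placeholders, not from the thread.

# ftps_probe HOST PORT CAFILE: print the raw s_client transcript. s_client
# performs the AUTH TLS upgrade on its own; -CAfile lets it verify the server
# certificate against your private root CA instead of the system store.
ftps_probe() {
    # </dev/null: exit right after the handshake instead of waiting for input.
    openssl s_client -connect "$1:$2" -starttls ftp -servername "$1" \
        -CAfile "$3" </dev/null 2>&1
}

# tls_summary: reduce an s_client transcript on stdin to one line:
#   protocol=<ver> cipher=<suite> verify=<code> peer_cert=<yes|no>
# verify=0 means the chain validated against -CAfile; 19 is "self signed
# certificate in certificate chain" (the CA was not supplied). On a failed
# handshake s_client prints no "Certificate chain" section and Cipher 0000,
# so peer_cert=no is the tell-tale even though verify may still read 0.
tls_summary() {
    awk '
        BEGIN { proto = "none"; cipher = "none"; code = "none"; peer = "no" }
        /^Certificate chain/       { peer = "yes" }
        /^ *Protocol *: /          { proto = $3 }
        /^ *Cipher *: /            { cipher = $3 }
        /^Verify return code: /    { code = $4 }
        END { printf "protocol=%s cipher=%s verify=%s peer_cert=%s\n",
                     proto, cipher, code, peer }'
}

# tls_verdict SUMMARY: succeed only when a certificate was presented, the
# chain verified, and TLS 1.2 or 1.3 was negotiated (TLSv1/1.1 are rejected).
tls_verdict() {
    case $1 in *"peer_cert=yes"*) ;; *) return 1 ;; esac
    case $1 in *"verify=0 "*)     ;; *) return 1 ;; esac
    case $1 in
        *"protocol=TLSv1.2 "*|*"protocol=TLSv1.3 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# tls_ok HOST PORT CAFILE: the live check, combining the helpers above.
tls_ok() {
    tls_verdict "$(ftps_probe "$1" "$2" "$3" | tls_summary)"
}

# Usage: sh ftps-probe.sh ftp.example.org 21 /etc/proftpd/root-ca.crt
if [ "$#" -eq 3 ]; then
    summary=$(ftps_probe "$1" "$2" "$3" | tls_summary)
    echo "$summary"
    tls_verdict "$summary" && echo "OK" || echo "FAIL"
fi
```

Run it against the server while watching `TLSLog`: the server-side line ("negotiation failed on control channel", as in the logs above) and the client-side summary together usually pin down whether the problem is the certificate, the protocol version, or the client.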

----------

## Paulten

Update, with:

```
TLSProtocol                     SSLv23
```

```
lftp paul@gentoo.domain.no:~> ls
ls: Fatal error: SSL connect: sslv3 alert handshake failure
```

Log:

```
Oct 15 11:02:48 mod_tls/2.0.6[12038]: using default OpenSSL verification locations (see $SSL_CERT_DIR)
Oct 15 11:02:48 mod_tls/2.0.6[12038]: TLS/TLS-C requested, starting TLS handshake
Oct 15 11:02:48 mod_tls/2.0.6[12038]: unable to accept TLS connection: error:00000001:lib(0):func(0):reason(1)
Oct 15 11:02:48 mod_tls/2.0.6[12038]: TLS/TLS-C negotiation failed on control channel
```

----------

## Alrua

Did you ever find a solution to this problem?

I seem to be having the same problem when setting up proftpd to use TLS...

----------

## Duhovej_Vil

mod_tls with proftpd mini-HOWTO

To have proftpd with mod_tls compiled in,

```
USE="ssl" emerge proftpd
```

should be enough.

Get cert-tool from http://www.castaglia.org/openssl/contrib/cert-tool. In what follows, we assume that cert-tool is located in the directory /usr/local/cert-tool/. Some minor modifications have to be made to the script: correct the variables $openssl and $c_rehash (at the beginning of the script) to match your system.

cd into the proftpd configuration dir:

```
cd /etc/proftpd/
```

Create the certification authority (CA):

```
/usr/local/cert-tool/cert-tool --create-ca=root-ca --signing-ca=self --combined
```

Create the server certificate:

```
/usr/local/cert-tool/cert-tool --create-cert=server --signing-ca=root-ca.pem --signing-key=root-ca.pem --combined
```

Note 1: I answered all the questions here (if I just pressed enter, the script failed; maybe not all of the questions need to be answered). If something does not work, try running the script with the --verbose option.

Note 2: If you cannot generate the certificate, try entering a different dNSName.

Modify the proftpd conf file:

```
  <IfModule mod_tls.c>
    TLSEngine on
    TLSLog /var/log/proftpd/tls.log
    TLSProtocol TLSv1

    # Are clients required to use FTP over TLS when talking to this server?
    TLSRequired off

    # Server's certificate
    TLSRSACertificateFile /etc/proftpd/server.pem
    TLSRSACertificateKeyFile /etc/proftpd/server.pem

    # CA the server trusts
    TLSCACertificateFile /etc/proftpd/root-ca.pem

    # Authenticate clients that want to use FTP over TLS?
    TLSVerifyClient off
  </IfModule>
```

Restart proftpd:

```
/etc/init.d/proftpd restart
```

Note 1: This worked for me. There may be some problems, but I don't know about them.

Note 2: I am not a security expert. I believe this is secure. The following log from lftp (after the debug command) shows that TLS is used.

```
lftp localhost:~> debug
lftp localhost:~> user testuser
Password:
lftp testuser@localhost:~> ls
---- Connecting to localhost (127.0.0.1) port 21
<--- 220 ProFTPD 1.2.9 Server
---> AUTH TLS
<--- 234 AUTH TLS successful
Certificate depth: 1; subject: /CN=root-ca/C=US/ST=Washington/L=Seattle/O=Castaglia/OU=Castaglia Research and Development/OU=TJ Saunders/emailAddress=tj@castaglia.org; issuer: /CN=root-ca/C=US/ST=Washington/L=Seattle/O=Castaglia/OU=Castaglia Research and Development/OU=TJ Saunders/emailAddress=tj@castaglia.org
WARNING: Certificate verification: self signed certificate in certificate chain
Certificate depth: 0; subject: /CN=server/C=US/emailAddress=tj@castaglia.org/O=Castaglia/OU=Castaglia Research and Development/OU=TJ Saunders/ST=Washington; issuer: /CN=root-ca/C=US/ST=Washington/L=Seattle/O=Castaglia/OU=Castaglia Research and Development/OU=TJ Saunders/emailAddress=tj@castaglia.org
---> USER testuser
<--- 331 Password required for testuser.
---> PASS XXXX
<--- 230 User testuser logged in.
---> PWD
<--- 257 "/home/testuser" is current directory.
---> PBSZ 0
<--- 200 PBSZ 0 successful
---> PROT P
<--- 200 Protection set to Private
---> PRET LIST
<--- 500 PRET not understood
---> PASV
<--- 227 Entering Passive Mode (127,0,0,1,133,237).
---- Connecting data socket to (127.0.0.1) port 34285
---> LIST
<--- 150 Opening ASCII mode data connection for file list
...
---- Closing data socket
<--- 226 Transfer complete.
```

Documents used:

http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html

http://www.openssl.org/docs/HOWTO/certificates.txt
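Added example (editor's, not from Duhovej_Vil's post and not the cert-tool script): the same CA plus server certificate can be produced with plain openssl(1), which is what most people have at hand today. It writes the files in the layout the config above expects (`server.pem` holding key and certificate, so both `TLSRSACertificateFile` and `TLSRSACertificateKeyFile` can point at it) and then verifies the result the way a client would. The target directory, host name, key sizes and lifetimes are assumptions; change them to suit. One deliberate difference from the post: the CA private key goes into its own file, `root-ca.key`, because proftpd only ever needs the CA certificate (`root-ca.crt`) for `TLSCACertificateFile`.

```sh
#!/bin/sh
# Private root CA + mod_tls server certificate with plain openssl(1).
# Added example; directory, FQDN, key sizes and lifetimes are placeholders.
# Works with OpenSSL 1.1.x and 3.x; private config files keep it independent
# of whatever the system openssl.cnf contains.

# make_ftp_certs DIR FQDN -> writes root-ca.key, root-ca.crt, server.key,
# server.crt and server.pem into DIR. The body runs in a subshell so the
# umask and variables stay local; "exit 1" there only leaves the subshell.
make_ftp_certs() (
    dir=$1; fqdn=$2
    mkdir -p "$dir" || exit 1
    umask 077   # every new file is born 0600; public parts are relaxed below

    # 1. Self-signed root CA, constrained to certificate signing only.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
prompt             = no
distinguished_name = dn
x509_extensions    = ca_ext
[dn]
CN = root-ca
[ca_ext]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:4096 -nodes -sha256 \
        -days 3650 -keyout "$dir/root-ca.key" -out "$dir/root-ca.crt" || exit 1

    # 2. Server key and CSR. Modern clients ignore the CN for host matching;
    #    the name they check is the subjectAltName added in step 3.
    printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = %s\n' "$fqdn" \
        > "$dir/server.cnf"
    openssl req -new -config "$dir/server.cnf" -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/server.key" -out "$dir/server.csr" || exit 1

    # 3. Sign the CSR with the CA, attaching leaf-only extensions. The
    #    DNS entry is the "dNSName" cert-tool asks about.
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$fqdn" \
        > "$dir/server.ext"
    openssl x509 -req -sha256 -days 825 -in "$dir/server.csr" \
        -CA "$dir/root-ca.crt" -CAkey "$dir/root-ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" || exit 1

    # 4. Combined PEM for the TLSRSACertificate* directives, then tidy up.
    cat "$dir/server.key" "$dir/server.crt" > "$dir/server.pem" || exit 1
    chmod 644 "$dir/root-ca.crt" "$dir/server.crt"   # certificates are public
    rm -f "$dir/ca.cnf" "$dir/server.cnf" "$dir/server.csr" "$dir/server.ext"
)

# verify_ftp_certs DIR FQDN -> 0 if server.crt chains to root-ca.crt and
# carries FQDN as a DNS SAN, i.e. what a client with root-ca.crt installed
# will check before it trusts the server.
verify_ftp_certs() {
    openssl verify -CAfile "$1/root-ca.crt" "$1/server.crt" >/dev/null || return 1
    openssl x509 -in "$1/server.crt" -noout -text | grep -q "DNS:$2"
}

# Usage: sh make-ftp-certs.sh /etc/proftpd ftp.example.org
if [ "$#" -eq 2 ]; then
    make_ftp_certs "$1" "$2" && verify_ftp_certs "$1" "$2" \
        && echo "OK: certificates written to $1"
fi
```

Then set `TLSRSACertificateFile` and `TLSRSACertificateKeyFile` to `server.pem`, `TLSCACertificateFile` to `root-ca.crt`, and hand `root-ca.crt` to the clients so the "self signed certificate in certificate chain" warning in the lftp log above goes away. Two caveats on the config in the post, seen from today: `TLSProtocol TLSv1` pins a version current clients refuse, and recent mod_tls accepts `TLSProtocol TLSv1.2 TLSv1.3`; and with `TLSRequired off` a client that never sends `AUTH TLS` still logs in with a plaintext password, so switch it to `on` once the handshake works.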

----------

## Paulten

Sorry I did not reply when you asked if I got it working. Yes, I did.

Anyhow, Duhovej_Vil probably explained it better than I could have. Nice!

http://paul.tenfjord.net/proftpd/

I put my config files and other useful things at that location. Happy FTP'ing.

----------

