getting proftpd to work with TLS

Discussion in 'Server Operation' started by Ovidiu, Aug 4, 2006.

  1. Ovidiu

    Ovidiu Active Member

    hi there,

    I found several tutorials and the result is this:

    my proftpd.conf

    The remaining problem is that I get an error when trying to list the directories, meaning I can connect and see the basic structure but cannot double-click on any subfolders.

    I googled around, but all the posts I found on the net were talking about some firewall or NAT settings I am not concerned with, as they do not apply to my configuration. Without any encryption, just plain FTP, everything is OK.

    Any ideas? Does anyone use proftpd with TLS? Do the users have to have shell access to be able to do that?

    I made certificates, don't bother asking about that :)
    btw. I will post the exact error (it started with error code 425..) on Monday; I will go to a Fatboy Slim concert tonight and be on the way during the weekend - just posting in case anyone uses this configuration and can tell me how they did it.
    Last edited: Aug 4, 2006
  2. falko

    falko Super Moderator ISPConfig Developer

    I'm not quite sure, but I'd try this to see if it changes things...
    What's in /var/log/proftpd_tls.log?
  3. Ovidiu

    Ovidiu Active Member

    Users with and without shell - same result. The exact error is this:

    But I have another suspicion: I am trying to connect from home, being on an internal LAN connected to the outside through a router... does that change anything? It should not, as far as I understand, as I am not using passive FTP, and using FTP without any encryption, just plain FTP, works.


    It seems the error lies with me being behind a router at home:

    Last edited: Aug 6, 2006
  4. falko

    falko Super Moderator ISPConfig Developer

    Then it seems to be an issue with your router's firewall...
  5. Ovidiu

    Ovidiu Active Member

    Can anyone not behind a router, or able to log in to other FTP servers with TLS, spare 5 min and test if he can log in with FTP (TLS) into my server? I'll make a small test account and give out the data, so if you can spare 5 min send me a PM please.
  6. jimmy

    jimmy New Member

    :) Maybe I can help here. I used the Proftpd with MySQL howto from this site and added in TLS support after the fact. Adding in the TLS was the touchiest (and toughest) part for me and took a lot of experimentation to finally get it right; the idea was to run proftpd over TLS without having to change the default port and forcing our customers to switch to new FTP clients. This works perfectly with the FileZilla client (latest version) and CoreFTP, which both include built-in FTPS support. I'll post the pertinent information from my setup and try to include some tips on the snags I encountered along the way.
    # Uncomment this if you would use TLS module:
    TLSEngine                 on
    TLSProtocol               SSLv23
    TLSLog                    /var/log/proftpd/tls.log
    # Fixed port range for passive-mode data connections; allow this range through the firewall
    PassivePorts              60000 65535
    # Clients are required to use FTP over TLS when talking to this server
    # off  = clients can connect using insecure FTP or secure FTP/SSL
    # on   = clients can only connect using secure FTP/SSL
    # ctrl = SSL encryption on control channel only (encrypted username and passwords)
    # data = data channel only encryption (file transfer data encrypted)
    TLSRequired               on
    # Server's certificate
    TLSRSACertificateFile     /path/to/your/ssl.crt
    TLSRSACertificateKeyFile  /path/to/your/ssl.key
    # CA the server trusts
    TLSCACertificateFile      /path/to/your/ca.crt
    Make note of the PassivePorts directive: this makes proftpd use that port range for passive mode FTP connections, which is one of the keys to making this work. Make sure you allow that port range through your firewall. This works perfectly with the latest version of CoreFTP and FileZilla client.
    I found the following excerpt in the quote below to be most helpful concerning FTP behavior over TLS when coupled with firewalls; it can be found here

  7. Ovidiu

    Ovidiu Active Member

    Well, thx, that advice sounded good, but as a first try I tried stopping my firewall (on the server) and still no luck.

    I guess my problem is with my local setup, being behind a router.
    See these logs: being my laptop's IP in my local LAN, so I guess here is the problem.

    Or maybe it is here:

    This being an excerpt from the /var/log/proftpd_tls.log file during the time I tried connecting. You see the connection succeeded, but then the directory listing fails.

    So maybe someone not behind a router could test this for me?
  8. falko

    falko Super Moderator ISPConfig Developer

    I'm behind a router, but I can test anyway, if you want. Just pm me the login details.
  9. jimmy

    jimmy New Member

    You also might want to check and make sure you have passive mode FTP enabled in the client program. Sorry, I forgot to add the details for configuring the clients. If using FileZilla, try going to File > Site Manager and create an FTP site profile, specify "FTP over SSL (explicit encryption)", and under Edit > Settings > Firewall settings put a check in "limit local ports used by FileZilla" and match the port range to the port range of the proftpd PassivePorts directive; you can also enable passive mode transfers there as well.
  10. Ovidiu

    Ovidiu Active Member

    thx jimmy,

    I did not try everything you suggested, as I said: after disabling the firewall on the server it was still not working, so why bother complicating matters and trying passive mode?
    AND I am interested in using proftpd with TLS, not FTP over SSL, be it implicit or explicit.

    Is there somewhere a mistake in judgement I am making? Can someone see a flaw in the details I have posted in this thread? As far as I am concerned it should work.
  11. jimmy

    jimmy New Member

    This was simply the only workaround I found that worked, after a lot of hours of research, homework and banging my forehead on the desk, to make FTPS work well enough to run it on one of our production machines without issue (which it has been now for a few months). Mine didn't work without the passive mode setup as I described, with my firewall shut down either, until I used this setup. Now it works for me nice and firewalled by simply opening the necessary ports to allow a static port range to be available for passive FTP. Having looked at it more due to this thread, I see no reason one couldn't narrow it down to a single port rather than a range, though I haven't tested that theory. This simply worked well for me; if you find another way to make it work well, by all means do, and let me know what you find, I'm always game to learn new tricks :)
    By specifying TLSProtocol SSLv23 in your conf with proftpd mod_tls, you're specifying compatibility mode, which tells proftpd to use TLSv1 or SSLv3, whichever is available. Which is really six of one, half a dozen of the other if you're using OpenSSL, as TLS is simply the next generation of SSL and stems directly from it; you'll most likely have both available and may get either one with that directive set like that. So if you're wanting to use TLS only, excluding SSL, you would need to change TLSProtocol to TLSv1. For this particular application, thus far I've found from my testing of it that the SSL explicit encryption simply seems to work better and to be more performant for the transfers over the data channel, though I can connect and transfer setting the client for either TLS explicit or SSL explicit. This is what mine looks like using TLS explicit via FileZilla.
    Meaning it did exactly what it was meant to do and logged me in, transferred the file quickly and efficiently, and in the process not only did it encrypt the control channel (username/password combination) but also went the extra mile and encrypted the data channel (file transfer) as well. For some purposes encrypting the data channel might be overkill, and you could always set the TLSRequired directive to "ctrl" rather than "on" to make it only encrypt the control channel, though myself I wanted to tighten the FTP security as much as possible, which is why I went to these lengths to begin with rather than simply installing the proftpd with MySQL and calling it a day.
    This was what I've attempted to do in this thread; this was how I did it and did make it work. Again, if you find a better means to this end or another way of going about it, feel free to share it with me, as I'm always interested in improving my machines to the best of my ability and am always open to new methods to achieve those ends :)
  12. Ovidiu

    Ovidiu Active Member

    thx jimmy,
    I went over your suggestion again and found this:

    it all works if you just set your client to use passive mode, set a PassivePorts range for proftpd and open this range inside the firewall.

    If you do this you can use whatever you want, TLS, SSL, implicit or explicit transfer mode ;-)
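As an added example that is not part of the thread, a small Python check a server admin can run against the PassivePorts line of proftpd.conf and a PASV reply captured from the server, to confirm the advertised data-channel endpoint is inside the firewalled range and is not a private address (the condition that makes the directory listing fail with a 425 once the control channel is encrypted and the firewall can no longer read PORT/PASV). The conf fragment, the reply strings and the 203.0.113.10 address are constructed; MasqueradeAddress is proftpd's directive for a server behind NAT.

```python
import re
from ipaddress import ip_address

# Constructed sample: the relevant lines from a proftpd.conf like the one posted above
SAMPLE_CONF = """
TLSEngine on
PassivePorts 60000 65535
TLSRequired on
"""

# Constructed sample replies a client sees after sending PASV on the control channel
GOOD_REPLY = "227 Entering Passive Mode (203,0,113,10,234,96)"
BAD_REPLY = "227 Entering Passive Mode (192,168,1,20,4,10)"

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORTS_RE = re.compile(r"^\s*PassivePorts\s+(\d+)\s+(\d+)", re.MULTILINE)


def passive_ports_from_conf(conf):
    """Return the (low, high) range configured by the PassivePorts directive."""
    m = PORTS_RE.search(conf)
    if not m:
        raise ValueError("no PassivePorts directive: proftpd will pick random high ports")
    return int(m.group(1)), int(m.group(2))


def parse_pasv(reply):
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (ip, port)."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_pasv(reply, control_host, port_range):
    """List reasons the advertised data endpoint would make LIST fail (the 425 symptom)."""
    ip, port = parse_pasv(reply)
    problems = []
    lo, hi = port_range
    if not lo <= port <= hi:
        problems.append(f"port {port} is outside PassivePorts {lo}-{hi}; the firewall will drop it")
    if ip_address(ip).is_private and not ip_address(control_host).is_private:
        # Server behind NAT is advertising its LAN address; MasqueradeAddress fixes this
        problems.append(f"advertised private address {ip}; set MasqueradeAddress to the public IP")
    elif ip != control_host:
        problems.append(f"advertised {ip} but the control connection went to {control_host}")
    return problems
```

Run it with the range from `passive_ports_from_conf` and the control-connection address the client actually used; an empty list means the PASV endpoint is consistent with the firewall rule.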
