pure-ftpd SNI with letsencrypt?

Discussion in 'General' started by nhybgtvfr, Oct 28, 2020.

  1. nhybgtvfr

    nhybgtvfr Active Member

    i know, to date, the general recommendation to configure ftp is to use a single certificate, for the server's FQDN, and tell clients to use that for the host. obviously if a client tries using their own website domain to access ftp, it's ok for clear text, but will show cert warnings for TLS,
    which leads to lots of emails from clients asking about 'is it safe?', or 'what host do i use?' etc, or just going back to unencrypted ftp.
    i know some of you will suggest dropping ftp and just use ssh, but if clients struggle with ftp, they're not going to cope with ssh, especially since i would only allow key-based ssh access.

    however, i've found a document that suggests we can use SNI with pure-ftpd by using pure-certd. so i'm just asking here if anyone has actually managed to do this?
    if not, is it worth creating a feature request for it? if it can be made to work with ispconfig/letsencrypt i think it would make secure ftp a lot easier to set up and support whilst simultaneously reducing the amount of questions from clients, but not much point creating a feature request if i'm the only one who'd want it.

    i'm including the relevant part of the document below, the full link is here: https://download.pureftpd.org/pub/pure-ftpd/doc/README.TLS

     
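    The mechanism the post refers to, as an added illustration that is not code from this thread, from ISPConfig or from the pure-ftpd project: pure-certd runs an external handler for every TLS handshake, and the handler picks the certificate for the name the client sent. The protocol details below are taken from the linked README.TLS and should be treated as assumptions to check against your pure-ftpd version: the client's SNI hostname arrives in the CERTD_SNI_NAME environment variable, and the handler answers on stdout with `key:value` lines (`action`, `cert_file`, `key_file`) terminated by a line reading `end`. The Let's Encrypt directory layout, the default certificate path and the fallback behaviour are assumptions as well.

```shell
#!/bin/sh
# Added example: a minimal pure-certd handler that maps the SNI name a
# client presents to that site's Let's Encrypt certificate.
# Assumed protocol (per README.TLS): pure-ftpd sets CERTD_SNI_NAME and reads
# "key:value" lines from stdout, ending with "end".

LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live}"               # assumed certbot layout
DEFAULT_CERT="${DEFAULT_CERT:-/etc/ssl/private/pure-ftpd.pem}"  # assumed server-wide cert

# The SNI value is supplied by the remote client, so it must be validated
# before it is used to build a filesystem path: accept only a plain DNS
# hostname (letters, digits, dots, hyphens; no empty labels, no leading or
# trailing dot or hyphen, at most 253 characters).
valid_hostname() {
  case "$1" in
    ''|*[!A-Za-z0-9.-]*|.*|*.|*..*|-*) return 1 ;;
  esac
  [ "${#1}" -le 253 ]
}

# Print the pure-certd response for one SNI name. If no per-host certificate
# exists, fall back to the server-wide certificate so the client still gets
# TLS (with the usual name-mismatch warning) instead of a refused handshake.
cert_for_sni() {
  name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  if valid_hostname "$name" \
     && [ -r "$LE_LIVE/$name/fullchain.pem" ] \
     && [ -r "$LE_LIVE/$name/privkey.pem" ]; then
    printf 'action:allow\ncert_file:%s/%s/fullchain.pem\nkey_file:%s/%s/privkey.pem\nend\n' \
      "$LE_LIVE" "$name" "$LE_LIVE" "$name"
  else
    printf 'action:allow\ncert_file:%s\nkey_file:%s\nend\n' \
      "$DEFAULT_CERT" "$DEFAULT_CERT"
  fi
}

# When invoked by pure-certd, answer for the name the client presented.
if [ -n "${CERTD_SNI_NAME:-}" ]; then
  cert_for_sni "$CERTD_SNI_NAME"
fi
```

    The hostname check is the part worth keeping even if the rest is adapted: without it, a crafted SNI value containing path separators would let the handler return an arbitrary readable file as the certificate and key. The script needs read access to the Let's Encrypt private keys, so it should run as a dedicated user with that access limited to the `live/` tree.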
  2. ahrasis

    ahrasis Well-Known Member

    Personally, I don't think it's worth it.
     
  3. Jesse Norell

    Jesse Norell ISPConfig Developer, Staff Member

    I imagine the suggestion is usually to switch to SFTP rather than FTP, and most ftp clients support both. Setting up only RSA key access for a client would be an issue, though not a huge one (most customers who can take instructions to configure their FTP program now would likely be able to follow instructions to paste in the keys, and those which need help following instructions for FTP would still need help to set up SFTP).

    I'd never considered pure-ftpd for SNI, but it is intriguing. It's a feature request for postfix/dovecot, and if that is ever implemented, keeping pure-ftpd in mind would make sense (it should be easier, as you already have http on all the ftp servers; not so with all mail servers).
     