How To Configure PureFTPd To Accept TLS Sessions On Ubuntu 10.10

Version 1.0
Author: Falko Timme

FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure. This article explains how to configure PureFTPd to accept TLS sessions on an Ubuntu 10.10 server.

I do not issue any guarantee that this will work for you!


1 Preliminary Note

You should have a working PureFTPd setup on your Ubuntu 10.10 server, e.g. as shown in this tutorial: Virtual Hosting With PureFTPd And MySQL (Incl. Quota And Bandwidth Management) On Ubuntu 10.10.

Make sure that you are logged in as root (type in

sudo su

to become root), because we must run all the steps from this tutorial as root user.


2 Installing OpenSSL

TLS requires OpenSSL; to install it, we simply run:

aptitude install openssl


3 Configuring PureFTPd

If you want to allow FTP and TLS sessions, run

echo 1 > /etc/pure-ftpd/conf/TLS

If you want to accept TLS sessions only (no FTP), run

echo 2 > /etc/pure-ftpd/conf/TLS


To not allow TLS at all (only FTP), either delete /etc/pure-ftpd/conf/TLS or run

echo 0 > /etc/pure-ftpd/conf/TLS


4 Creating The SSL Certificate For TLS

In order to use TLS, we must create an SSL certificate. I create it in /etc/ssl/private/, therefore I create that directory first:

mkdir -p /etc/ssl/private/

Afterwards, we can generate the SSL certificate as follows:

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]: <-- Enter your State or Province Name.
Locality Name (eg, city) []: <-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []: <-- Enter the Fully Qualified Domain Name of the system (e.g. "").
Email Address []: <-- Enter your Email Address.

Change the permissions of the SSL certificate:

chmod 600 /etc/ssl/private/pure-ftpd.pem

Finally restart PureFTPd:

/etc/init.d/pure-ftpd-mysql restart

That's it. You can now try to connect using your FTP client; however, you should configure your FTP client to use TLS. The next chapter shows how to do this with FileZilla.
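
To check the result of chapters 3 and 4, here is a small audit script. It is an added example, not part of the original tutorial; the function names tls_mode and check_pem are made up for it, and the default paths are the ones used above.

```shell
#!/bin/sh
# Added example: audit the two files this tutorial creates.

# Map the value in conf/TLS to the modes described in chapter 3.
tls_mode() {
    conf="${1:-/etc/pure-ftpd/conf/TLS}"
    [ -f "$conf" ] || { echo "plain-only"; return 0; }  # file deleted = no TLS
    val=$(tr -d '[:space:]' < "$conf")
    case "$val" in
        0) echo "plain-only" ;;
        1) echo "plain-and-tls" ;;   # unencrypted FTP sessions still accepted
        2) echo "tls-only" ;;
        *) echo "invalid"; return 1 ;;
    esac
}

# Check the combined key + certificate file from chapter 4.
check_pem() {
    pem="${1:-/etc/ssl/private/pure-ftpd.pem}"
    [ -f "$pem" ] || { echo "missing"; return 1; }
    # Group and other permission bits must all be clear (chmod 600 or stricter).
    perms=$(ls -ld "$pem" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "key-readable-by-others"; return 1; }
    # The openssl command above writes both blocks into the same file.
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pem" || { echo "no-private-key"; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" || { echo "no-certificate"; return 1; }
    echo "ok"
}

# Run as root with --audit to check the real files.
if [ "${1:-}" = "--audit" ]; then
    echo "TLS mode: $(tls_mode)"
    echo "Certificate file: $(check_pem)"
fi
```

A result of plain-and-tls means clients that are not set to FTPES can still log in with their password in clear text.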


5 Configuring FileZilla For TLS

In order to use FTP with TLS, you need an FTP client that supports TLS, such as FileZilla.

In FileZilla, open the Server Manager:

Select the server that uses PureFTPd with TLS; in the Server Type drop-down menu, select FTPES instead of normal FTP:

Now you can connect to the server. If you do this for the first time, you must accept the server's new SSL certificate:

If everything goes well, you should now be logged in on the server:



7 Comment(s)



By: scorp123

Why the hassle and not use SSH instead of this FTP+SSL rig? Even on Windows, file transfer programs such as FileZilla, WinSCP and CyberDuck can easily handle SSH and its sub-protocols SCP and SFTP.

By: Paul

What if you don't want to give SSH access?

By: Zentoo

If you don't want to give SSH access (i.e. to a login shell) but you want to use SFTP, then use SSH:
- the Unix account only needs to have /sbin/nologin as its login shell



By: jas

He does not want to give the users access to his entire file system.

He wants to jail them into a dir.

By: Reyboz

Installed & configured properly accepting TLS sessions only. Thanks.

By: Learner

Falko, this tutorial was incredibly helpful and useful for me. The FTP feature does not work in a fresh install of Kloxo-MR panel. I've been trying for 3 days to get pure-ftpd to work there. Have tried tons of other "solutions." Yours is the only one that worked. Thank you!

By: Kaj

Getting GnuTLS-Fehler -110 in gnutls_record_recv: The TLS connection was non-properly terminated.

idk why