
Date:  Wed, 29 Jul 2009 12:42:43 -0700
From:  "Ken Marcus - Precision Web Hosting, Inc." <kenlists (at mark) precisionweb.net>
Subject:  [coba-e:15844] Fw:  Re: FTP - TLS/SSL Support? - Updated Instructions
To:  <coba-e (at mark) bluequartz.org>
Message-Id:  <BCD41E0FC0BB4407A93D151D3D88434E@OfficeKen>
X-Mail-Count: 15844



> ----- Original Message ----- 
> From: "Tom Müller-Kortkamp"

>
>> Hi,
>>
>> I've just one include line in the <global> part, like
>> include /etc/proftpd.conf.tls
>>
>> with the following content (I use the dovecot-certs):
>> # cat /etc/proftpd.conf.tls
>> <IfModule mod_tls.c>
>>   TLSEngine on
>>   TLSLog /var/log/ftp-tls.log
>>   TLSRequired off
>>   TLSRSACertificateFile /etc/pki/dovecot/certs/dovecot.pem
>>   TLSRSACertificateKeyFile /etc/pki/dovecot/private/dovecot.pem
>>   TLSVerifyClient off
>>   TLSOptions NoCertRequest
>>   TLSRenegotiate required off
>> </IfModule>
>>
>> So I just have to add one line when prefs got lost/deleted.
>>
>> Just my 5 ct ...
>>
>> tmueko
>>
>> On 29.05.2008 at 06:56, Jim Scott wrote:
>>
>>> I had to make a correction to my last post. It seems that the
>>> configuration I was showing only enabled TLS/SSL on the main IP
>>> address. If you have multiple IPs bound to a box it would not work on
>>> any of the virtualhosts.
>>>
>>> I changed the configuration to put most of the config in <Global></Global>
>>> and the directive TLSProtocol is not allowed in Global so it had
>>> to be put outside. I tested after these changes and I can now connect
>>> on any IP address that is on my box. Also the blog was updated with the
>>> new instructions.
>>>
>>> <IfModule mod_tls.c>
>>>   TLSProtocol TLSv1
>>> </IfModule>
>>>
>>> # Restore file permissions capability to site administrator
>>> <Global>
>>>  # Report localtime, not GMT
>>>  TimesGMT                     off
>>>  ServerIdent                  on "FTP Server"
>>>  IdentLookups                 off
>>>
>>> <IfModule mod_tls.c>
>>>   TLSEngine on
>>>   TLSLog /var/log/tls.log
>>>
>>>   # Are clients required to use FTP over TLS when talking to this 
>>> server?
>>>   TLSRequired off
>>>
>>>   # Server's certificate
>>>   TLSRSACertificateFile /etc/proftpd/ssl/proftpd.cert.pem
>>>   TLSRSACertificateKeyFile /etc/proftpd/ssl/proftpd.key.pem
>>>
>>>   # Authenticate clients that want to use FTP over TLS?
>>>   TLSVerifyClient off
>>>
>>>   # Allow SSL/TLS renegotiations when the client requests them, but
>>>   # do not force the renegotations.  Some clients do not support
>>>   # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
>>>   # clients will close the data connection, or there will be a timeout
>>>   # on an idle data connection.
>>>   TLSRenegotiate required off
>>>
>>> </IfModule>
>>>
>>> </Global>
>>>
>
> I was able to get this to work finally. In case anyone else had trouble 
> with it, here is the info.
>
> The code I inserted into the <global> section of /etc/proftpd.conf
> was:
>
> <IfModule mod_tls.c>
>    TLSEngine on
>    TLSLog /var/log/tls.log
>    TLSRequired off
>    TLSOptions NoCertRequest
>    TLSRSACertificateFile /etc/admserv/certs/certificate
>    TLSRSACertificateKeyFile /etc/admserv/certs/key
>    TLSVerifyClient off
>    TLSRenegotiate required off
> </IfModule>
>
>
> I previously had used a different template that did not have the
> "TLSOptions NoCertRequest"
> in the code.
> Now that I added "TLSOptions NoCertRequest", it does work.
>
> Since I use a cert (for the siteadmin login) on my servers that is already
> at /etc/admserv/certs/certificate, I used that path.
>
> In my FTP software, Secure FX, since I use a wildcard cert, I set it to
> "Disable Certificate Validation".
> And, also in my FTP software, Secure FX,
> I set it to "FTP over SSL (explicit)".
>
> The "FTP over SSL (implicit)" does not work.
>
>
>
> ----
> Ken Marcus
> Ecommerce Web Hosting by
> Precision Web Hosting, Inc.
> http://www.precisionweb.net
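A small audit script for the mod_tls fragments posted in this thread, added here as an example (it is not code from the list or from ProFTPD). It parses the <Global>/<IfModule> nesting of a proftpd.conf fragment and reports settings a defender would want to know about: TLSRequired off (cleartext logins still accepted), a TLSProtocol list limited to legacy versions, and TLSProtocol placed inside <Global>, which the thread reports is rejected. The sample fragment is constructed from the configs quoted above.

```python
"""Audit the mod_tls settings in a proftpd.conf fragment (example, not from the thread)."""
import re

# Constructed sample: Jim's TLSProtocol block plus Ken's <Global> TLS block.
SAMPLE_CONF = """
<IfModule mod_tls.c>
  TLSProtocol TLSv1
</IfModule>
<Global>
  TimesGMT off
  <IfModule mod_tls.c>
    TLSEngine on
    TLSLog /var/log/tls.log
    TLSRequired off
    TLSOptions NoCertRequest
    TLSRSACertificateFile /etc/admserv/certs/certificate
    TLSRSACertificateKeyFile /etc/admserv/certs/key
    TLSVerifyClient off
    TLSRenegotiate required off
  </IfModule>
</Global>
"""

def parse_directives(text):
    """Return (context_path, name, args) tuples, tracking <Section> nesting."""
    stack, out = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<(/?)(\w+)(?:\s+([^>]*))?>$", line)
        if m:                              # opening or closing section tag
            stack.pop() if m.group(1) else stack.append(m.group(2))
            continue
        name, _, args = line.partition(" ")
        out.append(("/".join(stack), name, args.strip()))
    return out

def audit_tls(text):
    """Return a list of human-readable findings for the TLS directives."""
    findings = []
    d = {name: (ctx, args) for ctx, name, args in parse_directives(text)}
    if d.get("TLSEngine", ("", ""))[1].lower() != "on":
        findings.append("TLSEngine is not on: FTPS is not offered at all")
    if d.get("TLSRequired", ("", "off"))[1].lower() == "off":  # off is ProFTPD's default
        findings.append("TLSRequired off: clients may still log in with cleartext credentials")
    if "TLSProtocol" in d:
        ctx, vers = d["TLSProtocol"]
        if "Global" in ctx.split("/"):
            findings.append("TLSProtocol inside <Global>: the thread reports this is rejected")
        if set(vers.split()) <= {"SSLv23", "SSLv3", "TLSv1"}:
            findings.append(f"TLSProtocol {vers}: only legacy protocol versions are enabled")
    return findings
```

On the sample above the audit reports two findings: TLSRequired off and the TLSv1-only protocol list.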