Support Proftpd/pureftpd SSL SNI using lets encrypt certificates

Well pure-ftpd is supporting it. I just logged in to my server using FlashFXP.
I had to set it up to use TLSv1.2 though but it worked fine.
Code:
[R] Connecting to Richard G -> DNS=ftp.domain.nl IP=xxx.xxx.xx.xx PORT=21
[R] Connected to Richard G
[R] 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
[R] 220-You are user number 1 of 50 allowed.
[R] 220-Local time is now 01:32. Server port: 21.
[R] 220-This is a private system - No anonymous login
[R] 220-IPv6 connections are also welcome on this server.
[R] 220 You will be disconnected after 15 minutes of inactivity.
[R] AUTH TLS
[R] 234 AUTH TLS OK.
[R] TLSv1.2 negotiation successful...
 

and how should we activate this in DirectAdmin?

When I connect to FTP I just get the SSL cert from the server itself.
 
As far as I know directadmin does not install SNI certs into FTP server yet. So it can not work with SNI certs yet.

There is no option for it either.

Code:
# /usr/local/directadmin/directadmin c | grep sni -i
enable_ssl_sni=1
mail_sni=1

So you can use only hostname or add your custom domains into it.
 
When I connect to FTP I just get the SSL cert from the server itself.
Correct, but you asked for "something like", so I thought this would also be good.
Since there is indeed no SNI FTP option, this way you can at least have a TLS connection, without having to do special setups for pure-ftpd.
 
Pro-FTPd has support for SNI now. Maybe DA could build this in? Would be great to not have my customers have cert errors when logging into FTP.
 
SNI is enabled by default for pure-ftpd installations since CB 2.0 rev. 2074. Init.d setups require a new start/stop script, which should be available on all the mirrors in 24h.
 
Not sure if I am at the right spot to reply,
but since the update to 1.49 from 1.47 via CB 2.0 rev 2075 on CentOS 6.10 (final), Server Version 1.56.4,
I have TLS problems. (I can still connect through plain text.)
Debug from FileZilla:

Status: Connection established, waiting for welcome message...
Trace: CFtpControlSocket::OnReceive()
Response: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Response: 220-You are user number 4 of 50 allowed.
Response: 220-Local time is now 10:44. Server port: 21.
Response: 220-This is a private system - No anonymous login
Response: 220-IPv6 connections are also welcome on this server.
Response: 220 You will be disconnected after 15 minutes of inactivity.
Trace: CFtpLogonOpData::parseResponse() in state 1
Trace: CControlSocket::SendNextCommand()
Trace: CFtpLogonOpData::Send() in state 2
Command: AUTH TLS
Trace: CFtpControlSocket::OnReceive()
Response: 234 AUTH TLS OK.
Trace: CFtpLogonOpData::parseResponse() in state 2
Status: Initializing TLS...
Trace: CTlsSocketImpl::Handshake()
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: TLS handshake: About to send CLIENT HELLO
Trace: TLS handshake: Sent CLIENT HELLO
Trace: CTlsSocketImpl::OnSend()
Trace: CTlsSocketImpl::OnRead()
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: CTlsSocketImpl::OnRead()
Trace: CTlsSocketImpl::ContinueHandshake()
Trace: CTlsSocketImpl::Failure(-110)
Error: GnuTLS error -110: The TLS connection was non-properly terminated.
Status: Server did not properly shut down the TLS connection
Status: Connection attempt failed with "ECONNABORTED - Connection aborted".
Trace: CRealControlSocket::OnSocketError(106)
Trace: CRealControlSocket::DoClose(66)
Trace: CControlSocket::DoClose(66)
Trace: CFtpControlSocket::ResetOperation(66)
Trace: CControlSocket::ResetOperation(66)
Trace: CFtpLogonOpData::Reset(66) in state 4
Error: Could not connect to server
Trace: CFileZillaEnginePrivate::ResetOperation(66)
 
I have updated Pure-FTPD but I still get warnings about the certificate when I connect with FileZilla. The certificate shows the server hostname even when I connect with the clients domain name. How do I fix this?

The actual error is: Hostname does not match certificate
 
May you create a ticket at tickets.directadmin.com with access to the server?
 
Sorry for the late post.

I have updated our dev environment
to CB rev 2090.

Still the same from FileZilla.

Try rebuilding pureftpd with the new CB version. I was having the same issue and that worked for me.

Code:
./build pureftpd
 
The problem is that ftp.domainname doesn't work. If you enter mail.domainname, www.domainname or domainname, it will work. But, Martynas solved the problem:

wget -O /usr/local/bin/pureftpd_sni.sh custombuild.eu/pureftpd_sni.sh
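To check whether the fix above actually makes pure-ftpd pick the right certificate, here is an added checker script (my own code, not part of this thread, DirectAdmin or the custombuild.eu script). It does the same STARTTLS exchange the FlashFXP and FileZilla logs show (read the 220 banner, send AUTH TLS, expect 234), then completes the TLS handshake with the customer name in the SNI extension and reports which DNS names the served certificate carries. The chain is still verified against the system CA store (so a Let's Encrypt certificate must validate), but the hostname check is done separately so a mismatch is reported instead of raised. The host and server name on the command line, and the captured banner used in the offline helper, are constructed examples.

```python
import io
import socket
import ssl
import sys


def read_reply(rfile):
    """Read one FTP reply from a binary file-like object and return (code, lines).

    Handles RFC 959 multi-line replies: a first line of the form "220-..."
    opens the block and it ends at a line of the form "220 ..." (same code,
    then a space). Pure-FTPd's welcome banner is exactly such a reply.
    """
    raw = rfile.readline()
    if not raw:
        raise ValueError("connection closed before a reply arrived")
    first = raw.decode("latin-1").rstrip("\r\n")
    if len(first) < 3 or not first[:3].isdigit():
        raise ValueError("malformed FTP reply: %r" % first)
    code = first[:3]
    lines = [first[4:]]
    if len(first) > 3 and first[3] == "-":
        while True:
            raw = rfile.readline()
            if not raw:
                raise ValueError("connection closed inside multi-line reply")
            line = raw.decode("latin-1").rstrip("\r\n")
            # Continuation lines may or may not repeat the code; keep the text.
            lines.append(line[4:] if line.startswith(code) else line)
            if line.startswith(code + " "):
                break
    return int(code), lines


def parse_replies(data):
    """Parse every reply in a captured byte string (offline helper for testing)."""
    rfile = io.BytesIO(data)
    out = []
    while rfile.tell() < len(data):
        out.append(read_reply(rfile))
    return out


def san_dns_names(cert):
    """Extract the dNSName entries from an ssl.getpeercert() dictionary."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(hostname, dns_names):
    """True if hostname is covered by a SAN dNSName: exact match, or a single
    leading wildcard label ("*.domain.nl" covers "ftp.domain.nl" but not
    "domain.nl" or "a.b.domain.nl")."""
    host = hostname.lower().rstrip(".")
    for name in dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


def check_ftp_sni(host, servername, port=21, timeout=10):
    """Upgrade a plain FTP session with AUTH TLS, sending `servername` as SNI,
    and report the served certificate's names. Raises ssl.SSLCertVerificationError
    if the chain itself does not validate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # we compare names ourselves below
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain must still validate
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        code, banner = read_reply(rfile)
        if code != 220:
            raise RuntimeError("unexpected banner: %d %s" % (code, banner[0]))
        sock.sendall(b"AUTH TLS\r\n")
        code, lines = read_reply(rfile)
        if code != 234:
            raise RuntimeError("server refused AUTH TLS: %d %s" % (code, lines[0]))
        # The server now waits for our ClientHello, so nothing is left buffered.
        with ctx.wrap_socket(sock, server_hostname=servername) as tls:
            names = san_dns_names(tls.getpeercert())
            return {
                "tls_version": tls.version(),
                "san": names,
                "matches": hostname_matches(servername, names),
            }


if __name__ == "__main__":
    # Usage: python ftp_sni_check.py ftp.domain.nl [servername] (constructed example)
    target = sys.argv[1]
    sni = sys.argv[2] if len(sys.argv) > 2 else target
    print(check_ftp_sni(target, sni))
```

Run it once with the customer's ftp.domain.nl and once with the server hostname: if "matches" is False for the customer name while the SAN list only shows the box hostname, SNI is not being applied on the FTP side, which is exactly the "Hostname does not match certificate" FileZilla reports.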
 
SNI is enabled by default for pure-ftpd installations since CB 2.0 rev. 2074. Init.d setups require a new start/stop script, which should be available on all the mirrors in 24h.
I would think that since ProFTP can do SFTP, it would be better to implement SNI for ProFTP than PureFTP, and make ProFTP the default. ProFTP also uses standard .conf file to document and manage configuration options.
 