Thread: Support Proftpd/pureftpd SSL SNI using lets encrypt certificates

  1. #1
    Join Date
    Mar 2018
    Posts
    4

    Support Proftpd/pureftpd SSL SNI using lets encrypt certificates

    Has anyone accomplished something like the mail_sni support for dovecot/exim (https://www.directadmin.com/features.php?id=2019), but then for ProFTPD or PureFTPD?

    I thought I found somewhere that cPanel or Plesk have supported this since a few days/months ago, but I cannot find that thread anymore.

  2. #2
    Join Date
    Aug 2014
    Posts
    27
    I would be very interested in this as well...

  3. #3
    Join Date
    May 2008
    Posts
    824
    Sadly, it is still not supported by proftpd:

    https://github.com/Castaglia/proftpd...ohost/issues/5

  4. #4
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,805
    Well, pure-ftpd supports it. I just logged in to my server using FlashFXP.
    I had to set it up to use TLSv1.2, though, but it worked fine.
    Code:
    [R] Connecting to Richard G -> DNS=ftp.domain.nl IP=xxx.xxx.xx.xx PORT=21
    [R] Connected to Richard G
    [R] 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    [R] 220-You are user number 1 of 50 allowed.
    [R] 220-Local time is now 01:32. Server port: 21.
    [R] 220-This is a private system - No anonymous login
    [R] 220-IPv6 connections are also welcome on this server.
    [R] 220 You will be disconnected after 15 minutes of inactivity.
    [R] AUTH TLS
    [R] 234 AUTH TLS OK.
    [R] TLSv1.2 negotiation successful...
    Greetings, Richard.

  5. #5
    Join Date
    Mar 2018
    Posts
    4
    Quote Originally Posted by Richard G
    Well, pure-ftpd supports it. I just logged in to my server using FlashFXP.
    I had to set it up to use TLSv1.2, though, but it worked fine.
    Code:
    [R] Connecting to Richard G -> DNS=ftp.domain.nl IP=xxx.xxx.xx.xx PORT=21
    [R] Connected to Richard G
    [R] 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    [R] 220-You are user number 1 of 50 allowed.
    [R] 220-Local time is now 01:32. Server port: 21.
    [R] 220-This is a private system - No anonymous login
    [R] 220-IPv6 connections are also welcome on this server.
    [R] 220 You will be disconnected after 15 minutes of inactivity.
    [R] AUTH TLS
    [R] 234 AUTH TLS OK.
    [R] TLSv1.2 negotiation successful...
    And how should we activate this in DirectAdmin?

    When I connect to FTP I just get the SSL cert from the server itself.

  6. #6
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    13,311
    As far as I know, DirectAdmin does not install SNI certs into the FTP server yet, so it cannot work with SNI certs yet.

    There is no option for it either.

    Code:
    # /usr/local/directadmin/directadmin c | grep sni -i
    enable_ssl_sni=1
    mail_sni=1
    So you can use only the hostname, or add your custom domains into it.
    Regards, Alex G.

    - Get the best commercial DirectAdmin support and hire me on poralix.com
    - Follow and like @Poralix on Facebook

  7. #7
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,805
    Quote Originally Posted by sipsik
    When I connect to FTP I just get the SSL cert from the server itself.
    Correct, but you asked for "something like", so I thought this would also be good.
    Since there is indeed no SNI FTP option, this way you can at least have a TLS connection without having to do special setups for pure-ftpd.
    Greetings, Richard.

  8. #8
    Join Date
    Feb 2015
    Posts
    8
    ProFTPD has support for SNI now. Maybe DA could build this in? It would be great to not have my customers get cert errors when logging into FTP.

  9. #9
    Join Date
    Mar 2011
    Location
    Hungary
    Posts
    88
    Quote Originally Posted by tlweb
    ProFTPD has support for SNI now. Maybe DA could build this in? It would be great to not have my customers get cert errors when logging into FTP.
    +1 for that

  10. #10
    Join Date
    Aug 2006
    Location
    LT, EU
    Posts
    7,738
    SNI is enabled by default for pure-ftpd installations since CB 2.0 rev. 2074. Init.d setups require a new start/stop script, which should be available on all the mirrors in 24h.
    Martynas Bendorius
    MB Martynas IT. Professional server management company. Official DirectAdmin, CloudLinux, LiteSpeed and Comodo partners.

  11. #11
    Join Date
    Apr 2019
    Posts
    3
    Not sure if I am at the right spot to reply, but since the update to 1.49 from 1.47 via CB 2.0 rev 2075 on CentOS 6.10 (final), Server Version 1.56.4,
    I have TLS problems (I can still connect through plain text).
    Debug from FileZilla:

    Status: Verbinding gemaakt, welkomstbericht afwachten...
    Opsporen: CFtpControlSocket::OnReceive()
    Antwoord: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    Antwoord: 220-You are user number 4 of 50 allowed.
    Antwoord: 220-Local time is now 10:44. Server port: 21.
    Antwoord: 220-This is a private system - No anonymous login
    Antwoord: 220-IPv6 connections are also welcome on this server.
    Antwoord: 220 You will be disconnected after 15 minutes of inactivity.
    Opsporen: CFtpLogonOpData::ParseResponse() in state 1
    Opsporen: CControlSocket::SendNextCommand()
    Opsporen: CFtpLogonOpData::Send() in state 2
    Opdracht: AUTH TLS
    Opsporen: CFtpControlSocket::OnReceive()
    Antwoord: 234 AUTH TLS OK.
    Opsporen: CFtpLogonOpData::ParseResponse() in state 2
    Status: TLS initialiseren...
    Opsporen: CTlsSocketImpl::Handshake()
    Opsporen: CTlsSocketImpl::ContinueHandshake()
    Opsporen: TLS handshake: About to send CLIENT HELLO
    Opsporen: TLS handshake: Sent CLIENT HELLO
    Opsporen: CTlsSocketImpl::OnSend()
    Opsporen: CTlsSocketImpl::OnRead()
    Opsporen: CTlsSocketImpl::ContinueHandshake()
    Opsporen: CTlsSocketImpl::OnRead()
    Opsporen: CTlsSocketImpl::ContinueHandshake()
    Opsporen: CTlsSocketImpl::Failure(-110)
    Fout: GnuTLS-fout -110: The TLS connection was non-properly terminated.
    Status: Server heeft de TLS-verbinding niet goed gesloten
    Status: Verbindingspoging mislukt met "ECONNABORTED - Verbinding verbroken".
    Opsporen: CRealControlSocket::OnSocketError(106)
    Opsporen: CRealControlSocket::DoClose(66)
    Opsporen: CControlSocket::DoClose(66)
    Opsporen: CFtpControlSocket::ResetOperation(66)
    Opsporen: CControlSocket::ResetOperation(66)
    Opsporen: CFtpLogonOpData::Reset(66) in state 4
    Fout: Kan niet verbinden met server
    Opsporen: CFileZillaEnginePrivate::ResetOperation(66)

  12. #12
    Join Date
    Aug 2006
    Location
    LT, EU
    Posts
    7,738
    Could you try rev. 2078?
    Martynas Bendorius
    MB Martynas IT. Professional server management company. Official DirectAdmin, CloudLinux, LiteSpeed and Comodo partners.

  13. #13
    Join Date
    Apr 2016
    Posts
    34
    I have updated Pure-FTPd, but I still get warnings about the certificate when I connect with FileZilla. The certificate shows the server hostname even when I connect with the client's domain name. How do I fix this?

    The actual error is: Hostname does not match certificate
    Last edited by Freddy; 05-07-2019 at 02:07 AM. Reason: Added error message

  14. #14
    Join Date
    Apr 2019
    Posts
    3
    Quote Originally Posted by smtalk
    Could you try rev. 2078?
    Sorry for the late post.

    We have updated our dev environment to CB rev 2090.

    Still the same from FileZilla.

  15. #15
    Join Date
    Aug 2006
    Location
    LT, EU
    Posts
    7,738
    Could you create a ticket at tickets.directadmin.com with access to the server?
    Martynas Bendorius
    MB Martynas IT. Professional server management company. Official DirectAdmin, CloudLinux, LiteSpeed and Comodo partners.

  16. #16
    Join Date
    Apr 2019
    Posts
    3
    Quote Originally Posted by smtalk
    Could you create a ticket at tickets.directadmin.com with access to the server?
    I have to get back on that and discuss getting access to the server.

  17. #17
    Join Date
    Apr 2016
    Posts
    34
    Quote Originally Posted by Michel_B
    Sorry for the late post.

    We have updated our dev environment to CB rev 2090.

    Still the same from FileZilla.
    Try rebuilding pureftpd with the new CB version. I was having the same issue and that worked for me.

    Code:
    ./build pureftpd

  18. #18
    Join Date
    May 2014
    Posts
    107
    The problem is that ftp.domainname doesn't work. If you enter mail.domainname, www.domainname or domainname, it will work. But Martynas solved the problem:

    Code:
    wget -O /usr/local/bin/pureftpd_sni.sh custombuild.eu/pureftpd_sni.sh
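The "Hostname does not match certificate" warnings in #13 and the ftp.domainname vs. www.domainname difference in #18 can be checked from the command line instead of through a GUI client. The script below is an added example written for this thread (not DirectAdmin, CustomBuild or pure-ftpd code): it opens an explicit-TLS (AUTH TLS) session with the SNI name set to the name you connect with, and reports which SAN names the server actually presented and whether they cover that name; the customer.example hostnames are constructed placeholders.

```python
"""Probe an explicit-TLS (AUTH TLS) FTP server with SNI and check whether the
certificate it returns actually covers the name the client asked for.
Added example for this thread; not DirectAdmin/CustomBuild/pure-ftpd code."""
import ssl
from ftplib import FTP_TLS


def san_dns_names(cert):
    """DNS entries from an ssl getpeercert()-style dict (empty if none)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, hostname):
    """RFC 6125-style match: case-insensitive; a wildcard is allowed only as
    the whole leftmost label and never spans a dot or the bare parent domain."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        head, sep, tail = hostname.partition(".")
        return bool(head) and sep == "." and "." + tail == pattern[1:]
    return pattern == hostname


def cert_covers(cert, hostname):
    """True if any SAN DNS name covers hostname. The CN is deliberately
    ignored, as current clients such as FileZilla ignore it too."""
    return any(name_matches(p, hostname) for p in san_dns_names(cert))


def probe_ftp_tls(hostname, port=21, timeout=10):
    """Connect, send AUTH TLS with SNI=hostname and report the SANs presented
    and whether they cover hostname. The chain is still CA-verified (so the
    dict form of the cert is populated); only the hostname check is ours."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # we report the mismatch ourselves
    ftp = FTP_TLS(context=ctx, timeout=timeout)
    ftp.connect(hostname, port)
    ftp.auth()                            # AUTH TLS; ftplib sets SNI to hostname
    cert = ftp.sock.getpeercert()
    ftp.quit()
    return {"sni": hostname, "sans": san_dns_names(cert), "covered": cert_covers(cert, hostname)}


if __name__ == "__main__":
    # Constructed placeholder names: try the variants discussed in the thread.
    for name in ("ftp.customer.example", "www.customer.example", "customer.example"):
        try:
            print(probe_ftp_tls(name))
        except OSError as exc:            # includes ssl.SSLError (e.g. self-signed chain)
            print(name, "->", exc)
```

A result with `"covered": False` and only the server hostname in `sans` is exactly the situation described in #13: the server ignored the SNI name and served its default certificate.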

  19. #19
    Join Date
    Nov 2016
    Posts
    9
    Quote Originally Posted by tlweb
    ProFTPD has support for SNI now. Maybe DA could build this in? It would be great to not have my customers get cert errors when logging into FTP.
    Hmm, this is still an issue, though?
    How do you know proftpd supports SNI now?
    And how can we set it up the easiest way in a DA setting?
    Last edited by firfin; 05-17-2019 at 07:26 AM.