DA proftpd rpm source for TLS/SSL configure?

eger

I am testing DA and one thing I notice not working is TLS/SSL FTP. The addition of TLS/SSL to proftpd looks very simple. It is just a couple of lines needed in the config file for the server certificates.

However the rpm was not built with mod_tls.c so these do not work. Wondering if anyone knows where the source rpm for this proftpd distribution is. Better yet, maybe the DA team could rebuild their proftpd rpms including mod_tls? =)
 
Thanks John!

Hope you look into it for future releases. Should only need a couple lines in the proftpd and proftpd.vhosts conf IIRC.

I will test it out compiling my own rpm with mod_tls and post my findings.
 
I have turned this into a how-to and moved to: http://www.directadmin.com/forum/showthread.php?s=&threadid=16449



I got SSLv3 and TLSv1 working in ProFTPD. Thought I would share what I did for DirectAdmin developers so they can add this simple update to future releases and for anyone who wants to enable SSLv3 and TLSv1.

I just tested a regular shared FTP account and one with its own IP address in the proftpd.vhosts.conf file also.

My Test Server:
- Linux womp.h4xed.us 2.6.9-42.0.3.ELsmp #1 SMP Fri Oct 6 06:21:39 CDT 2006 i686 i686 i386 GNU/Linux
- CentOS 4.4
- 1 GB RAM
- 150GB Hard Drive

Following these instructions:
http://help.directadmin.com/item.php?id=82 with some small changes outlined in my setup below.

Configure Statement Changes:
Changed: --prefix=/usr/local
To: --prefix=/usr

Changed: --mandir=/usr/local/man
To: --mandir=/usr/man

Changed: --with-modules=mod_ratio:mod_readme
To: --with-modules=mod_ratio:mod_readme:mod_tls

Uninstalled Current proftpd RPM:
Back up your config files just in case (uninstalling the RPM should rename /etc/proftpd.conf to /etc/proftpd.conf.rpmsave and leave the others untouched).
# mkdir /etc/proftpd.backups
# cp /etc/proftpd.* /etc/proftpd.backups/
# service proftpd stop
# rpm -e proftpd-standalone
# rpm -e proftpd

Build and Install proftpd From Source:
Now just follow the rest of http://help.directadmin.com/item.php?id=82. After you make and make install proftpd and there were no errors installing you can copy the init.d script that the RPM removed. You will also need to copy your saved proftpd.conf to /etc/proftpd.conf, overwriting the one installed from source.

# cp /etc/proftpd.backups/proftpd.conf /etc/proftpd.conf
# cp contrib/dist/rpm/proftpd.init.d /etc/init.d/proftpd
# chmod +x /etc/init.d/proftpd
# chkconfig proftpd on
# service proftpd restart

At this point you should have a working proftpd install just as the original RPM was.

Add TLS/SSL Settings To Configuration and Templates:
To enable TLSv1 and SSLv3 I added the following under </Global> in /etc/proftpd.conf:
Code:
<IfModule mod_tls.c>
	TLSEngine on
	TLSLog /var/log/proftpd/tls.log
	TLSProtocol SSLv23

	# Are clients required to use FTP over TLS when talking to this server?
	TLSRequired off

	# Server's certificate
	TLSRSACertificateFile /etc/httpd/conf/ssl.crt/server.crt
	TLSRSACertificateKeyFile /etc/httpd/conf/ssl.key/server.key

	# CA the server trusts
	TLSCACertificateFile /etc/httpd/conf/ssl.crt/ca-bundle.crt

	# Authenticate clients that want to use FTP over TLS?
	TLSVerifyClient off
</IfModule>

Then add these 7 lines inside each <VirtualHost></VirtualHost> in /etc/proftpd.vhosts.conf:
Code:
<IfModule mod_tls.c>
	TLSEngine on
	TLSLog /var/log/proftpd/tls.log
	TLSRSACertificateFile /etc/httpd/conf/ssl.crt/server.crt
	TLSRSACertificateKeyFile /etc/httpd/conf/ssl.key/server.key
	TLSCACertificateFile /etc/httpd/conf/ssl.crt/ca-bundle.crt
</IfModule>

We should also make sure the original template file is complete at /usr/local/directadmin/data/templates/proftpd.conf. Do the same to this file as you did to /etc/proftpd.conf.

Now make sure your template file /usr/local/directadmin/data/templates/proftpd.vhosts.conf has:
Code:
<IfModule mod_tls.c>
	TLSEngine on
	TLSLog /var/log/proftpd/tls.log
	TLSRSACertificateFile /etc/httpd/conf/ssl.crt/server.crt
	TLSRSACertificateKeyFile /etc/httpd/conf/ssl.key/server.key
	TLSCACertificateFile /etc/httpd/conf/ssl.crt/ca-bundle.crt
</IfModule>
added somewhere before the |EXTRA| token.

I also was able to compile the 1.3.0a source RPM by only changing the spec file to add mod_tls to the configure line just as we did from source. The RPM built fine. But I did not test the RPM yet. I assume it will work exactly as source does.

proftpd uses the same certificate files as httpd. Even the syntax is very similar. I just used the paths to the current default DirectAdmin httpd SSL certificate.

Information gathered on mod_tls and the configuration directives I got here: http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html

Hope this information helps!
 
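Added example, not part of the original posts or of DirectAdmin/ProFTPD: a small post-build check for the setup described above. It confirms mod_tls.c is compiled in (from `proftpd -l` output) and reports, for each `<IfModule mod_tls.c>` block, whether TLS is actually enforced. The function names, the sample config and the 192.0.2.10 address are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and the sample config are constructed for illustration.

# Reads `proftpd -l` output on stdin; succeeds only if mod_tls.c is compiled in.
# Without it, everything inside <IfModule mod_tls.c> is skipped.
has_mod_tls() {
    grep -q '^[[:space:]]*mod_tls\.c[[:space:]]*$'
}

# Prints one finding per line for each <IfModule mod_tls.c> block in the given
# files (or stdin). An unset TLSRequired counts as off, which is its default.
audit_tls_conf() {
    awk '
    $1 == "<IfModule" && $2 == "mod_tls.c>" { inblk = 1; n++; engine = req = proto = ""; next }
    inblk && $1 == "</IfModule>" {
        if (tolower(engine) != "on")
            print "block " n ": TLSEngine is not on"
        if (req == "" || tolower(req) == "off")
            print "block " n ": TLSRequired off or unset, clients may still log in without TLS"
        if (proto ~ /SSLv/)
            print "block " n ": TLSProtocol " proto " allows SSL protocol versions"
        inblk = 0; next
    }
    inblk && $1 == "TLSEngine"   { engine = $2 }
    inblk && $1 == "TLSRequired" { req = $2 }
    inblk && $1 == "TLSProtocol" { proto = $2; for (i = 3; i <= NF; i++) proto = proto " " $i }
    ' "$@"
}

# Constructed sample mirroring the two kinds of block in the post:
# the main server block and a per-VirtualHost block.
sample_conf() {
cat <<'EOF'
<IfModule mod_tls.c>
	TLSEngine on
	TLSProtocol SSLv23
	TLSRequired off
</IfModule>
<VirtualHost 192.0.2.10>
<IfModule mod_tls.c>
	TLSEngine on
</IfModule>
</VirtualHost>
EOF
}

sample_conf | audit_tls_conf
# On a server: proftpd -l | has_mod_tls || echo "mod_tls.c not compiled in"
#              audit_tls_conf /etc/proftpd.conf /etc/proftpd.vhosts.conf
```
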
eger, I'd like to see this as a How-To in the How-To section. I can put it there but then it'd have my name on it.

So can you do it?

Jeff
 
Sure, I will brush it up a bit and add the source rpm build too so then there will be a source and rpm choice for proftpd with TLS/SSL.

My DA test license expires soon also. So I may have to wait until I purchase DA, which will most likely be next week.
 