Pure-ftpd init script and SSL issue

[Richard G]

Issue 1 (init script).
I just installed another new server and by accident I checkend the init script of pure-ftpd and compared them to other servers.
In the pureftpd init script on 2 older servers in the second OPTIONS= line I see:

HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3"

On the 1 newer server and the one I installed today this line looks like this:

-S:HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3"

Is the -S: needed in the beginning? And if yes, why is this not updated on the older servers?

Issue 2 (SSL issue).
When you restart pureftpd in the logfile you will see this:

(?@?) [DEBUG] Couldn't load the DH parameters file /etc/ssl/private/pure-ftpd-dhparams.pem

This wasn't there before and we do not have an /etc/ssl/private directory.
But we can make an /etc/ssl/private directory and according what I've read on the cpanel forums, this can fix this notice:

openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 2048

Question is, is this a good fix and if yes, can the creation of the directory and this fix be implemented by default in Directadmin?

 

[Richard G]

Anybody some clue about this?

 

[zEitEr]

Hello,

'-J ': Sets the list of ciphers that will be accepted for SSL/TLS connections.For example: -J HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
Prefixing the list with -S: totally disables SSLv3.

http://unix.stackexchange.com/questions/168817/how-to-disable-sslv2-and-sslv3-in-pure-ftpd
ftp://ftp.slackbuilds.org/14.0/network/pure-ftpd/config/pure-ftpd.conf

 

[Richard G]

Thank you Zeiter, but it does not really answer my questions:

Is the -S: needed in the beginning? And if yes, why is this not updated on the older servers?

I can add the -S: manually, that's no problem. But since !SSLv3 is already present, why put the -S: in front? It's overkill isn't it? And if not, why is it not adjusted on older servers?

 

[Richard G]

Maybe zEitEr has an idea about this? Shoud I manually add it?

Any idea's on the SSL issue with pure-ftpd? Is that a good solution?

 

[zEitEr]

It was noticed that directadmin does not update init scripts, so it's up to you to update them to the latest version.

 

[Richard G]

Thank you zEitEr, but in that case it would be nice if somehow you could get notice if and which init scripts were changed.
I believe at this time there is no such possibility?

Any clues on the SSL issue of pureftpd? Could this be fixed so on a DA pure-ftpd installation this will be done automatically?