Support Proftpd/pureftpd SSL SNI using lets encrypt certificates

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,280
Location
Maastricht
Well, pure-ftpd supports it. I just logged in to my server using FlashFXP.
I had to set it up to use TLSv1.2 though, but it worked fine.
Code:
[R] Connecting to Richard G -> DNS=ftp.domain.nl IP=xxx.xxx.xx.xx PORT=21
[R] Connected to Richard G
[R] 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
[R] 220-You are user number 1 of 50 allowed.
[R] 220-Local time is now 01:32. Server port: 21.
[R] 220-This is a private system - No anonymous login
[R] 220-IPv6 connections are also welcome on this server.
[R] 220 You will be disconnected after 15 minutes of inactivity.
[R] AUTH TLS
[R] 234 AUTH TLS OK.
[R] TLSv1.2 negotiation successful...
 

Antiloop

New member
Joined
Mar 20, 2018
Messages
4
Well, pure-ftpd supports it. I just logged in to my server using FlashFXP.
I had to set it up to use TLSv1.2 though, but it worked fine.
Code:
[R] Connecting to Richard G -> DNS=ftp.domain.nl IP=xxx.xxx.xx.xx PORT=21
[R] Connected to Richard G
[R] 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
[R] 220-You are user number 1 of 50 allowed.
[R] 220-Local time is now 01:32. Server port: 21.
[R] 220-This is a private system - No anonymous login
[R] 220-IPv6 connections are also welcome on this server.
[R] 220 You will be disconnected after 15 minutes of inactivity.
[R] AUTH TLS
[R] 234 AUTH TLS OK.
[R] TLSv1.2 negotiation successful...
And how should we activate this in DirectAdmin?

When I connect to FTP I just get the SSL cert from the server itself.
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,932
Location
GMT +7.00
As far as I know DirectAdmin does not install SNI certs into the FTP server yet, so it cannot work with SNI certs yet.

There is no option for it either.

Code:
# /usr/local/directadmin/directadmin c | grep sni -i
enable_ssl_sni=1
mail_sni=1
So you can use only the hostname, or add your custom domains into it.
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,280
Location
Maastricht
When I connect to FTP I just get the SSL cert from the server itself.
Correct, but you asked for "something like", so I thought this would also be good.
Since there is indeed no SNI FTP option, this way you can at least have a TLS connection without having to do special setups for pure-ftpd.
 

tlweb

Verified User
Joined
Feb 23, 2015
Messages
14
Location
Netherlands
Pro-FTPd has support for SNI now. Maybe DA could build this in? Would be great to not have my customers have cert errors when logging into FTP.
 

smtalk

Administrator
Staff member
Joined
Aug 22, 2006
Messages
8,477
Location
LT, EU
SNI is enabled by default for pure-ftpd installations since CB 2.0 rev. 2074. Init.d setups require a new start/stop script, which should be available on all the mirrors in 24h.
 

Michel_B

New member
Joined
Apr 29, 2019
Messages
3
Not sure if I am at the right spot to reply.
But since the update to 1.49 from 1.47 via CB 2.0 rev 2075, CentOS 6.10 (final), Server Version 1.56.4,
I have TLS problems (I can still connect through plain text).
Debug from FileZilla:

Status: Verbinding gemaakt, welkomstbericht afwachten...
Opsporen: CFtpControlSocket::OnReceive()
Antwoord: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Antwoord: 220-You are user number 4 of 50 allowed.
Antwoord: 220-Local time is now 10:44. Server port: 21.
Antwoord: 220-This is a private system - No anonymous login
Antwoord: 220-IPv6 connections are also welcome on this server.
Antwoord: 220 You will be disconnected after 15 minutes of inactivity.
Opsporen: CFtpLogonOpData::parseResponse() in state 1
Opsporen: CControlSocket::SendNextCommand()
Opsporen: CFtpLogonOpData::Send() in state 2
Opdracht: AUTH TLS
Opsporen: CFtpControlSocket::OnReceive()
Antwoord: 234 AUTH TLS OK.
Opsporen: CFtpLogonOpData::parseResponse() in state 2
Status: TLS initialiseren...
Opsporen: CTlsSocketImpl::Handshake()
Opsporen: CTlsSocketImpl::ContinueHandshake()
Opsporen: TLS handshake: About to send CLIENT HELLO
Opsporen: TLS handshake: Sent CLIENT HELLO
Opsporen: CTlsSocketImpl::OnSend()
Opsporen: CTlsSocketImpl::OnRead()
Opsporen: CTlsSocketImpl::ContinueHandshake()
Opsporen: CTlsSocketImpl::OnRead()
Opsporen: CTlsSocketImpl::ContinueHandshake()
Opsporen: CTlsSocketImpl::Failure(-110)
Fout: GnuTLS-fout -110: The TLS connection was non-properly terminated.
Status: Server heeft de TLS-verbinding niet goed gesloten
Status: Verbindingspoging mislukt met "ECONNABORTED - Verbinding verbroken".
Opsporen: CRealControlSocket::OnSocketError(106)
Opsporen: CRealControlSocket::DoClose(66)
Opsporen: CControlSocket::DoClose(66)
Opsporen: CFtpControlSocket::ResetOperation(66)
Opsporen: CControlSocket::ResetOperation(66)
Opsporen: CFtpLogonOpData::Reset(66) in state 4
Fout: Kan niet verbinden met server
Opsporen: CFileZillaEnginePrivate::ResetOperation(66)
 

Freddy

Verified User
Joined
Apr 14, 2016
Messages
45
I have updated Pure-FTPD but I still get warnings about the certificate when I connect with FileZilla. The certificate shows the server hostname even when I connect with the clients domain name. How do I fix this?

The actual error is: Hostname does not match certificate
 

smtalk

Administrator
Staff member
Joined
Aug 22, 2006
Messages
8,477
Location
LT, EU
May you create a ticket at tickets.directadmin.com with access to the server?
 

Freddy

Verified User
Joined
Apr 14, 2016
Messages
45
Sorry for the late post.

Have updated our dev environment
to CB rev 2090.

Still the same from FileZilla.
Try rebuilding pureftpd with the new CB version. I was having the same issue and that worked for me.

Code:
./build pureftpd
 

dave097

Verified User
Joined
May 8, 2014
Messages
113
The problem is that ftp.domainname doesn't work. If you enter mail.domainname, www.domainname or domainname, it will work. But, Martynas solved the problem:

wget -O /usr/local/bin/pureftpd_sni.sh custombuild.eu/pureftpd_sni.sh
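A way to check from the outside what Freddy and dave097 describe (FileZilla reporting "Hostname does not match certificate", and ftp.domainname behaving differently from www.domainname) is to do the AUTH TLS upgrade by hand, send the customer's domain as the TLS SNI name, and compare the certificate the server presents against that name. The script below is an added example written for this thread; it is not part of DirectAdmin, CustomBuild or pure-ftpd. Host names such as ftp.customer.example and server.hosting.example are constructed placeholders, and the sample FTP greeting is constructed, not captured from anyone's server.

```python
"""Check which certificate an FTPS server presents for a given SNI name.

Added example for this thread (not DirectAdmin/pure-ftpd code). It speaks
enough plaintext FTP to issue AUTH TLS (RFC 4217), then does a TLS
handshake with the requested server name and reports whether the
certificate's DNS names cover that name, i.e. whether a client such as
FileZilla would raise "Hostname does not match certificate".
"""
import io
import socket
import ssl
import sys
from typing import List, Tuple

# Constructed sample greeting in the style of the thread's pure-ftpd banner.
SAMPLE_GREETING = (
    "220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------\r\n"
    "220-You are user number 1 of 50 allowed.\r\n"
    "220 You will be disconnected after 15 minutes of inactivity.\r\n"
)


def read_reply(fp) -> Tuple[int, List[str]]:
    """Read one FTP reply. Per RFC 959, 'ddd-' lines continue a multi-line
    reply and a line beginning 'ddd ' (or bare 'ddd') terminates it."""
    lines: List[str] = []
    while True:
        line = fp.readline()
        if not line:
            raise ConnectionError("connection closed while reading a reply")
        line = line.rstrip("\r\n")
        lines.append(line)
        if len(line) >= 3 and line[:3].isdigit() and (len(line) == 3 or line[3] == " "):
            return int(line[:3]), lines


def parse_reply_text(text: str) -> Tuple[int, List[str]]:
    """Convenience wrapper so a captured reply can be parsed offline."""
    return read_reply(io.StringIO(text))


def _name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive dNSName match; a leftmost '*.' covers exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) >= 2 and "" not in labels and ".".join(labels[1:]) == pattern[2:]
    return False


def hostname_matches(cert: dict, hostname: str) -> bool:
    """cert is the dict form returned by ssl.SSLSocket.getpeercert().
    Subject alternative names are authoritative; commonName is only consulted
    when the certificate carries no SAN at all (legacy behaviour)."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_name_matches(n, hostname) for n in names)


def check_ftps_sni(host: str, port: int = 21, server_name: str = None, timeout: float = 10.0) -> dict:
    """Connect to host:port, upgrade with AUTH TLS, handshake with SNI=server_name
    (defaults to host) and report what certificate came back. The CA chain is
    still verified against the system trust store; only the hostname check is
    done by us so that a mismatch is reported rather than raised."""
    server_name = server_name or host
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as raw:
        fp = raw.makefile("r", encoding="latin-1")
        code, lines = read_reply(fp)
        if code != 220:
            raise RuntimeError(f"unexpected greeting: {lines}")
        raw.sendall(b"AUTH TLS\r\n")
        code, lines = read_reply(fp)
        if code != 234:
            raise RuntimeError(f"AUTH TLS refused: {lines}")
        # Nothing more arrives in plaintext after 234, so no buffered bytes are lost.
        tls = ctx.wrap_socket(raw, server_hostname=server_name)
        cert = tls.getpeercert()
        result = {
            "sni": server_name,
            "tls_version": tls.version(),
            "subject": dict(pair for rdn in cert.get("subject", ()) for pair in rdn),
            "dns_names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
            "hostname_ok": hostname_matches(cert, server_name),
        }
        try:
            tls.sendall(b"QUIT\r\n")
        except OSError:
            pass
        tls.close()
        return result


if __name__ == "__main__":
    # Offline demonstration on the constructed greeting.
    print(parse_reply_text(SAMPLE_GREETING))
    # Live check: python ftps_sni_check.py ftp.customer.example [sni-name]
    if len(sys.argv) >= 2:
        sni = sys.argv[2] if len(sys.argv) > 2 else None
        print(check_ftps_sni(sys.argv[1], server_name=sni))
```

Running it twice against the same server, once with the bare domain or www name and once with the ftp name as the SNI value, shows directly whether the server selects a different certificate per name or always falls back to the hostname certificate; the `hostname_ok` field is the same verdict FileZilla reaches before it shows the warning. The chain is still verified, so a server presenting an untrusted self-signed certificate fails the handshake instead of being reported, which is the behaviour you want from a check that is meant to confirm the Let's Encrypt certificate is the one being served.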
 

IT_Architect

Verified User
Joined
Feb 27, 2006
Messages
888
SNI is enabled by default for pure-ftpd installations since CB 2.0 rev. 2074. Init.d setups require a new start/stop script, which should be available on all the mirrors in 24h.
I would think that since ProFTP can do SFTP, it would be better to implement SNI for ProFTP than PureFTP, and make ProFTP the default. ProFTP also uses standard .conf file to document and manage configuration options.
 