Support Proftpd/pureftpd SSL SNI using lets encrypt certificates

zEitEr
Super Moderator
Joined: Apr 11, 2005
Messages: 13,932
Location: GMT +7.00
SNI is required for FTPS only; it's not needed for SFTP. Implementing SNI in ProFTPd might bring a need to manage individual hosts for existing domains in the ProFTPd configs. This is what was abandoned by DirectAdmin some years ago. Not too sure how eager they are to implement it now.

So for now you've got two options:

- SFTP by ProFTPd
- FTP/FTPs with SNI by PureFTPd

What do others think?
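Added example, not from the thread and not Pure-FTPd's or DirectAdmin's own code: a handler for the "FTPS with SNI by PureFTPd" option above, of the kind run behind pure-certd to pick a Let's Encrypt certificate per SNI hostname. The line protocol it speaks (a `sni_name:` line followed by `end` on stdin; `action:`, `cert_file:`, `key_file:`, `end` on stdout), the `/etc/letsencrypt/live/<name>/` layout, the `LE_LIVE` and `DEFAULT_NAME` variables and the `sni-cert-handler` file name are all assumptions made here, so check them against the README.TLS shipped with your Pure-FTPd version. The security point it demonstrates is that the SNI name is untrusted client input: a handler that builds `$LE_LIVE/$sni/` without validation can be steered at any directory on the box, so the name is validated as a hostname before it touches the filesystem.

```shell
#!/bin/sh
# Added example (not code from the forum thread or from Pure-FTPd):
# pure-certd style handler mapping an SNI hostname to Let's Encrypt files.
# Assumed: LE_LIVE layout, DEFAULT_NAME, and the sni_name:/end -> action:/
# cert_file:/key_file:/end line protocol. Verify against your README.TLS.

LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live}"
DEFAULT_NAME="${DEFAULT_NAME:-}"   # certificate used when a client sends no SNI

# Accept only a plausible hostname: letters, digits, dots, hyphens; no label
# starting or ending with a hyphen; no leading dot, trailing dot or "..";
# at most 253 characters. This keeps "$LE_LIVE/$name" inside $LE_LIVE.
valid_sni() {
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -le 253 ] || return 1
    case $name in
        *[!A-Za-z0-9.-]*|.*|-*|*..*|*-.*|*.-*|*.) return 1 ;;
    esac
    return 0
}

# Print the fullchain and privkey paths for an SNI name (two lines),
# or print nothing and fail if the name is invalid or has no certificate.
cert_paths_for() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # SNI is case-insensitive
    valid_sni "$name" || return 1
    dir="$LE_LIVE/$name"
    [ -f "$dir/fullchain.pem" ] && [ -f "$dir/privkey.pem" ] || return 1
    printf '%s\n%s\n' "$dir/fullchain.pem" "$dir/privkey.pem"
}

# Read one request from stdin, write one reply to stdout.
# Unknown or malformed names are denied rather than falling back silently.
handle_request() {
    sni=""
    while IFS= read -r line; do
        case $line in
            sni_name:*) sni=${line#sni_name:} ;;
            end) break ;;
        esac
    done
    [ -n "$sni" ] || sni=$DEFAULT_NAME
    if paths=$(cert_paths_for "$sni"); then
        cert=$(printf '%s\n' "$paths" | sed -n 1p)
        key=$(printf '%s\n' "$paths" | sed -n 2p)
        printf 'action:allow\ncert_file:%s\nkey_file:%s\nend\n' "$cert" "$key"
    else
        printf 'action:deny\nend\n'
    fi
}

# Act as the handler only when installed under the assumed file name, so the
# functions can also be sourced and exercised without blocking on stdin.
if [ "${0##*/}" = "sni-cert-handler" ]; then
    handle_request
fi
```

With `DEFAULT_NAME` set to the server's own hostname, clients that send no SNI (older FTP clients) still get the server certificate; clients that send a name with no matching Let's Encrypt directory are denied, which surfaces a missing certificate as a TLS failure instead of a silent fallback to the wrong certificate and the very warning this thread is about.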

ikkeben
Verified User
Joined: May 22, 2014
Messages: 690
Location: Netherlands Germany
I would think that since ProFTP can do SFTP, it would be better to implement SNI for ProFTP than for PureFTP, and make ProFTP the default. ProFTP also uses a standard .conf file to document and manage configuration options.
I hope there won't then be options for different ports per domain, haha, joking ;)

http://www.proftpd.org/docs/contrib/mod_sftp.html

FTP control channel, and separate TCP connections for each FTP data channel. The need for these multiple connections is undesirable for many network administrators, especially those that wish to restrict all protocols to a single TCP connection which can be passed through firewalls/NAT/router equipment. The network equipment, now, often inspects the application-level data in FTP packets in order to dynamically open the necessary firewall rules for the FTP data channels

IT_Architect
Verified User
Joined: Feb 27, 2006
Messages: 888
Implementing SNI in ProFTPd might bring a need to manage individual hosts for existing domains in the ProFTPd configs. This is what was abandoned by DirectAdmin some years ago. Not too sure how eager they are to implement it now.
I don't understand the meaning of that statement. I also don't understand how ProFTPd would be any different from PureFTPd. One way you maintain a conf file, and the other way you change a complex launch string in rc.d.

So for now you've got two options:
- SFTP by ProFTPd
- FTP/FTPs with SNI by PureFTPd
What do others think?
Which means with ProFTPd you gain the more secure and far less troublesome SFTP, plugins like Apache's that do many useful things, and a config file that documents the configuration, while with PureFTPd our customers' customers would no longer have to work around a cert warning; but in order for FTP communication to be encrypted, you need to keep a range of ports constantly open on the server, which increases its attack surface and makes it more vulnerable because the firewall can no longer peek and dynamically open ports; there is no SFTP, which is far more robust and secure, and no config file that makes documentation maintenance practical. I don't understand how PureFTPd gets any respect. The only advantage I read about is that PureFTPd has fewer security patches. A bicycle gets fewer recalls than a car too. The less a piece of software does, the easier it is to secure.

It appears the only thing saving PureFTPd from irrelevance is the lack of DirectAdmin support for ProFTPd's SNI. I have no idea how difficult that would be to achieve.