Support Proftpd/pureftpd SSL SNI using lets encrypt certificates

[zEitEr]

SNI is required for FTPs only, it's not needed for SFTP. Implementing of SNI into ProFTPd might bring a need to manage individual hosts for existing domains in ProFTPd configs. This is what was abandoned by DirectAdmin some years ago. Not too sure how much they eager to implement it now.

So for now you've got two options:

- SFTP by ProFTPd
- FTP/FTPs with SNI by PureFTPd

What do other think?

 

[ikkeben]

I would think that since ProFTP can do SFTP, it would be better to implement SNI for ProFTP than PureFTP, and make ProFTP the default. ProFTP also uses standard .conf file to document and manage configuration options.

I hope not then the options to have per domain different ports haha joking

http://www.proftpd.org/docs/contrib/mod_sftp.html

FTP control channel, and separate TCP connections for each FTP data channel. The need for these multiple connections is undesirable for many network administrators, especially those that wish to restrict all protocols to a single TCP connection which can be passed through firewalls/NAT/router equipment. The network equipment, now, often inspects the application-level data in FTP packets in order to dynamically open the necessary firewall rules for the FTP data channels

 

[IT_Architect]

Implementing of SNI into ProFTPd might bring a need to manage individual hosts for existing domains in ProFTPd configs. This is what was abandoned by DirectAdmin some years ago. Not too sure how much they eager to implement it now.

I don't understand the meaning of that statement. I also don't understand how ProFTPd would be any different than PureFTPd. One way you maintain a conf file, and the other way you change a complex launch string in rc.d.

So for now you've got two options:
- SFTP by ProFTPd
- FTP/FTPs with SNI by PureFTPd
What do other think?

Which means with ProFTPd you gain the more secure and far less trouble SFTP, plugins like Apache that do many useful things, and a config file that documents the configuration, while with PureFTP our customer's customers no longer would have to work around a cert warning, but in order for FTP communication to be encrypted, you need to have a constantly open up a range of ports on the server that increases its attack surface and makes it more vulnerable because the firewall can no longer peek and dynamically open ports, no SFTP, which is far more robust and secure, and no config file that makes documentation maintenance practical. I don't understand how PureFTPd gets any respect. The only advantage I read is that PureFTPd has fewer security patches. A bicycle gets fewer recalls than a car too. The less a piece of software does, the easier it is to secure.

It appears the only thing saving PureFTPd from irrelevance is the lack of DirectAdmin support for ProFTPd's SNI. I have no idea how difficult that would be to achieve.

 

[Kal]

I stumbled over this thread while trying to work out why some FTPS clients get the hostname certificate (and throw the mismatch warning), while FileZilla gets the domain certificate, and connects without fuss. (I'm using default install of PureFTPd.) I still don't know the answer to that, but I have another question…

Why is SNI even required with Explicit SSL FTPS? With Implicit SSL, I can understand it, since the secure connection is established before any other communication. But with Explicit SSL, doesn't the client make its initial request in plain text, before the secure channel is established (and before login credentials are sent)? So shouldn't the server already know what certificate to use?

 

[Richard G]

So shouldn't the server already know what certificate to use?

I think not, because the FTP server is running on the hostname and an SSL certificate is limited to 1 domain and 1 ip normally. The SNI setting takes care that it allows a server to connect multiple SSL Certificates to one IP address and gate.
When not using the SNI my good guess is that the FTP would provide errors or refuse to connect to other domains than the server's hostname.
It's the same for mail. Without SNI, no ssl for mail. And you can use ssl on 465 or TLS on 587 but they both need SNI to work.
Seems to me it's the same for FTP. So even if the client makes the initial request, the server must be able to have multiple connects from different certificates to 1 domain, and that is the function which SNI provides.

Again, that's my good guess because this seems logic to me as to what SNI does.
Please correct me if I'm wrong.

 

[Kal]

You could be right, I really don't know. I just thought that the main point of SNI was to get the domain request to the server before the secure channel is established (to avoid the chicken and egg dilemma). I don't really understand the mechanics of it beyond that.

 

[IT_Architect]

I think not, because the FTP server is running on the hostname and an SSL certificate is limited to 1 domain and 1 ip normally. The SNI setting takes care that it allows a server to connect multiple SSL Certificates to one IP address and gate.

"Server Name Identification which is essentially where the SSL certificate will bind to a hostname/domain name instead of an IP address. "

You make a lot of sense. So what you are saying is Apache does, and we need ProFTPD and Exim to support it, or some kind of shim on the server level before wasting any more time trying to make this work.

 

[Richard G]

I'm not sure, I'm not that deep into technical English as I'm not native English. I'm only saying that SNI is necessary to be able to support multiple ssl domains on 1 ip which is not the case without SNI.
So without SNI no bind to hostname/domain name but to 1 single ip so no various ssl for variuos ftp accounts or domains. I'm not sure if Apache is needed as you can also request an SSL certificate for only mail or only ftp if I'm correct.
Seems not needed for sFTP so that confuses me a bit.
Might be better if somebody with more deepgoing knowledge on this could verify or confute my thoughts on this.

 

[IT_Architect]

What I was saying was:
- IF you run PHP-FPM with the new Apache, it has HTTP 2 plus supports multiple domains per IP. If you run MOD_PHP it does not.
- Email and FTP do not have support for it. Therefore what is needed are versions of these that do.

 

[Richard G]

So you are saying that if you run php-fpm with new apache and http2, you wouldn't need SSL SNI for using letsencrypt on multiple domains?
That seems incorrect to me, or I still don't understand you correctly.

Do you have documentation on this? Because what I read is that http2 does not have the 6-8 limits a browser can make various connections to 1 domain or something like that. Multiplexing.

Another important requirement for HTTP/2 over TLS is that “TLS implementation MUST support the Server Name Indication (SNI).” SNI, already supported by newer browsers, improves the efficiency of SSL Certificates to verify multiple domains.

To me this clearly states it does not replace SNI but it's a requirement.
You can read this here:

Welcome to the Web, HTTP/2

HTTP/2 is a new protocol expected to improve Internet connectivity speeds and the standard of Internet security.

www.digicert.com