ProFTPD-with-TLS Configuration Directives

There are only a handful of TLS-related directives that can be included in the proftpd.conf file. It is important to remember, however, that changing the value of any of these directives is likely to have an adverse effect on the functionality of ProFTPD on your server.

There are three TLS directives that have a significant impact on the behaviour of your FTP server. In addition, there are several directives that tell ProFTPD where to find the files that TLS-based authentication requires.

TlsRequired

This directive tells ProFTPD whether it should accept connections that are not TLS-encrypted. Unless you are absolutely certain that every person who will be using FTP on your Virtual Private Server has a TLS-capable client that supports one of the allowed encryption ciphers, you should not change this.

The default value for TlsRequired is off. To force TLS-encrypted connections only, change the value to on.
TlsRequired                    off

TlsCertsOk

TLS uses certificates for verification in much the same way SSL does. Because obtaining a certificate signed by a trusted authority can be prohibitively expensive, some people use self-signed certificates. For Virtual Private Servers with SSL support, you can use your existing SSL certificate or the default *.securesites.com certificate.

The default setting on the Virtual Private Server allows you to use unsigned certificates when using FTP. To force only signed certificates, you can change the TlsCertsOk value to on.
TlsCertsOk                     off

TlsCipherList

The TlsCipherList directive tells ProFTPD what type of encryption to use. Depending on your FTP client, various ciphers may or may not be supported. The following is the directive with the default value.
TlsCipherList                  ALL:!EXP
Below is a segment from the README for setting the value for the TlsCipherList directive.
How to put together a 'cipher list string':
Key Exchange Algorithms:
  "kRSA"      RSA key exchange
  "kDHr"      Diffie-Hellman key exchange (key from RSA cert)
  "kDHd"      Diffie-Hellman key exchange (key from DSA cert)
  "kEDH"      Ephemeral Diffie-Hellman key exchange (temporary key)

Authentication Algorithm:
  "aNULL"     No authentication
  "aRSA"      RSA authentication
  "aDSS"      DSS authentication
  "aDH"       Diffie-Hellman authentication

Cipher Encoding Algorithm:
  "eNULL"     No encoding
  "DES"       DES encoding
  "3DES"      Triple DES encoding
  "RC4"       RC4 encoding
  "RC2"       RC2 encoding
  "IDEA"      IDEA encoding

MAC Digest Algorithm:
  "MD5"       MD5 hash function
  "SHA1"      SHA1 hash function
  "SHA"       SHA hash function (should not be used)

Aliases:
  "ALL"       all ciphers
  "SSLv2"     all SSL version 2.0 ciphers (should not be used)
  "SSLv3"     all SSL version 3.0 ciphers
  "EXP"       all export ciphers (40-bit)
  "EXPORT56"  all export ciphers (56-bit)
  "LOW"       all low strength ciphers (no export)
  "MEDIUM"    all ciphers with 128-bit encryption
  "HIGH"      all ciphers using greater than 128-bit encryption
  "RSA"       all ciphers using RSA key exchange
  "DH"        all ciphers using Diffie-Hellman key exchange
  "EDH"       all ciphers using Ephemeral Diffie-Hellman key exchange
  "ADH"       all ciphers using Anonymous Diffie-Hellman key exchange
  "DSS"       all ciphers using DSS authentication
  "NULL"      all ciphers using no encryption

Each item in the list may include a prefix modifier:

  "+"         move cipher(s) to the current location in the list
  "-"         remove cipher(s) from the list (may be added again by
              a subsequent list entry)
  "!"         kill cipher from the list (it may not be added again
              by a subsequent list entry)

If no modifier is specified, the entry is added to the list at the current
position.  "+" may also be used to combine tags to specify entries: for
example, "RSA+RC4" describes all ciphers that use both RSA and RC4.

For example, all available ciphers not including ADH key exchange:

  ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

All algorithms including ADH and export but excluding patented algorithms: 

  HIGH:MEDIUM:LOW:EXPORT56:EXP:ADH:!kRSA:!aRSA:!RC4:!RC2:!IDEA

The OpenSSL command

  openssl ciphers -v 'cipher list string'

may be used to list all of the ciphers selected by a specific cipher list
string, in the order that string describes.

Other TLS Directives

There are some other directives that tell ProFTPD where to find its certificate, key, certificate revocation list and Diffie-Hellman parameter files. You are not likely to need to change any of these values. The following shows the file-related directives with their default values.
TlsRsaCertFile                 ftpd-rsa.pem
TlsRsaKeyFile                  ftpd-rsa-key.pem
TlsDsaCertFile                 ftpd-dsa.pem
TlsDsaKeyFile                  ftpd-dsa-key.pem
TlsCrlFile                     ftpd-crl.pem
TlsDhParamFile                 ftpd-dhparam.pem
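The cipher list rules quoted from the README above are easier to trust once you can watch them applied, and the same evaluator can then tell you which suites a given TlsCipherList line in proftpd.conf actually enables. The script below is an added example written for this page; it is not ProFTPD or OpenSSL code. CATALOG is a small constructed subset of SSLv3-era suite names tagged with the README's vocabulary (kRSA, aNULL, EXP, HIGH and so on), resolve_cipher_list applies the no-modifier, "+", "-" and "!" rules exactly as the README describes them, and audit reads a conf fragment and reports the two things this page warns about: TlsRequired left off, and a cipher list that still admits suites the README marks as weak. The only behaviour borrowed from OpenSSL rather than the README is that ALL leaves out the eNULL suites.

```python
"""Evaluate a TlsCipherList string and audit the TLS directives described
on this page. Added example, not ProFTPD or OpenSSL code; the suite
catalog is a small constructed subset tagged with the README vocabulary."""
import re

# Constructed catalog: suite name -> README tags that describe it.
# Strength aliases follow the page: EXP = 40-bit, LOW = single DES,
# MEDIUM = 128-bit, HIGH = more than 128-bit (triple DES).
CATALOG = [
    ("NULL-MD5",             {"kRSA", "aRSA", "eNULL", "MD5", "NULL", "SSLv3", "RSA"}),
    ("NULL-SHA",             {"kRSA", "aRSA", "eNULL", "SHA1", "NULL", "SSLv3", "RSA"}),
    ("EXP-RC4-MD5",          {"kRSA", "aRSA", "RC4", "MD5", "EXP", "SSLv3", "RSA"}),
    ("RC4-MD5",              {"kRSA", "aRSA", "RC4", "MD5", "MEDIUM", "SSLv3", "RSA"}),
    ("RC4-SHA",              {"kRSA", "aRSA", "RC4", "SHA1", "MEDIUM", "SSLv3", "RSA"}),
    ("IDEA-CBC-SHA",         {"kRSA", "aRSA", "IDEA", "SHA1", "MEDIUM", "SSLv3", "RSA"}),
    ("DES-CBC-SHA",          {"kRSA", "aRSA", "DES", "SHA1", "LOW", "SSLv3", "RSA"}),
    ("DES-CBC3-SHA",         {"kRSA", "aRSA", "3DES", "SHA1", "HIGH", "SSLv3", "RSA"}),
    ("EDH-RSA-DES-CBC3-SHA", {"kEDH", "aRSA", "3DES", "SHA1", "HIGH", "SSLv3", "EDH", "DH"}),
    ("EDH-DSS-DES-CBC3-SHA", {"kEDH", "aDSS", "3DES", "SHA1", "HIGH", "SSLv3", "EDH", "DH", "DSS"}),
    ("ADH-RC4-MD5",          {"kEDH", "aNULL", "RC4", "MD5", "MEDIUM", "SSLv3", "ADH", "DH"}),
    ("ADH-DES-CBC3-SHA",     {"kEDH", "aNULL", "3DES", "SHA1", "HIGH", "SSLv3", "ADH", "DH"}),
    ("EXP-ADH-RC4-MD5",      {"kEDH", "aNULL", "RC4", "MD5", "EXP", "SSLv3", "ADH", "DH"}),
    ("RC2-CBC-MD5",          {"kRSA", "aRSA", "RC2", "MD5", "MEDIUM", "SSLv2", "RSA"}),
]

# Tags the page itself warns about: no authentication, no encryption,
# 40-bit export, low strength, and SSL 2.0 suites.
WEAK_TAGS = ("aNULL", "eNULL", "EXP", "LOW", "SSLv2")


def _matches(entry, tags):
    """'RSA+RC4' combines tags: a suite must carry every one of them."""
    return all(t in tags for t in entry.split("+"))


def resolve_cipher_list(spec, catalog=CATALOG):
    """Return the ordered suite names a cipher list string selects, applying
    the README's modifier rules: no modifier adds matches at the current
    position, '+' moves already-selected matches there, '-' removes them
    (a later entry may add them back), '!' kills them for good."""
    selected, killed = [], set()
    for raw in [e for e in re.split(r"[:, ]+", spec) if e]:
        mod, entry = (raw[0], raw[1:]) if raw[0] in "+-!" else ("", raw)
        if entry == "ALL":
            # OpenSSL's ALL leaves out eNULL suites; they must be named explicitly.
            hits = [n for n, t in catalog if "eNULL" not in t]
        else:
            hits = [n for n, t in catalog if _matches(entry, t)]
        if mod == "":
            selected += [n for n in hits if n not in selected and n not in killed]
        elif mod == "+":
            selected = [n for n in selected if n not in hits] + [n for n in selected if n in hits]
        else:  # '-' and '!' both drop; '!' also blocks re-adding
            if mod == "!":
                killed.update(hits)
            selected = [n for n in selected if n not in hits]
    return selected


def parse_tls_directives(conf_text):
    """Collect 'Directive value' lines; ProFTPD directive names are case-insensitive."""
    found = {}
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower().startswith("tls"):
            found[parts[0].lower()] = parts[1].strip()
    return found


def audit(conf_text, catalog=CATALOG):
    """Findings for TlsRequired and the suites TlsCipherList actually enables."""
    directives = parse_tls_directives(conf_text)
    findings = []
    if directives.get("tlsrequired", "off").lower() != "on":
        findings.append("TlsRequired is not 'on': non-TLS sessions are accepted")
    spec = directives.get("tlscipherlist", "ALL:!EXP")  # the page's default
    tags_of = dict(catalog)
    for name in resolve_cipher_list(spec, catalog):
        weak = [t for t in WEAK_TAGS if t in tags_of[name]]
        if weak:
            findings.append("TlsCipherList enables %s (%s)" % (name, ", ".join(weak)))
    return findings


# Constructed proftpd.conf fragments: the page's defaults and a tightened variant.
DEFAULT_CONF = """\
TlsRequired      off
TlsCertsOk       off
TlsCipherList    ALL:!EXP
TlsRsaCertFile   ftpd-rsa.pem
"""
HARDENED_CONF = """\
TlsRequired      on
TlsCertsOk       off
TlsCipherList    HIGH:MEDIUM:!aNULL:!eNULL:!EXP:!LOW:!SSLv2
TlsRsaCertFile   ftpd-rsa.pem
"""

if __name__ == "__main__":
    for label, conf in (("default", DEFAULT_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or ["no findings"])
    print(resolve_cipher_list("ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"))
```

Run against the page's defaults, audit reports that TlsRequired still admits plaintext sessions and that ALL:!EXP keeps the anonymous (ADH), single-DES (LOW) and SSL 2.0 suites, because "!EXP" only kills the 40-bit export ciphers. Feeding it the README's own example string shows the HIGH suites moved to the front and EXP-RC4-MD5 at the very end, which is what the "+" modifier is for. The difference between "-RC4:RC4" (RC4 comes back) and "!RC4:RC4" (it stays gone) is the one that tends to surprise people, so check it with the real tool as well: openssl ciphers -v with the same string, run on the server, is the authoritative answer for the OpenSSL build ProFTPD is linked against.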