File: README.TLS

package info (click to toggle)
pure-ftpd 1.0.47-3
  • links: PTS
  • area: main
  • in suites: buster
  • size: 3,212 kB
  • sloc: ansic: 29,132; sh: 1,632; makefile: 500; perl: 280
file content (245 lines) | stat: -rw-r--r-- 9,003 bytes parent folder | download | duplicates (2)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245


         ------------------------ TLS SUPPORT ------------------------

Pure-FTPd supports encryption of the control and data channels using
TLS security mechanisms. Support for encrypted commands began with
version 1.0.16, and encryption of the data channel has been
implemented in version 1.0.22.

When this extra security layer is enabled, login and passwords are no more
sent as cleartext. Neither are other commands sent by your client nor replies
made by the server.


         ------------------------ COMPILATION ------------------------

To support TLS, the OpenSSL library must already be installed on your
system. This is a common requirement so your operating system probably
already ships with it.

Pure-FTPd also has to be configured with the --with-tls switch before
compilation :

  ./configure --with-tls ...
  make install-strip

If something goes wrong, try to bring your OpenSSL library up-to-date.


        ------------------------ CERTIFICATES ------------------------

To use TLS, you must provide a file called /etc/ssl/private/pure-ftpd.pem
with a private key for your host and the related certificate.

The location can be changed at compile-time with the --with-certfile option
passed to ./configure.

A certificate is similar to an identity card. You fill a form with a set of
personal info, then you have some trusted third-party bash an official stamp
onto it to confirm its validity.

If you already have a certificate for another service on the same host
(commonly for HTTPS/HTTP2), you can use it as well with Pure-FTPd and other
TLS-enabled services.

If you don't have any certificate, you have to get one. Make a Google search
for "SSL certificates" to find authorities that will provide certificates with
valid "official" signatures.

Once you have a valid and stamped certificate, clients will usually be able
to seamlessly connect to your host.

Both RSA and ECDSA signatures are supported, but not simultaneously.

For testing purposes, a self-signed certificate can be created as follows:

mkdir -p /etc/ssl/private

openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 2048

openssl req -x509 -nodes -newkey rsa:2048 -sha256 -keyout \
  /etc/ssl/private/pure-ftpd.pem \
  -out /etc/ssl/private/pure-ftpd.pem

chmod 600 /etc/ssl/private/*.pem

In this example, 2048 is the number of bits used for the RSA key.

Here's what the /etc/ssl/private/pure-ftpd.pem should look like :

-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDV8A/fexof9ttn
uqpwCxXN3C019v40ByGqlfmg8SbTnkjtyt5FLw3ICoxBbQtQ65aYSAv5KtiGQbuc
BZC+FGbR3rIokvHnbhsdLvIvWym+W+VR6U2P8VnbHWd3iSe0xMeTwGJgP9TC8r+c
KfLX9a8EkTKL2iAVRhXuu/it7/A3T2rEomBRWGpmbE+AT69vP2T5ruQ9D7w21GcG
S6ylqlfhRBy61ct3WI1jVR2W5BOXfE8LxgGuJYt0XY+dTrluqen9li8w5ju+3tlA
9PsIl4ckjmYBZm1E7LqoSYDbIh/8D4kUQFLFm6xf27cUOEg3uYAJo5x3SfYlKsSm
6PKzhzDIKcJ1896XG2AHOdIby9VoL8mZwjuMkmmrl1yro++g4XNnMIaTkajPgFzr
NxQ195lXAgMBAADCggEBAMoqmCVc5Dwuf/mO+T72Cr3FgefMJz4tOxBDt2jyWfmC
S3KC0fZY19IgvZeaHyZx6pavBrmIVqLQfSScUcJ97wgGRR94dSZ48yBp260KnfDo
UFVOfeA3d+1K5RqdvqrhhaPHGm/QAhPTZ2SgUl8fEPqr7eZU4HhAcyPaLCMKFsV/
lbfY2C4Kq54o2m1uHFTertx5niE4Yx6ALqBB66rR4It7lnr7kBhAnIsCYj7ENGrU
6C1PzjpvrqjWqnYjbmzUov7b4S308YGqWKrfkJxTrviVaITI1XznAHlTBDLkuU1l
eSyZ0YP3Gfd82j9fhdugH2nLxLCttcmGNOaA87VlXL/oZaYI5P5xqjyjkCgYEA6x
Fy30dcPM+VKDhnp2QBbHrJC0zr88Hn4qYxIfyoPtjrvTb+vSI703Cd0rc00alGK6
YZZKDV1NYKw8/r2uHRXgbpptYdRKz+GrsgNdORycKXkmWXw+ChIHsl/UghHG60jy
KNPSkOJgPXIseJDn2ZcqlFLkl6sCgYEA6Pr+L1otzG//ROJdBV58yHO0V2KF9VKM
amt5RUWkqRqfOiE0i5T3nmBPPflNB4bdj8qe+DwoPly2SJMihT7KQqvg54V/ZVb+
jXY0fNLEDhJ0PdboB2I/r6SuWBNJyXF8AAewzcDF3PlBr/JGOHF4XGmOLVmiNL/N
+6RPLW5i6QUCgYA0sRq2M9QsGCy61xkTDwf2xbbSQ/6bTCPpZbHIKn98wDzXkOwr
XMqneD7teYiBUi98jhMiMOMmaygEDsU8TpW2vSa0+CaL6zR17Itr/015Wj6SrkDw
G/TvckxGt5MzB7hYRYZYI0bdCOMPpkAxipluRG/SFh+FvuVZTpsKuDHpFQKBgFrA
ThXzmNlx069BYNj2NGL0AI8ueQlIca84tAlLMAMrPQw5gfgeVSBdzWuRV9SX1+1L
EZuT037XuLaIcMHbsT6N/0u69mwFqn6y6gSQUwbhAoGAYa6eN7KUA0Xri5zrABst
S2PP2rrmrnFLohNJ5CAWR7vvk6aKkMd+hEAJTk6s+vc7B3NHR/icIu1CnXWxKhB7
AI0SIL0losHuBfCst8CTpqZ//Jjvi0IbOm+SNI/aqYcrrHrzdkSWYLC6Ll16Ckrg
xeBXhXuiP9wEJSDmg7wb1t0=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDFDCCAfwCCQC/UlBaK8CNnDANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJG
UjEOMAwGA1UEBwwFUGFyaXMxEjAQBgNVBAoMCVB1cmUtRlRQZDEZMBcGA1UEAwwQ
ZnRwLnB1cmVmdHBkLm9yZzAeFw0xNTAyMjExNDE1MTlaFw0xNTAMzjMxNDE1MTla
MEwxCzAJBgNVBAYTAkZSMQ4wDAYDVQQHDAVQYXJpczESMBAGA1UECgwJUHVyZS1G
VFBkMRkwFwYDVQQDDBBmdHAucHVyZWZ0cGQub3JnMIIBIjANBgkqhkiG9w0BAQEF
FEBSxZusX9u3FDhIN7mACaOcd0n2JSrEpujys4cwyCnCdfPelxtgBznSG8vVaC/J
IBCgKCAQEA1fAP33saH/bbZ7qqcAsVzdwtNfb+NAchqpX5oPEmqGSIb3DQEB055I
7creRS8NyAqMQW0LUOuWmEgL+SrYhkG7nAWQvhRm0d6yKJLx524bHS7yL1spvlvl
UelNj/FZ2x1nd4kntMTHk8BiYD/UwvK/nEuspapX4UQcutXLd1iNY1UdluQTl3xP
C8YBriWLdF2PnU65bqnp/ZYvMOY7vt7ZQPT7CJeHJI5mAWZtROy6qEmA2yIf/A+J
mcI7jJJpq5dc6qAAOCAQ8AMIPvoOF3ksmdGD9xn3fNozcUNfeZVwIDAQABMA0GCS
BqUAA4IBAQDT768mdG071/m6V1N4qeM5PVrpa5eB5mulE7JPBOPJADmw6YwYaSWJ
90wE+YuU6DiDbRxHtWiCMwHoCH42fxU7BDVNrc3L614v1kUQGTLlHPyAUs6KZvz0
Rko2y6Dzj+kVaJiWFKi+zWwWnf9P4wLYafv/n5EHKmEt1K83UE0h5r64fhwX9vH7
6NHCMbmSDXgHjnv3rZKOOKN85ZYr2vKX+rTvASh2nxp2bbNM1XpfyuH2vbWL3J+E
mFCaj3/lD880kHnTaTwo3Kg0SQy/Axe2LhX3zj+kSD2A9k6wtGcKttjrt4kNGaFc
BlhkOrwnAhqbm5N3VQCB63CRpuuCVmYz
-----END CERTIFICATE-----

If you need client certificate verification, prefix the list of
ciphers (-J/--tlsciphersuite) with -C:

pure-ftpd --tlsciphersuite=-C:HIGH -Y2 ...

In order to verify client certificates, the clients public keys must
be included in the pure-ftpd.pem file.

If you changed the installation prefix when pure-ftpd was compiled, the
certificate must be in the <prefix sysconf dir>/ssl/private/pure-ftpd.pem file.


   ------------------------ ACCEPTING TLS SESSIONS ------------------------

Once the certificate has been installed, you need to start a TLS-enabled
pure-ftpd daemon with the -Y (or --tls=) switch. Example :

/usr/local/sbin/pure-ftpd --tls=1 &

- With "--tls=0", support for TLS is disabled. This is the default.

- With "--tls=1", clients can connect either the traditional way or through an
TLS layer. This is probably the setting you need if you want to enable
TLS without having too many angry customers.

- With "--tls=2", cleartext sessions are refused and only TLS compatible
clients are accepted.

- With "--tls=3", cleartext sessions are refused and only TLS compatible
clients are accepted. Clear data connections are also refused, so private
data connections are enforced. This is an extreme setting.

When TLS has been successfully negociated for a connection, you'll see
something similar to this in log files :

<<
TLS: Enabled TLSv1.2 with AES256-SHA, 256 secret bits cipher
>>

      ------------------------ COMPATIBLE CLIENTS ------------------------

Pure-FTPd was reported to be fully compatible with the following clients with
the TLS encryption layer turned on :


* Transmit (OSX)
  URL: http://panic.com/transmit/

  TLS works out of the box, both in implicit and explicit modes.
  CCC support has some issues, but Transmit quickly recovers and keeps
working.


* CoreFTP Lite (Windows)
  URL: http://www.coreftp.com/

  TLS perfectly works when "AUTH TLS" is enabled. CoreFTP Lite has some
neat features like IPv6 support, remote file searching, .htaccess editing,
queueing, bandwidth control, etc.

  CoreFTP Lite is free both for personal and business use.


* SmartFTP (Windows)
  URL: http://www.smartftp.com/

  An excellent client with IPv6 support, port range limitation and other
useful features (!= bloat) . And it's free for personal, educational and non-
commercial use. And it detects Pure-FTPd :)

  TLS perfectly works when the "FTP over SSL (explicit)" protocol is
selected and when the data connection mode (Tools->Settings->SSL) is set to
"clear data connection" while the AUTH mode (also in Tools->Settings->SSL) is
set to "TLS".


* IglooFTP Pro (Windows, Linux)
  URL: http://www.iglooftp.com/

  TLS is automatically detected and works when Preferences->Security->
Encrypt is set to "Commands [if possible], Transfers [if possible]".


* FlashFXP (Windows)
  URL: http://www.flashfxp.com/

  TLS works. In the "Quick connect" dialog box, pick the "SSL"
tab and :
 - enable Auth TLS
 - disable Secure File Listing
 - disable Secure File Transfers


* SDI FTP (Windows)
  URL: http://www.sdisw.com/

  TLS works. In the "Connection" tab, just pick "SSL Support: TLSv1".


* LFTP (Unix, MacOS X)
  URL: http://lftp.yar.ru/

  TLS is automatically detected and works out of the box.


* RBrowser (MacOS X)
  URL: http://www.rbrowser.com/

  A cute graphical client for MacOS that was reported to work by Jason Rust
and Robert Vasvari.


* Glub Tech Secure FTP Client (at least Unix, MacOS X and Windows)
  URL: http://secureftp.glub.com/

  TLS is automatically detected and works out of the box.


* Cyberduck (OSX)
  http://cyberduck.ch/

  TLS works out of the box.


* WinSCP (Windows)
  WinSCP should be configured with "File protocol" set to "FTP" with
"TLS Explicit encryption".