
ProFTPD and SSL/TLS (FTPS)

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that protect traffic on the Internet. They are mostly used to secure HTTP (HTTPS) and FTP (FTPS, FTP over SSL/TLS).
Key pairs (a private and a public key) are the main players in public key algorithms and PKI. With OpenSSL the RSA private key file also contains the public key components (the modulus and the public exponent), so the public key does not need to be generated separately; it is derived from the private key whenever it is needed, for example when the CSR is built.

Here is an example of how to use it with ProFTPD (on Solaris).

First generate a private RSA key for the FTP server (key size/length 2048 bits). The key is the server's secret: keep the file owned by root with mode 0600 and never copy it off the host.
{host}/>  openssl genrsa -out my-ftp.privatekey 2048 
Generating RSA private key, 2048 bit long modulus
..............................................................+++
.......................................................+++
e is 65537 (0x10001)

{host}/> file my-ftp.privatekey
my-ftp.privatekey:      ascii text

{host}/> cat !$
cat my-ftp.privatekey
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEArDW1k2O0OOZfrt0KHSof0Mk/qmwtl9BlbNwHGoPmugsIOSGo
... some lines ...
I1bk1L+oYzxU5QNO2jlOtcmG2eD9FQP8WNYHBUKDMK0Dc78Sc58p
-----END RSA PRIVATE KEY-----

Then generate a new Certificate Signing Request (CSR), signed with the private key. The Common Name must be the FQDN that clients use to reach the server; note that current clients match the host name against the subjectAltName extension rather than the CN, so make sure the issued certificate carries the FQDN as a DNS SAN as well (public CAs normally copy the CN into the SAN).
{host}/>  openssl req -new -key my-ftp.privatekey -out  my-ftp.csr 
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) [Unconfigured OpenSSL Installation]:MyCompanyHere
Organizational Unit Name (eg, section) []:UNIXTEAM
Common Name (eg, YOUR name) []:ftp.mycompanyhere.com ========>  must match the FQDN of the server! 
Email Address []:xxx@mycompanyhere.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

{host}/> cat my-ftp.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIC8TCCAdkCAQAwgasxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
... some lines ...
16cND6b9cKvNfc/BGYXCBoLbPAj+Rwv/23AGlTimXMf8/8Agjw==
-----END CERTIFICATE REQUEST-----

Also verify the new CSR (its signature and contents) before sending it anywhere. Note the Signature Algorithm line in the output below: this OpenSSL release signed the request with MD5. The CSR signature only proves possession of the key (the CA signs the certificate with its own algorithm), but many CAs reject MD5-signed requests; current OpenSSL releases default to SHA-256, and on older ones pass -sha256 to openssl req.
{host}/>  openssl req -text -noout -verify -in my-ftp.csr 
verify OK
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=California, L=San Francisco, O=MyCompanyHere, OU=UNIXTEAM, CN=ftp.mycompanyhere.com/emailAddress=xxx@mycompanyhere.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:ac:35:b5:93:63:b4:38:e6:5f:ae:dd:0a:1d:2a:
                    1f:d0:c9:3f:aa:6c:2d:97:d0:65:6c:dc:07:1a:83:
                    e6:ba:0b:08:39:21:a8:bd:c2:e6:b9:06:07:4c:53:
                    33:5c:bf:6a:7d:76:06:4a:2d:0f:ba:28:fe:28:c1:
                    25:77:79:5d:47:1b:bd:48:c9:d4:04:43:5c:d0:4a:
                    42:d4:74:e8:71:80:f3:73:7d:82:14:da:14:e1:1a:
                    ad:e3:fd:c5:c2:c0:e8:4b:0f:a1:5f:84:2f:28:43:
                    1c:f9:89:38:e6:20:b1:bb:c4:b9:4a:47:8a:c1:88:
                    43:41:12:a9:15:f7:70:6c:71:e7:d0:ec:d8:51:87:
                    20:b7:68:64:3a:70:b3:fb:9a:8d:89:66:0d:e3:a0:
                    39:5f:20:46:f1:58:7e:89:26:1f:b4:c0:45:69:0a:
                    67:63:e7:64:ff:c1:1c:f8:dc:46:b3:ad:60:1f:b5:
                    c5:c2:26:aa:5d:c9:cc:83:47:c6:1b:1a:ef:fb:d5:
                    a9:a6:24:ea:36:da:7e:1f:c1:30:c2:89:8b:fc:eb:
                    ae:91:cf:40:75:a9:c0:fa:90:ef:cd:e4:47:24:16:
                    3f:13:8c:f3:e6:25:09:28:02:86:3e:95:82:18:1c:
                    60:56:6b:22:22:10:f5:99:a5:17:1e:05:1f:00:03:
                    40:7f
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: md5WithRSAEncryption
        9d:7e:3a:19:a5:65:28:ab:eb:fa:80:19:73:d8:4e:af:67:79:
        26:7d:9b:44:4f:44:e3:5a:2b:a6:2b:92:69:24:39:a1:74:8e:
        64:c1:a6:26:82:e2:19:aa:d9:2f:c9:68:da:04:df:fe:88:5c:
        4e:2c:c6:f9:83:cc:56:cf:31:b1:78:79:b4:81:70:3f:08:71:
        ad:36:33:d2:d2:df:90:1e:cc:d3:5d:db:da:7d:7b:fb:de:a6:
        71:79:fc:c4:23:37:ab:fc:c6:65:99:3e:d2:ac:76:ea:be:5e:
        13:9e:3a:66:c8:31:58:f2:31:45:08:2a:34:a2:ab:dc:17:96:
        61:d3:90:ab:89:d0:7d:0c:f8:05:38:07:08:7e:9b:dc:9f:ce:
        9c:a2:0e:a3:69:31:f3:2f:9a:c9:bb:4e:4b:6b:04:e3:73:6f:
        40:87:e2:5f:58:1d:ed:1d:44:c4:b0:39:3c:2a:97:0f:4c:e0:
        a9:78:fe:5b:cd:7d:15:d2:cc:11:cd:b4:aa:a4:c1:5b:b4:51:
        f0:b7:19:67:1f:29:5d:e3:03:b7:d8:7a:53:91:36:3e:65:aa:
        cf:17:a0:d7:a7:0d:0f:a6:fd:70:ab:cd:7d:cf:c1:19:85:c2:
        06:82:db:3c:08:fe:47:0b:ff:db:70:06:95:38:a6:5c:c7:fc:
        ff:c0:20:8f
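The key and CSR steps above, as an added example script (not from the original page): it generates the key with owner-only permissions, signs the request with SHA-256, puts the FQDN into a subjectAltName as well as the CN (which goes slightly beyond the interactive session shown, using a small req config file instead of the prompts so it works on any OpenSSL release), and then runs the checks to do before the request goes to the CA: the CSR verifies, it is not MD5- or SHA-1-signed, it carries the expected DNS SAN, and its public key matches the private key. The output directory, the FQDN ftp.example.com, the file names and the DN fields are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: key + CSR generation for an
# FTPS server with the checks to run before the CSR goes to the CA.
# Assumptions: output directory and FQDN come from the command line; the DN
# fields below mirror the page's example and are placeholders.
set -eu

# make_key DIR : 2048-bit RSA key written with mode 0600 (umask 077 in a subshell)
make_key() {
    ( umask 077 && openssl genrsa -out "$1/my-ftp.privatekey" 2048 )
}

# check_key_mode FILE : succeed only if the key is not group- or world-accessible
check_key_mode() {
    f=$1
    set -- $(ls -ld "$f")
    case $1 in
        ????------*) return 0 ;;
        *) echo "$f: private key mode is $1, expected owner-only access" >&2; return 1 ;;
    esac
}

# make_csr DIR FQDN : CSR signed with SHA-256, FQDN as CN and as a DNS SAN.
# A config file replaces the interactive prompts so the subjectAltName
# extension can be requested on any OpenSSL release.
make_csr() {
    dir=$1 fqdn=$2
    cat > "$dir/csr.cnf" <<EOF
[req]
prompt             = no
distinguished_name = dn
req_extensions     = ext
[dn]
C  = US
ST = California
L  = San Francisco
O  = MyCompanyHere
OU = UNIXTEAM
CN = $fqdn
[ext]
subjectAltName = DNS:$fqdn
EOF
    openssl req -new -sha256 -key "$dir/my-ftp.privatekey" \
        -config "$dir/csr.cnf" -out "$dir/my-ftp.csr"
}

# check_csr DIR FQDN : succeed only if the CSR verifies, is not MD5/SHA-1
# signed, carries DNS:FQDN, and its public key matches the private key
check_csr() {
    dir=$1 fqdn=$2
    openssl req -noout -verify -in "$dir/my-ftp.csr" >/dev/null 2>&1 || return 1
    text=$(openssl req -noout -text -in "$dir/my-ftp.csr")
    case $text in *md5WithRSA*|*sha1WithRSA*) return 1 ;; esac
    case $text in *"DNS:$fqdn"*) ;; *) return 1 ;; esac
    # both commands print the SubjectPublicKeyInfo as PEM, so plain comparison works
    csr_pub=$(openssl req -noout -pubkey -in "$dir/my-ftp.csr")
    key_pub=$(openssl pkey -pubout -in "$dir/my-ftp.privatekey")
    [ "$csr_pub" = "$key_pub" ]
}

# Usage (constructed): sh make-csr.sh /opt/csw/etc ftp.example.com
if [ "$#" -eq 2 ]; then
    make_key "$1"
    check_key_mode "$1/my-ftp.privatekey"
    make_csr "$1" "$2"
    check_csr "$1" "$2" && echo "$1/my-ftp.csr is ready to send to the CA"
fi
```

The public key comparison is the check that catches the classic mistake of generating a fresh key after the CSR was sent: a certificate issued for that CSR would not match the key installed in proftpd.conf.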

Now send only the CSR (and probably a payment) to a Certificate Authority (CA), an entity that issues digital certificates. Never send the private key; the CA does not need it.
The CA verifies your information, adds its own fields (serial number, validity period, extensions) and signs your certificate with its private key, then returns it to you.

Your certificate is a text file (say my-ftp.crt) with lines like:
-----BEGIN CERTIFICATE-----
MIIGnzCCBYegAwIBAgIQdbAkt9gKbn49Ttt62rr/sjANBgkqhkiG9w0BAQUFADCB
vjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
... some lines ...
Z6JNJ2dEHahl3SEIlX94QprxefE76v442yyrS5jxZAPFQdtOY+NkOil3FL9VL/S/
HKvDIYqhYoP9xHM6jPcE5MhWPg==
-----END CERTIFICATE-----

Finally, TLS/SSL support has to be enabled in the ProFTPD configuration file (proftpd.conf). Here is an example:
<IfModule mod_tls.c>
    TLSEngine on
    TLSLog /var/log/proftpd/tls.log
    
    # what protocol to support
    # SSLv23 negotiates the highest version both sides support, but it also
    # accepts SSLv3 (and SSLv2 on old builds); on a current mod_tls list the
    # versions explicitly, e.g. TLSv1.2 TLSv1.3
    TLSProtocol SSLv23
    
    # Are clients required to use FTP over TLS when talking to this server?
    # "off" still lets clients log in over plain FTP, sending the password in
    # clear; set it to "on" to require TLS on control and data connections.
    TLSRequired off

    # server's certificate and private key (the key file must be readable
    # by root only)
    TLSRSACertificateFile    /opt/csw/etc/my-ftp.crt
    TLSRSACertificateKeyFile /opt/csw/etc/my-ftp.privatekey

    # Intermediate CA certificates that clients need to build the chain.
    # The TLSCertificateChainFile directive sets the optional all-in-one file
    # where you can assemble the certificates of the CAs which form the certificate
    # chain of the server certificate. This starts with the issuing CA certificate of
    # the server certificate and can range up to the root CA certificate. (It is
    # not the list of CAs the server trusts for client certificates; that is
    # TLSCACertificateFile.)
    TLSCertificateChainFile   /opt/csw/etc/chain.crt

    # Authenticate clients that want to use FTP over TLS?
    TLSVerifyClient off

    # Allow SSL/TLS renegotiations when the client requests them, but
    # do not force the renegotiations.  Some clients do not support
    # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
    # clients will close the data connection, or there will be a timeout
    # on an idle data connection.
    TLSRenegotiate required off
</IfModule>
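As an added example (not part of the page or of ProFTPD), a script to run on the server after the files above are installed: it checks that the certificate and the private key belong together, that the certificate verifies against the chain file, and that proftpd.conf does not keep the two settings from the example above that a reviewer would flag today (TLSProtocol allowing anything below TLS 1.2, and TLSRequired off), plus a missing chain file. The file names and the proftpd.conf layout (one directive per line) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page or from ProFTPD: post-install
# checks for the certificate, key, chain file and mod_tls settings.
# Assumptions: file names as on the page; one directive per line in proftpd.conf.
set -eu

# check_pair CERT KEY : succeed only if the certificate's public key is the
# public half of KEY (both printed as SubjectPublicKeyInfo PEM and compared)
check_pair() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1")
    key_pub=$(openssl pkey -pubout -in "$2")
    [ "$cert_pub" = "$key_pub" ]
}

# check_chain CHAIN CERT : succeed only if CERT verifies using the certificates
# in CHAIN as trust anchors, i.e. the chain file covers the issuer path
# (this deliberately does not consult the system trust store)
check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# conf_value CONF DIRECTIVE : value of the first uncommented DIRECTIVE line
conf_value() {
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# lint_tls_conf CONF : print each weak mod_tls setting found; return their count
lint_tls_conf() {
    conf=$1 n=0
    proto=$(conf_value "$conf" TLSProtocol)
    case " $proto " in
        "  ")
            echo "TLSProtocol not set: the default depends on the mod_tls version"; n=$((n+1)) ;;
        *SSLv2*|*SSLv3*|*" TLSv1 "*|*TLSv1.0*|*TLSv1.1*)
            echo "TLSProtocol $proto: allows versions below TLS 1.2"; n=$((n+1)) ;;
    esac
    case "$(conf_value "$conf" TLSRequired)" in
        ""|off)
            echo "TLSRequired off: plaintext FTP logins are still accepted"; n=$((n+1)) ;;
    esac
    if [ -z "$(conf_value "$conf" TLSCertificateChainFile)" ]; then
        echo "TLSCertificateChainFile not set: clients cannot build the chain"; n=$((n+1))
    fi
    return $n
}

# Usage (constructed): sh check-ftps.sh proftpd.conf my-ftp.crt my-ftp.privatekey chain.crt
if [ "$#" -eq 4 ]; then
    lint_tls_conf "$1" || echo "$? weak setting(s) in $1"
    if check_pair "$2" "$3"; then echo "certificate and key match"; else echo "certificate and key do NOT match"; fi
    if check_chain "$4" "$2"; then echo "chain verifies"; else echo "chain does NOT verify"; fi
fi
```

A final check that no script replaces: connect from a client host with openssl s_client -starttls ftp -connect ftp.mycompanyhere.com:21 and confirm that the negotiated protocol is TLS 1.2 or newer and that the presented chain verifies without the "unable to get local issuer certificate" error.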
