Home » Blogs » sandip's blog

lftp with TLS/SSL

Tue, 07/24/2007 - 22:52 — sandip

lftp ftp client support tls/ssl so why not use a secure connection for ftp.

$ lftp
lftp :~> set ftp:ssl-force true
lftp :~> connect ftp.domain.tld
lftp ftp.domain.tld:~> login <username>

Insist on your host to serve up ftp with tls/ssl support so all data is secured.

If using proftpd server, tls/ssl can be configured via "/etc/proftpd.conf":

<IfModule mod_tls.c>
    TLSEngine on
    TLSLog /var/log/proftpd/tls.log
    TLSProtocol TLSv1

    # Are clients required to use FTP over TLS when talking to this server?
    TLSRequired off

    # Server's certificate
    TLSRSACertificateFile /etc/pki/tls/proftpd/server.cert.pem
    TLSRSACertificateKeyFile /etc/pki/tls/proftpd/server.key.pem

    # CA the server trusts
    #TLSCACertificateFile /etc/pki/tls/proftpd/root.cert.pem

    # Authenticate clients that want to use FTP over TLS?
    TLSVerifyClient off

    # Allow SSL/TLS renegotiations when the client requests them, but
    # do not force the renegotations.  Some clients do not support
    # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
    # clients will close the data connection, or there will be a timeout
    # on an idle data connection.
    TLSRenegotiate required off

</IfModule>

The certificate can be generated to be used on the ftp server via:

# cd /etc/pki/tls/proftpd/
# openssl req -new -x509 -days 3650 -nodes -out server.cert.pem -keyout server.key.pem

Reference:

Bookmark/Search this post with
  • del.icio.us
  • Digg
  • Facebook
  • identi.ca
  • LinkedIn
  • SlashDot
  • StumbleUpon
  • Technorati
  • Twitter

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
Tue, 06/02/2009 - 11:58 — Anonymous certificate verification

If using self-signed certificate. Connect using no verification:

lftp :~> set ssl:verify-certificate no

Fri, 06/27/2008 - 23:52 — sandip epel fedora package with proftpd tls/ssl support

The proftpd package provided by EPEL comes with tls/ssl support.

Easy package install via yum:

# rpm -ivh http://download.fedora.redhat.com/pub/epel/4/i386/epel-release-4-9.noarch.rpm
# yum install proftpd

To find out if tls is supported:

$ proftpd -V | grep tls

Example of virtual host proftpd config:

<VirtualHost xx.xx.xx.xx>
  DefaultRoot   &nbsp;    &nbsp;    ~
  AllowOverwrite  &nbsp;    &nbsp;  on
  Umask    &nbsp;    &nbsp;    &nbsp;    022
  PassivePorts            50000 50020
  <IfModule mod_tls.c>
    TLSEngine   &nbsp;    &nbsp;    &nbsp;    &nbsp;    on
    TLSRSACertificateFile &nbsp;    &nbsp;    /usr/share/ssl/proftpd/server.cert.pem
    TLSRSACertificateKeyFile        /usr/share/ssl/proftpd/server.key.pem
    TLSVerifyClient  &nbsp;    &nbsp;    &nbsp;    off
    TLSRenegotiate  &nbsp;    &nbsp;    &nbsp;     required off
    TLSLog                          /var/log/proftpd/tls.log
  </IfModule>
</VirtualHost>

Note: If running on virtual servers with APF, and ipt_recent kernel module is not loaded, specify the passive ports and make sure incoming connections to those ports are open.

On an OpenVZ/Virtuozzo container check in the file /proc/net/ip_tables_matches, if "recent, state and multiport" is listed then it should be fine.

Comment