lftp with TLS/SSL

lftp ftp client support tls/ssl so why not use a secure connection for ftp.

$ lftp
lftp :~> set ftp:ssl-force true
lftp :~> connect ftp.domain.tld
lftp ftp.domain.tld:~> login <username>

Insist on your host to serve up ftp with tls/ssl support so all data is secured.

If using proftpd server, tls/ssl can be configured via "/etc/proftpd.conf":

<IfModule mod_tls.c>
    TLSEngine on
    TLSLog /var/log/proftpd/tls.log
    TLSProtocol TLSv1

    # Are clients required to use FTP over TLS when talking to this server?
    TLSRequired off

    # Server's certificate
    TLSRSACertificateFile /etc/pki/tls/proftpd/server.cert.pem
    TLSRSACertificateKeyFile /etc/pki/tls/proftpd/server.key.pem

    # CA the server trusts
    #TLSCACertificateFile /etc/pki/tls/proftpd/root.cert.pem

    # Authenticate clients that want to use FTP over TLS?
    TLSVerifyClient off

    # Allow SSL/TLS renegotiations when the client requests them, but
    # do not force the renegotations.  Some clients do not support
    # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
    # clients will close the data connection, or there will be a timeout
    # on an idle data connection.
    TLSRenegotiate required off


The certificate can be generated to be used on the ftp server via:

# cd /etc/pki/tls/proftpd/
# openssl req -new -x509 -days 3650 -nodes -out server.cert.pem -keyout server.key.pem


Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

certificate verification

If using self-signed certificate. Connect using no verification:

lftp :~> set ssl:verify-certificate no

epel fedora package with proftpd tls/ssl support

The proftpd package provided by EPEL comes with tls/ssl support.

Easy package install via yum:

# rpm -ivh http://download.fedora.redhat.com/pub/epel/4/i386/epel-release-4-9.noarch.rpm
# yum install proftpd

To find out if tls is supported:

$ proftpd -V | grep tls

Example of virtual host proftpd config:

<VirtualHost xx.xx.xx.xx>
  DefaultRoot             ~
  AllowOverwrite          on
  Umask                   022
  PassivePorts            50000 50020
  <IfModule mod_tls.c>
    TLSEngine                       on
    TLSRSACertificateFile           /usr/share/ssl/proftpd/server.cert.pem
    TLSRSACertificateKeyFile        /usr/share/ssl/proftpd/server.key.pem
    TLSVerifyClient                 off
    TLSRenegotiate                  required off
    TLSLog                          /var/log/proftpd/tls.log

Note: If running on virtual servers with APF, and ipt_recent kernel module is not loaded, specify the passive ports and make sure incoming connections to those ports are open.

On an OpenVZ/Virtuozzo container check in the file /proc/net/ip_tables_matches, if "recent, state and multiport" is listed then it should be fine.