Configuring FTPS in ProFTPd

Here is an example of configuring FTPS in ProFTPd and prohibiting plain connections without encryption.

Let’s say ProFTPd is installed, for example, as I described in the article:
Installing and Configuring ProFTPd in Ubuntu

The certificate can be obtained free of charge from Let’s Encrypt, for example, as I described in the article:
Installing Certbot in Ubuntu

Or we can generate it manually, for example (the proftpd.key file must be readable only by the root user):

sudo openssl req -x509 -newkey rsa:2048 -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt -nodes -days 3650

Then open the standard configuration file:

sudo nano /etc/proftpd/tls.conf

In this file, we will specify the parameters:

<IfModule mod_tls.c>
TLSEngine       on
TLSLog          /var/log/proftpd/tls.log
# SSLv23 would also allow the obsolete SSLv3 and TLSv1 protocols
TLSProtocol     TLSv1.2
TLSRequired     yes
TLSRSACertificateFile    /etc/letsencrypt/live/ixnfo.com/cert.pem
TLSRSACertificateKeyFile /etc/letsencrypt/live/ixnfo.com/privkey.pem
TLSCACertificateFile     /etc/letsencrypt/live/ixnfo.com/chain.pem
</IfModule>

If the certificate was generated manually, then we specify it like this:

TLSRSACertificateFile /etc/ssl/certs/proftpd.crt
TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key

Let’s open the main ProFTPd configuration file:

sudo nano /etc/proftpd/proftpd.conf

Let’s uncomment or specify the line that includes the tls.conf file:

Include /etc/proftpd/tls.conf

Let’s check the correctness of the configuration and restart ProFTPd to apply the changes:

sudo proftpd --configtest
sudo service proftpd restart

Now you can connect to the FTP server using an encrypted connection.
TLSRequired yes – Denies connections without encryption.
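
As an added example (not from the original article or the ProFTPd project), the shell function below lints a tls.conf for the settings this page relies on: TLSEngine, TLSRequired, TLSProtocol and the private key's permissions. The name audit_tls_conf and the sample configs are constructed for illustration, and only the plain list form of TLSProtocol is handled.

```shell
#!/bin/sh
# Added example: lint a mod_tls config for the directives used on this page.
# audit_tls_conf is a hypothetical helper, not a ProFTPd tool.
audit_tls_conf() {
    conf=$1
    findings=$(
        awk '
            function truthy(v) { v = tolower(v); return v == "on" || v == "yes" || v == "true" || v == "1" }
            NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
            { d = tolower($1) }                     # normalise the directive name
            d == "tlsengine"   { engine = $2 }
            d == "tlsrequired" { required = $2 }
            d == "tlsprotocol" {
                proto = 1
                for (i = 2; i <= NF; i++) {
                    p = tolower($i); sub(/^\+/, "", p)
                    if (p == "sslv23" || p == "sslv3" || p == "tlsv1" || p == "tlsv1.1")
                        print "WEAK: TLSProtocol allows " $i
                }
            }
            END {
                if (!truthy(engine))   print "FAIL: TLSEngine is not on"
                if (!truthy(required)) print "FAIL: TLSRequired does not force TLS on control and data channels"
                if (!proto)            print "WARN: TLSProtocol not set, the build default applies"
            }' "$conf"
        # The private key must not be accessible by group or other.
        key=$(awk 'tolower($1) == "tlsrsacertificatekeyfile" { k = $2 } END { print k }' "$conf")
        if [ -n "$key" ] && [ -e "$key" ]; then
            perms=$(ls -ld "$key" | cut -c5-10)
            [ "$perms" = "------" ] || echo "FAIL: $key is accessible by group/other"
        fi
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample input: a weak config and a hardened one in a temp dir.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
: > "$demo/key.pem"; chmod 644 "$demo/key.pem"
printf '%s\n' 'TLSEngine on' 'TLSProtocol SSLv23' 'TLSRequired ctrl' \
    "TLSRSACertificateKeyFile $demo/key.pem" > "$demo/weak.conf"
printf '%s\n' 'TLSEngine on' 'TLSProtocol TLSv1.2' 'TLSRequired yes' \
    "TLSRSACertificateKeyFile $demo/key.pem" > "$demo/good.conf"
audit_tls_conf "$demo/weak.conf" || true   # prints three findings
chmod 600 "$demo/key.pem"
audit_tls_conf "$demo/good.conf" && echo "good.conf: no findings"
```

On a real server, call it as audit_tls_conf /etc/proftpd/tls.conf with sudo so the key file under /etc/ssl/private can be inspected.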

See also my article:
Client did not reuse SSL session from control channel, rejecting data connection
