ProFtpd mod_sftp and letsencrypt certificates

Hi friends,
I am activating the proftpd service with an encrypted connection.

To do so, I’ve created the file /etc/proftpd/conf.d/sftp.conf:

  <IfModule mod_dso.c>
    # If mod_tls was built as a shared/DSO module, load it
    LoadModule mod_tls.c
  </IfModule>

  <IfModule mod_tls.c>
    TLSEngine on
    Port 2222
    TLSLog /var/log/proftpd/sftp.log

    # Support both SSLv3 and TLSv1
    TLSProtocol SSLv3 TLSv1

    # Use the Let's Encrypt certificate, private key and intermediate chain
    # for this host (mod_tls sends the chain file to clients alongside cert.pem)
    TLSRSACertificateFile      /etc/letsencrypt/live/server.sio4.org/cert.pem
    TLSRSACertificateKeyFile   /etc/letsencrypt/live/server.sio4.org/privkey.pem
    TLSCACertificateFile       /etc/letsencrypt/live/server.sio4.org/chain.pem

    # Authenticate clients that want to use FTP over TLS?
    TLSVerifyClient off

    # Allow SSL/TLS renegotiations when the client requests them, but
    # do not force the renegotiations.  Some clients do not support
    # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
    # clients will close the data connection, or there will be a timeout
    # on an idle data connection.
    TLSRenegotiate none
  </IfModule>

  <IfModule mod_sftp.c>
    # SFTPCompression is a mod_sftp directive, not a mod_tls one, so it is
    # only valid when mod_sftp is loaded
    SFTPCompression delayed
  </IfModule>

Following these guidelines: http://www.proftpd.org/docs/howto/TLS.html

Now if I try to connect to server.sio4.org with a username and password from (for example) the FTP client FileZilla, it asks me to recognize two certificates:

Where am I wrong?

Many thanks!

This ticket makes me think that FileZilla simply doesn’t have the concept of trusted root certificates. In other words, manually comparing the certificate fingerprint with one you have received out of band is the canonical way of using TLS in FileZilla.

(If you can make SFTP work for your use-case, I’d personally go with that.)


Filezilla client is kinda strange on certificates because it does not validate them itself. It relies on the user to validate them manually. Given the history of the client shipping with adware/malware and the fact that it doesn’t bother validating certificates, I’d advise against using that software.

I tested using a different client (Transmit on macOS) and had no problems or warnings connecting. I also tried connecting using Cyberduck and WinSCP (both on Windows 10) and additionally had no issues with the certs. Obviously, I couldn’t log in because I don’t have an account, but the encryption comes before that step.
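As an added example (not from this thread, and not ProFTPD or FileZilla code), here is what the difference between the two kinds of client looks like in Python's ftplib: a connection that validates the Let's Encrypt chain and hostname against the OS trust store, next to the manual out-of-band fingerprint comparison that a non-validating client leaves to the user. The host and port are the ones in the post; the credentials, the expected fingerprint and the constructed certificate bytes are assumptions.

```python
import ftplib
import hashlib
import hmac
import ssl

HOST = "server.sio4.org"   # host and port as given in the post
PORT = 2222


def verifying_context() -> ssl.SSLContext:
    """Chain validation against the OS trust store (which carries the Let's
    Encrypt roots) plus hostname checking; no manual fingerprint step."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def context_is_verifying(ctx: ssl.SSLContext) -> bool:
    """True when ctx would reject an untrusted chain or a wrong hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)

def connect_ftps(user: str, password: str, host: str = HOST, port: int = PORT) -> ftplib.FTP_TLS:
    """Explicit FTPS as mod_tls serves it: TCP connect, AUTH TLS, login, PROT P."""
    ftps = ftplib.FTP_TLS(context=verifying_context())
    ftps.connect(host, port, timeout=15)
    ftps.auth()    # AUTH TLS; raises ssl.SSLCertVerificationError if chain or hostname fails
    ftps.login(user, password)
    ftps.prot_p()  # encrypt the data connection as well
    return ftps

def sha256_fingerprint(der_cert: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, the form clients display."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fingerprint_matches(der_cert: bytes, expected: str) -> bool:
    """The out-of-band check a non-validating client leaves to the user: compare
    the presented certificate with a fingerprint obtained elsewhere (for example
    computed from the server's own cert.pem). Case and colons are ignored."""
    seen = sha256_fingerprint(der_cert).replace(":", "").lower()
    want = expected.replace(":", "").replace(" ", "").lower()
    return hmac.compare_digest(seen, want)

def presented_fingerprint(ftps: ftplib.FTP_TLS) -> str:
    """Fingerprint of the leaf certificate on an open control connection."""
    return sha256_fingerprint(ftps.sock.getpeercert(binary_form=True))
```

With the verifying context, a chain the OS does not trust or a certificate for another name fails at the AUTH TLS step before any password is sent; the fingerprint helpers are only needed for a client that skips that validation.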

..GASP!

Interesting, now at this point my question changes:
could you suggest a valid FTP client for the Linux desktop?

Thanks guys!

I'm partial to LFTP, but that's command-line only. It's very powerful, though.

For GUI, gFTP works great despite its age. Both Konqueror (KDE) and Nautilus (GNOME) should work fine as well. Alternately, FireFTP, a plugin for Firefox that embeds a full GUI FTP client, should be quite fine.

