FTP over TLS / SSL for a specific domain/user ?
thibotus01
Junior Member
Posts: 47
Joined: Feb 2009
Reputation: 0
Post: #1
FTP over TLS / SSL for a specific domain/user ?
Hi,

I use FTP over TLS; I added these lines to /etc/proftpd/ispcp/domain-toto.com.conf:

Code:
#
# SSL via TLS
#
<IfModule mod_tls.c>
   TLSEngine                   on                                # on for use of TLS
   TLSLog                      /var/log/proftpd/ftp_ssl.log      # where to log to
   TLSProtocol                 SSLv23                            # SSLv23 or TLSv1
   TLSOptions                  NoCertRequest                     # whether to request the client certificate or not
   TLSRSACertificateFile       /etc/ssl/certs/myserver.com.crt   # SSL certfile
   TLSRSACertificateKeyFile    /etc/ssl/certs/myserver.com.key   # SSL keyfile
   TLSVerifyClient             off                               # client verification
   TLSRequired                 on
</IfModule>

But it seems to be activated for all the domains I have. I just want to use FTP over TLS for a specific domain (or a specific login). How could this be possible?
(This post was last modified: 08-02-2009 08:25 PM by thibotus01.)
08-02-2009 07:57 PM
BeNe
Moderator
Posts: 5,899
Joined: Jan 2007
Reputation: 68
Post: #2
RE: FTP over TLS / SSL for a specific domain/user ?
As you said, it's only possible for the whole ProFTPD server and all your domains.
I created a key like yourhoster.tld, and everybody can use TLS or not.

Greez BeNe
08-03-2009 06:34 PM
thibotus01
Junior Member
Post: #3
RE: FTP over TLS / SSL for a specific domain/user ?
OK, so it's due to the TLS/SSL or ProFTPD engine that we can't force using SSL for a specific login/domain?
08-03-2009 06:36 PM
kilburn
Development Team
Posts: 2,182
Joined: Feb 2007
Reputation: 34
Post: #4
RE: FTP over TLS / SSL for a specific domain/user ?
SSL negotiation happens before any login-related step (it would be really silly to enable SSL after having sent the password as plain text), so at that stage the server cannot know which username/domain it will be. As a result, it's impossible to set TLS only for one login or domain.
08-04-2009 06:59 AM
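The ordering kilburn describes, as an added example that is not part of the thread and not ProFTPD code: a toy server-side state machine for the FTP control channel (explicit TLS via AUTH TLS). It shows that the server commits to TLS when it sees AUTH TLS, at which point no USER command has arrived, so a server-wide setting like TLSRequired is the only kind of setting possible. The client command sequences are constructed; the reply strings follow mod_tls wording as far as I know it, and their exact text is an assumption.

```python
"""Explicit-TLS (AUTH TLS) control-channel ordering, modelled in Python.

Added example, not code from the thread or from ProFTPD. The session only
learns the username from USER, and with TLSRequired on it refuses USER until
AUTH TLS has been accepted, so the TLS decision is always taken with no
username in hand.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ControlSession:
    # Models a server-wide `TLSRequired on`; there is no per-user variant,
    # because the check runs before the user is known.
    tls_required: bool
    secured: bool = False                         # True once AUTH TLS was accepted
    user: Optional[str] = None                    # set by USER, i.e. after the TLS decision
    tls_decided: bool = False                     # did AUTH TLS happen at all?
    tls_decided_with_user: Optional[str] = None   # what the server knew at AUTH time
    transcript: List[Tuple[str, str]] = field(default_factory=list)

    def handle(self, line: str) -> str:
        """Process one client command and return the server reply."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "AUTH":
            if arg.upper() in ("TLS", "SSL") and not self.secured:
                # The only point where TLS is decided. Record what the server
                # knows about the user here: nothing.
                self.tls_decided = True
                self.tls_decided_with_user = self.user
                self.secured = True
                reply = "234 AUTH TLS successful"   # assumed mod_tls wording
            else:
                reply = "504 AUTH %s unsupported" % arg
        elif verb == "USER":
            if self.tls_required and not self.secured:
                reply = "550 SSL/TLS required on the control channel"
            else:
                self.user = arg
                reply = "331 Password required for %s" % arg
        elif verb == "PASS":
            if self.user is None:
                reply = "503 Login with USER first"
            else:
                reply = "230 User %s logged in" % self.user
        else:
            reply = "500 %s not understood" % verb
        self.transcript.append((line.strip(), reply))
        return reply


def run(tls_required: bool, commands: List[str]) -> ControlSession:
    """Feed a constructed client command sequence to a fresh session."""
    session = ControlSession(tls_required=tls_required)
    for command in commands:
        session.handle(command)
    return session


if __name__ == "__main__":
    # Constructed exchanges: a client that tries to log in first, and one that
    # does AUTH TLS first, both against a server with TLSRequired on.
    scenarios = (
        ("USER before AUTH TLS", ["USER alice", "AUTH TLS", "USER alice", "PASS s3cret"]),
        ("AUTH TLS first", ["AUTH TLS", "USER alice", "PASS s3cret"]),
    )
    for label, cmds in scenarios:
        session = run(True, cmds)
        print("--", label)
        for sent, reply in session.transcript:
            print("C> %s\nS> %s" % (sent, reply))
        print("user known when TLS was decided:", session.tls_decided_with_user)
```

In both scenarios `tls_decided_with_user` ends up `None`: whether the client sends USER first (rejected with 550) or AUTH TLS first, the server has no username when it makes the TLS decision, which is why a per-domain or per-login TLS switch cannot exist at this layer.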
thibotus01
Junior Member
Post: #5
RE: FTP over TLS / SSL for a specific domain/user ?
Yeah, you're right :)
08-04-2009 07:01 AM
thibotus01
Junior Member
Post: #6
RE: FTP over TLS / SSL for a specific domain/user ?
Hum, I'm experiencing a weird problem.
I tried to download a big file (7 GB) with FTP over TLS/SSL, and after 1.16 GB transferred I got an error and the transfer was cancelled. I tried with different files; it's always after around 1 GB.

But via plain FTP, with no SSL connection, it works fine.

My client is Transmit on Mac OS X, and the error message is "socket read error". The full log:

Cmd: RETR lhoal-haabis.iso
150: Opening BINARY mode data connection for lhoal-haabis.iso (7043174707 bytes)

BEFORE
**..... downloading.... **
AFTER

Remote read failed: Unknown error: 0.
426: Transfer aborted. Operation not permitted
Solved :) :)


Question: My FTPS client sometimes times out after uploading/downloading more than 1 GB of data. When I turn off SSL/TLS, the upload/download works. Why?
Answer: The culprit behind this is most likely SSL/TLS renegotiations. By default, mod_tls uses SSL/TLS renegotiations to periodically update the session key which protects the data being transferred; see the TLSRenegotiate documentation for more details, particularly the time-based and bytes-based limits at which renegotiations are forced.

Some FTPS clients, however, do not support server-initiated SSL/TLS renegotiations. When the server does try to force a renegotiation, the client fails that new handshake, cannot upload/download any more data over the protected channel, and the transfer will eventually time out. Alternatively, the transfer could terminate strangely in the middle of the upload/download. Note, however, that not all transfer issues will be caused by SSL/TLS renegotiations. Bugs in firewalls and routers can also cause these symptoms.

Should you suspect that you are having issues with your FTPS client because of SSL/TLS renegotiations, you can configure mod_tls to accept renegotiations if the client requests one, but not to otherwise force them:

TLSRenegotiate required off


http://proftpd.online-mirror.de/docs/howto/TLS.html
(This post was last modified: 08-06-2009 05:31 PM by thibotus01.)
08-06-2009 05:27 PM
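The transfer that died after about 1.16 GB in the post above is the symptom the quoted FAQ attributes to a bytes-based renegotiation point. As an added example (not part of the thread and not ProFTPD code), the script below parses the `<IfModule mod_tls.c>` block of a proftpd configuration, trailing `#` comments included, reports whether renegotiation will be server-forced (no `TLSRenegotiate required off`) and whether `TLSProtocol SSLv23` still admits SSL versions older than TLSv1, and writes out a copy with the FAQ's `TLSRenegotiate required off` added. `POSTED_CONFIG` is the block posted at the top of this thread, reused as sample input; the list of `TLSRequired` values that protect the login is an assumption.

```python
"""Lint a ProFTPD mod_tls block for server-forced renegotiation.

Added example, not code from the thread or from ProFTPD. It handles the
directive syntax used in the thread (one directive per line, '#' comments,
case-insensitive names) and nothing more.
"""
import re
from typing import Dict, List, Tuple

Directive = Tuple[str, List[str]]

# Sample input: the configuration posted in this thread, plus one unrelated
# directive outside the block to show that it is ignored.
POSTED_CONFIG = """\
ServerName "domain-toto.com"
#
# SSL via TLS
#
<IfModule mod_tls.c>
   TLSEngine                   on                                # on for use of TLS
   TLSLog                      /var/log/proftpd/ftp_ssl.log      # where to log to
   TLSProtocol                 SSLv23                            # SSLv23 or TLSv1
   TLSOptions                  NoCertRequest                     # whether to request the client certificate or not
   TLSRSACertificateFile       /etc/ssl/certs/myserver.com.crt   # SSL certfile
   TLSRSACertificateKeyFile    /etc/ssl/certs/myserver.com.key   # SSL keyfile
   TLSVerifyClient             off                               # client verification
   TLSRequired                 on
</IfModule>
"""

BLOCK_START = re.compile(r"<IfModule\s+mod_tls\.c>$", re.IGNORECASE)


def parse_mod_tls_block(text: str) -> List[Directive]:
    """Return (name, args) for each directive inside <IfModule mod_tls.c>."""
    directives: List[Directive] = []
    inside = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not line:
            continue
        if BLOCK_START.match(line):
            inside = True
            continue
        if line.lower() == "</ifmodule>":
            inside = False
            continue
        if inside:
            name, *args = line.split()
            directives.append((name, args))
    return directives


def renegotiate_params(directives: List[Directive]) -> Dict[str, str]:
    """TLSRenegotiate takes 'key value' pairs (ctrl, data, timeout, required)."""
    params: Dict[str, str] = {}
    for name, args in directives:
        if name.lower() == "tlsrenegotiate":
            lowered = [a.lower() for a in args]
            params.update(zip(lowered[0::2], lowered[1::2]))
    return params


def lint(text: str) -> List[str]:
    """Findings for the settings this thread is about; an empty list means none."""
    directives = parse_mod_tls_block(text)
    by_name = {name.lower(): args for name, args in directives}
    findings: List[str] = []
    if [a.lower() for a in by_name.get("tlsengine", [])] != ["on"]:
        return ["mod_tls is not enabled in this block"]
    if renegotiate_params(directives).get("required") != "off":
        findings.append("renegotiation: server will force SSL/TLS renegotiations "
                        "(no 'TLSRenegotiate required off'); clients that reject "
                        "server-initiated renegotiation fail mid-transfer")
    protocols = [p.lower() for p in by_name.get("tlsprotocol", [])]
    if any(p in ("sslv23", "sslv2", "sslv3") for p in protocols):
        findings.append("protocol: TLSProtocol %s permits SSL versions older than TLSv1"
                        % " ".join(by_name["tlsprotocol"]))
    # Assumption: these TLSRequired values are the ones that protect USER/PASS.
    required = " ".join(by_name.get("tlsrequired", ["off"])).lower()
    if required not in ("on", "ctrl", "auth", "auth+data", "ctrl+data"):
        findings.append("login: TLSRequired %s leaves clear-text logins possible" % required)
    return findings


def with_client_only_renegotiation(text: str) -> str:
    """Copy of the config whose mod_tls block carries 'required off' on TLSRenegotiate.

    An existing TLSRenegotiate line keeps its other parameters (ctrl, data,
    timeout); if there is none, one is inserted before </IfModule>.
    """
    out: List[str] = []
    inside = replaced = False
    for raw in text.splitlines():
        stripped = raw.split("#", 1)[0].strip()
        if BLOCK_START.match(stripped):
            inside = True
        elif inside and stripped.lower().startswith("tlsrenegotiate"):
            args = stripped.split()[1:]
            kept = [a for i, a in enumerate(args)
                    if a.lower() != "required"
                    and not (i > 0 and args[i - 1].lower() == "required")]
            out.append("   TLSRenegotiate " + " ".join(kept + ["required", "off"]))
            replaced = True
            continue
        elif inside and stripped.lower() == "</ifmodule>":
            if not replaced:
                out.append("   TLSRenegotiate required off")
                replaced = True
            inside = False
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in lint(POSTED_CONFIG):
        print("posted config:", finding)
    fixed = with_client_only_renegotiation(POSTED_CONFIG)
    for finding in lint(fixed):
        print("after fix:", finding)
```

On the posted block the linter reports two things: forced renegotiation (the cause the FAQ names for the 1 GB failure) and the SSLv23 protocol setting. After `with_client_only_renegotiation` only the protocol finding remains; the renegotiation change is the one the thread ends with, the protocol setting is a separate decision the thread does not address.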