Enable TLS/SSL encryption (FTPS) on Ubuntu
Here goes: Short, sweet, and to the point.
- Log in as root (otherwise prefix every command with "sudo")
- Paste these commands in a terminal:
- apt-get install build-essential
- apt-get install libssl-dev
- mkdir /etc/ftpcert
- cd /etc/ftpcert
- openssl genrsa -des3 -out server.key 1024
- openssl req -new -key server.key -out server.csr
- openssl genrsa -des3 -out ca.key 1024
- openssl req -new -x509 -days 365 -key ca.key -out ca.crt
- wget http://frodubuntu.free.fr/ubuntu/sign.sh
- chmod +x sign.sh
- ./sign.sh server.csr
- Then add this section to your proftpd.conf file:

<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/ftpd/tls.log
TLSProtocol TLSv1
# Are clients required to use FTP over TLS when talking to this server?
TLSRequired off
# Server's certificate
TLSRSACertificateFile /etc/ftpcert/server.crt
TLSRSACertificateKeyFile /etc/ftpcert/server.key
# CA the server trusts
TLSCACertificateFile /etc/ftpcert/ca.crt
# Authenticate clients that want to use FTP over TLS?
TLSVerifyClient off
</IfModule>
Note: use TLSRequired on to force the use of TLS; off means that the use of TLS is optional and clients may still log in over plain, unencrypted FTP. Also be aware that TLSProtocol TLSv1 allows only the old TLS 1.0 protocol; newer ProFTPD releases accept a list such as TLSProtocol TLSv1.2 TLSv1.3, which is what a current deployment should use.
Optional step:
- You will notice that you are asked for the password you set for server.key each time you start, stop or restart the server. This is because the RSA private key in server.key is encrypted.
- The solution is to remove the encryption from the RSA private key, but that leaves the key readable in plain text in server.key, which is obviously less secure. If you do it, make sure server.key is readable only by root.
- Knowing that it is less secure, here are the commands to remove the encryption from the RSA private key:
- cd /etc/ftpcert
- cp server.key server.key.org
- openssl rsa -in server.key.org -out server.key
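The whole certificate procedure above, plus the optional passphrase removal, as an added example script that is not part of the original post. It does everything non-interactively (the subject names, the passphrase and the 2048-bit key size are constructed choices; the page uses interactive prompts and 1024-bit keys), signs the CSR with the private CA directly using openssl instead of the external sign.sh, and ends with the checks a practitioner wants before restarting proftpd: that server.crt actually chains to ca.crt, whether the key is still encrypted, and that the key file is owner-only.

```shell
#!/bin/sh
# Added example, not code from the original post: build a private CA, issue a
# server certificate for ProFTPD, optionally strip the key passphrase, and verify.
# Directory, names and passphrase are placeholders supplied by the caller.
set -eu

# make_ftp_certs DIR PASSPHRASE
#   Creates ca.key/ca.crt and server.key/server.csr/server.crt under DIR.
#   The server key is DES3-encrypted with PASSPHRASE, like the original steps;
#   -subj answers the openssl prompts so the script runs unattended.
make_ftp_certs() {
    dir=$1; pass=$2
    mkdir -p "$dir"
    # CA key and self-signed CA certificate (CA key left unencrypted here)
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=Example FTP CA" 2>/dev/null
    # Encrypted server key and a CSR carrying the FTP host name (constructed)
    openssl genrsa -des3 -passout "pass:$pass" -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -passin "pass:$pass" \
        -out "$dir/server.csr" -subj "/CN=ftp.example.test" 2>/dev/null
    # Sign the CSR with the CA; this replaces the external sign.sh from the post
    openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/server.crt" 2>/dev/null
    # Private keys must never be world-readable
    chmod 600 "$dir/ca.key" "$dir/server.key"
}

# strip_key_passphrase DIR PASSPHRASE
#   The optional step from the post: keep a copy of the encrypted key, write an
#   unencrypted one so proftpd can start without a prompt, and lock both down.
strip_key_passphrase() {
    dir=$1; pass=$2
    cp "$dir/server.key" "$dir/server.key.org"
    openssl rsa -in "$dir/server.key.org" -passin "pass:$pass" \
        -out "$dir/server.key" 2>/dev/null
    chmod 600 "$dir/server.key" "$dir/server.key.org"
}

# chain_ok DIR : succeeds if server.crt verifies against ca.crt
chain_ok() { openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1; }

# key_encrypted FILE : succeeds if the PEM still carries an encryption marker
#   (Proc-Type: 4,ENCRYPTED on older OpenSSL, BEGIN ENCRYPTED PRIVATE KEY on 3.x)
key_encrypted() { grep -q 'ENCRYPTED' "$1"; }

# owner_only FILE : succeeds if the mode is rw------- (reads ls output, so it
#   works on both GNU and BSD userlands)
owner_only() { [ "$(ls -ld "$1" | cut -c2-10)" = "rw-------" ]; }
```

Typical use on the server, as root: source the script, run `make_ftp_certs /etc/ftpcert 'your passphrase'`, confirm with `chain_ok /etc/ftpcert && echo chain ok`, and only then decide whether to call `strip_key_passphrase`. Keeping the passphrase on the key is the safer default; if you do strip it, `owner_only /etc/ftpcert/server.key` is the check to run before restarting proftpd.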
Here are some links to read in case of problems, or just to get more information:
http://www.modssl.org/docs/2.7/ssl_faq.html#cert-ownca
http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html