I have found out that there are newer versions of ProFTPD released, 1.3.8 and 1.3.7f. Is there a way to upgrade it using Hestia Control Panel, or is this ProFTPD 1.3.8 version not supported by Hestia? Thanks.
ALL -TLSv1 -TLSv1.1
Should work fine
There seems to be a bug with the documentation; even upgrading will not help.
1.3.8 is probably a release from the developers; you need to change the repo and so on…
We use the version from Ubuntu itself…
I have changed this line, TLSProtocol TLSv1.2 TLSv1.3, to TLSProtocol -TLSv1 -TLSv1.1 and restarted the server. But it still displays this error:
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing
The /etc/proftpd/tls.conf:
#
# Proftpd sample configuration for FTPS connections.
#
# Note that FTPS impose some limitations in NAT traversing.
# See http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html
# for more information.
#
<IfModule mod_dso.c>
# If mod_tls was built as a shared/DSO module, load it
LoadModule mod_tls.c
</IfModule>
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
# this is an example of protocols, proftp works with all, but use only the most secure ones like TLSv1.1 and TLSv1.2
TLSCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256
TLSProtocol ALL -TLSv1 -TLSv1.1
TLSServerCipherPreference on
#
# Server SSL certificate. You can generate a self-signed certificate using
# a command like:
#
# openssl req -x509 -newkey rsa:1024 \
# -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt \
# -nodes -days 365
#
# The proftpd.key file must be readable by root only. The other file can be
# readable by anyone.
#
# chmod 0600 /etc/ssl/private/proftpd.key
# chmod 0640 /etc/ssl/private/proftpd.key
#
TLSRSACertificateFile /usr/local/hestia/ssl/certificate.crt
TLSRSACertificateKeyFile /usr/local/hestia/ssl/certificate.key
#
# CA the server trusts...
#TLSCACertificateFile /etc/ssl/certs/CA.pem
# ...or avoid CA cert and be verbose
#TLSOptions NoCertRequest EnableDiags
# ... or the same with relaxed session use for some clients (e.g. FireFtp)
#TLSOptions NoCertRequest EnableDiags NoSessionReuseRequired
#
#
# Per default drop connection if client tries to start a renegotiate
# This is a fix for CVE-2009-3555 but could break some clients.
#
#TLSOptions AllowClientRenegotiations
#
TLSOptions NoSessionReuseRequired AllowClientRenegotiations
# Authenticate clients that want to use FTP over TLS?
#
#TLSVerifyClient off
#
# Are clients required to use FTP over TLS when talking to this server?
#
TLSRequired off
#
# Allow SSL/TLS renegotiations when the client requests them, but
# do not force the renegotations. Some clients do not support
# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
# clients will close the data connection, or there will be a timeout
# on an idle data connection.
#
TLSRenegotiate required off
</IfModule>
Any ideas how to solve this issue? Thank you.
From /var/log/proftpd/tls.log:
2023-07-16 20:04:54,087 mod_tls/2.7[10963]: TLS/TLS-C requested, starting TLS handshake
2023-07-16 20:04:54,191 mod_tls/2.7[10963]: TLSv1.3 connection accepted, using cipher TLS_AES_128_GCM_SHA256 (128 bits)
2023-07-16 20:04:54,426 mod_tls/2.7[10963]: Protection set to Private
2023-07-16 20:05:14,700 mod_tls/2.7[11216]: TLS/TLS-C requested, starting TLS handshake
2023-07-16 20:05:14,804 mod_tls/2.7[11216]: TLSv1.3 connection accepted, using cipher TLS_AES_128_GCM_SHA256 (128 bits)
2023-07-16 20:05:15,043 mod_tls/2.7[11216]: Protection set to Private
2023-07-16 20:06:26,071 mod_tls/2.7[11430]: TLS/TLS-C requested, starting TLS handshake
2023-07-16 20:06:26,176 mod_tls/2.7[11430]: TLSv1.3 connection accepted, using cipher TLS_AES_128_GCM_SHA256 (128 bits)
2023-07-16 20:06:26,402 mod_tls/2.7[11430]: Protection set to Private
2023-07-16 20:06:46,657 mod_tls/2.7[11431]: TLS/TLS-C requested, starting TLS handshake
2023-07-16 20:06:46,757 mod_tls/2.7[11431]: TLSv1.3 connection accepted, using cipher TLS_AES_128_GCM_SHA256 (128 bits)
2023-07-16 20:06:46,981 mod_tls/2.7[11431]: Protection set to Private
2023-07-16 20:07:38,385 mod_tls/2.7[11449]: TLS/TLS-C requested, starting TLS handshake
2023-07-16 20:07:38,481 mod_tls/2.7[11449]: TLSv1.3 connection accepted, using cipher TLS_AES_128_GCM_SHA256 (128 bits)
2023-07-16 20:07:38,705 mod_tls/2.7[11449]: Protection set to Private
2023-07-16 20:07:58,957 mod_tls/2.7[11450]: TLS/TLS-C requested, starting TLS handshake
2023-07-16 20:07:59,055 mod_tls/2.7[11450]: TLSv1.3 connection accepted, using cipher TLS_AES_128_GCM_SHA256 (128 bits)
2023-07-16 20:07:59,279 mod_tls/2.7[11450]: Protection set to Private
It accepts TLSv1.3 but still leads to this error:
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing
Should I try to update to 1.3.8? Thanks.
I have tried to update ProFTPD but it reports this version is the latest one.
sudo apt-get upgrade proftpd
Reading package lists... Done
Building dependency tree
Reading state information... Done
Note, selecting 'proftpd-basic' instead of 'proftpd'
proftpd-basic is already the newest version (1.3.6c-2).
Calculating upgrade... Done
Any ideas how to fix this issue? Thank you.
Try:
TLSProtocol TLSv1.2
I think, I have found an issue. I will reply soon.
Thank you all!
See:
I have changed TLSProtocol TLSv1.2 TLSv1.3 on the 17th line to TLSProtocol ALL -TLSv1.3. Also, I tested your suggestion, which works as well: TLSProtocol ALL -TLSv1 -TLSv1.1. This change fixed the following issue:
proftpd[147843]: fatal: TLSProtocol: unknown protocol: ‘TLSv1.3’ on line 17 of ‘/etc/proftpd/tls.conf’
But there was another issue. For some reason, I found out that the passive ports were set to PassivePorts 45000 65000
(in proftpd.conf), which was wrong. I set them as:
PassivePorts 12000 12100
and now all works well. This issue is resolved. Thank you.
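Both problems in this thread are visible in the config alone before the daemon is restarted: a TLSProtocol token the installed version does not recognise (fatal at start-up), a protocol list that quietly leaves TLSv1/TLSv1.1 enabled, and a PassivePorts range the firewall does not let through (data connections time out, exactly the "Failed to retrieve directory listing" symptom). The offline lint below is an added example, not code from the thread, Hestia or ProFTPD. Its assumptions are labelled in the comments: the "TLSv1.3" token is taken to be accepted from 1.3.7 on (the thread only shows 1.3.6c rejecting it), a negated unknown token such as "-TLSv1.3" is taken to be ignored rather than fatal (consistent with the poster's report that "ALL -TLSv1.3" started fine), "ALL" is taken to expand to every TLS version the linked OpenSSL offers, and the firewall's open range is a parameter you supply.

```python
"""Offline lint for a ProFTPD tls.conf / proftpd.conf fragment (added example).

Assumptions, not facts from the thread:
  * the token "TLSv1.3" is accepted by TLSProtocol from ProFTPD 1.3.7 on;
  * a negated token the version does not know ("-TLSv1.3" on 1.3.6) is ignored;
  * "ALL" expands to every TLS version the linked OpenSSL offers (TLSv1..TLSv1.3).
"""
import re
from typing import List, Optional, Set, Tuple

TLS13_TOKEN_MIN_VERSION = (1, 3, 7)                    # assumption
ALL_PROTOCOLS = {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}  # assumption for "ALL"
NAMEABLE = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
CANON = {p.lower(): p for p in NAMEABLE}               # case-insensitive lookup


def parse_version(text: str) -> Tuple[int, int, int]:
    """'1.3.6c-2' -> (1, 3, 6); letter and package suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def parse_directives(config: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, directive, args); comments, blanks and <IfModule> tags are skipped."""
    out = []
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        name, *args = line.split()
        out.append((n, name, args))
    return out


def effective_protocols(args: List[str], version: Tuple[int, int, int]) -> Tuple[Set[str], List[str]]:
    """Evaluate a TLSProtocol argument list the way the thread observed it behaving.

    Raises ValueError with proftpd's own wording for a positive token the version
    cannot name; returns the enabled set plus notes about ignored negated tokens.
    """
    enabled: Set[str] = set()
    notes: List[str] = []
    for tok in args:
        if tok.lower() == "all":
            enabled |= ALL_PROTOCOLS
            continue
        negate = tok.startswith("-")
        name = CANON.get(tok.lstrip("+-").lower())
        nameable = name is not None and (name != "TLSv1.3" or version >= TLS13_TOKEN_MIN_VERSION)
        if not nameable:
            if negate:  # assumption: tolerated, but it disables nothing
                notes.append(f"'{tok}' is not understood by {'.'.join(map(str, version))} and disables nothing")
                continue
            raise ValueError(f"TLSProtocol: unknown protocol: '{tok}'")
        if negate:
            enabled.discard(name)
        else:
            enabled.add(name)
    return enabled, notes


def lint(config: str, version_text: str, firewall_passive: Optional[Tuple[int, int]] = None) -> List[str]:
    """Return human-readable findings for the config as the given ProFTPD version would load it."""
    version = parse_version(version_text)
    findings: List[str] = []
    for n, name, args in parse_directives(config):
        d = name.lower()
        if d == "tlsprotocol":
            try:
                enabled, notes = effective_protocols(args, version)
            except ValueError as e:
                findings.append(f"line {n}: fatal: {e}")  # proftpd would refuse to start
                continue
            findings += [f"line {n}: {note}" for note in notes]
            weak = sorted(enabled & WEAK_PROTOCOLS)
            if weak:
                findings.append(f"line {n}: weak protocols still enabled: {', '.join(weak)}")
        elif d == "tlsrequired" and args and args[0].lower() != "on":
            findings.append(f"line {n}: TLSRequired {args[0]}: plaintext FTP is still accepted on control or data channel")
        elif d == "tlsoptions" and any(a.lower() == "allowclientrenegotiations" for a in args):
            findings.append(f"line {n}: AllowClientRenegotiations turns the CVE-2009-3555 protection off")
        elif d == "passiveports" and len(args) == 2:
            lo, hi = int(args[0]), int(args[1])
            if not (1024 <= lo <= hi <= 65535):
                findings.append(f"line {n}: PassivePorts {lo}-{hi} is not a valid range")
            elif firewall_passive and not (firewall_passive[0] <= lo and hi <= firewall_passive[1]):
                findings.append(f"line {n}: PassivePorts {lo}-{hi} is outside the firewall's open range "
                                f"{firewall_passive[0]}-{firewall_passive[1]}; data connections will time out")
    return findings


# Constructed sample: a condensed version of the tls.conf / proftpd.conf values from the thread.
SAMPLE_CONFIG = """\
<IfModule mod_tls.c>
TLSEngine on
TLSProtocol ALL -TLSv1 -TLSv1.1
TLSOptions NoSessionReuseRequired AllowClientRenegotiations
TLSRequired off
</IfModule>
PassivePorts 45000 65000
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG, "1.3.6c-2", firewall_passive=(12000, 12100)):
        print(finding)
```

Running it against the sample with the package version from the thread reports the renegotiation option, `TLSRequired off` and the passive range that the firewall does not cover, but no protocol finding; swapping the TLSProtocol line for `ALL -TLSv1.3` makes the lint point out that TLSv1 and TLSv1.1 are back on, which is the difference between the two fixes the poster tested.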
scp and sftp are secure where ftp is insecure.
But besides that, active ftp doesn’t give you the hassle of opening extra ports in your firewall that are needed for passive ftp.
True, although FTPS is fine, if properly configured. With TLS directives in the config, FTPS should be available, if not mandatory. Any FTP server in use today really needs to be configured to require TLS and also needs to encrypt the data as well as the control channel.