[BlueOnyx:11325] Re: 5108R FTPS
Michael Stauber
mstauber at blueonyx.it
Thu Sep 13 23:45:50 -05 2012
Hi Chris,
> Does anyone have tips for getting FTPS to work on 5108R?
>
> We have a new installation for a customer who demands FTPS or SFTP. I
> understand that FTPS should be supported out of the box. But we're
> unable to get a connection using FileZilla FTP client. FileZilla
> defaults to port 990 for FTPS. If we set it to 21, it just hangs.

Yeah, FileZilla is a bit "special". I'm just trying to avoid saying
"retarded".

I just downloaded a recent copy of FileZilla and tried it. SFTP works
out of the box (if the account has shell access enabled) - so no
surprise there.

And I get the same behavior you got when I try FTPS, regardless of
whether I use "explicit" or "implicit" TLS.

I got it working with some modifications, but it's a bit wacky:

1.) Edit /etc/xinetd.d/proftpd and change ...

    disable = no

... to ...

    disable = yes

2.) Restart xinetd:

    service xinetd restart

3.) Edit /etc/proftpd.conf and change ...

    #ServerType standalone
    ServerType inetd

... to this:

    ServerType standalone
    #ServerType inetd

4.) Also in /etc/proftpd.conf find this block:

    <IfModule mod_tls.c>
    TLSEngine on
    TLSLog /var/log/proftpd/tls.log
    TLSRequired off
    TLSRSACertificateFile /etc/pki/dovecot/certs/dovecot.pem
    TLSRSACertificateKeyFile /etc/pki/dovecot/private/dovecot.pem
    TLSVerifyClient off
    TLSOptions NoCertRequest
    TLSRenegotiate required off
    </IfModule>

... and change it to this:

    <IfModule mod_tls.c>
    TLSEngine on
    TLSLog /var/log/proftpd/tls.log
    TLSRequired off
    TLSRSACertificateFile /etc/pki/dovecot/certs/dovecot.pem
    TLSRSACertificateKeyFile /etc/pki/dovecot/private/dovecot.pem
    TLSVerifyClient off
    TLSOptions NoCertRequest
    TLSRenegotiate required off
    TLSOptions UseImplicitSSL
    # The "standard" implicit FTPS port is 990
    Port 990
    </IfModule>

5.) Start Proftpd in stand alone mode and enable it to auto-start on
server reboots:

    service proftpd start
    /sbin/chkconfig --level 2345 proftpd on

6.) Make a backup copy of your /etc/proftpd.conf as it may get
overwritten during ProFTPd updates:

    cp /etc/proftpd.conf /etc/proftpd.conf.tls-working

--------------
With that I get "explicit FTP" over TLS working with FileZilla when I
connect to port 990.
The catch here is that our current implementation through xinetd doesn't
allow us to use port 990. So ProFTPd has to be switched to stand alone
mode and usage of port 990 has to be specified in the TLS section.
--
With best regards
Michael Stauber
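
Added example, not part of the original post or of BlueOnyx: a shell check that the edits from steps 1, 3 and 4 are still in place, for instance after a ProFTPd update has overwritten /etc/proftpd.conf. The function names and the sample files are constructed for illustration; the paths default to the ones named in the post.

```shell
#!/bin/sh
# Added example (not from the original post): re-check steps 1, 3 and 4,
# e.g. after a ProFTPd update may have overwritten /etc/proftpd.conf.

# Succeed if an active (uncommented) line sets directive $2 to word $3.
# A plain grep would also match "#ServerType standalone"; comparing the
# first field skips commented-out lines.
has_directive() {
    awk -v k="$2" -v w="$3" '
        { sub(/=/, " = ") }   # so "disable=yes" splits like "disable = yes"
        tolower($1) == tolower(k) {
            for (i = 2; i <= NF; i++) if (tolower($i) == tolower(w)) found = 1
        }
        END { exit !found }' "$1"
}

check_ftps_conf() {           # $1 = proftpd.conf, $2 = xinetd service file
    conf=${1:-/etc/proftpd.conf}; xinetd=${2:-/etc/xinetd.d/proftpd}; rc=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }
    if [ -r "$xinetd" ] && ! has_directive "$xinetd" disable yes; then
        echo "step 1: xinetd still starts proftpd"; rc=1
    fi
    if ! has_directive "$conf" ServerType standalone ||
         has_directive "$conf" ServerType inetd; then
        echo "step 3: ServerType is not standalone"; rc=1
    fi
    has_directive "$conf" TLSOptions UseImplicitSSL ||
        { echo "step 4: TLSOptions UseImplicitSSL not set"; rc=1; }
    has_directive "$conf" Port 990 || { echo "step 4: Port 990 not set"; rc=1; }
    return $rc
}

# Constructed sample files: the state before and after the edits in the post.
write_samples() {             # $1 = scratch directory
    printf 'service ftp\n{\n\tdisable = no\n}\n' > "$1/xinetd.before"
    printf 'service ftp\n{\n\tdisable = yes\n}\n' > "$1/xinetd.after"
    printf '%s\n' '#ServerType standalone' 'ServerType inetd' \
        'TLSOptions NoCertRequest' > "$1/conf.before"
    printf '%s\n' 'ServerType standalone' '#ServerType inetd' \
        'TLSOptions NoCertRequest' 'TLSOptions UseImplicitSSL' \
        'Port 990' > "$1/conf.after"
}
```

Calling check_ftps_conf with no arguments checks the live files; it prints one line per step that is no longer applied and returns non-zero.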