-# $Id$
-LoadModule mod_tls.c
+LoadModule mod_tls.c
-# TLSEngine must be enabled for TLS options to have effect.
-#TLSEngine on
+# Enable TLS/SSL connections
+TLSEngine on
-# These are the TLS related options, default values
-#TLSRSACertificateFile /etc/ftpd/ftpd-rsa.pem
-#TLSRSACertificateKeyFile /etc/ftpd/ftpd-rsa-key.pem
+# Specify TLS/SSL log
+TLSLog /var/log/ftp.tls.log
-#TLSDSACertificateFile /etc/ftpd/ftpd-dsa.pem
-#TLSDSACertificateKeyFile /etc/ftpd/ftpd-dsa-key.pem
+# Path to CA chain file
+TLSCACertificateFile /etc/ftpd/chain.pem
-#TLSCARevocationFile /etc/ftpd/ftpd-crl.pem
-#TLSDHParamFile /etc/ftpd/ftpd-dhparam.pem
+# Path to certificate file
+TLSRSACertificateFile /etc/ftpd/cert.pem
-#TLSCipherSuite ALL:!EXP
+# Path to certificate key file
+TLSRSACertificateKeyFile /etc/ftp/privkey.pem
-# don't verify any peer certificates
-#TLSVerifyClient off
+# Define available TLS/SSL ciphers (allow only strong ones by default)
+TLSCipherSuite HIGH:!kDHd:!aNULL:!aDSS:!eNULL:!DES:!RC4:!RC2:!MD5:!SHA1:!SHA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1:!EXP:!EXPORT56:!LOW:!MEDIUM:!ADH:!DSS:!NULL
-#TLSRequired off
+# Allow TLSv1.2 only
+TLSProtocol TLSv1.2
+
+# Don't verify client certificates
+TLSVerifyClient off
+
+# Require TLS/SSL for all connections and both control and data channels
+TLSRequired on
+
+# Do not require reuse of the SSL session
+# This is required by some apps (ie. curl) to work over SSL
+TLSOptions NoSessionReuseRequired
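Review bot: The key path on the `TLSRSACertificateKeyFile /etc/ftp/privkey.pem` line sits under `/etc/ftp/`, while every other file in this hunk (`TLSCACertificateFile`, `TLSRSACertificateFile`, and the removed defaults) lives under `/etc/ftpd/`; this looks like a typo that would make mod_tls fail to load the key at startup, so it should probably read `TLSRSACertificateKeyFile /etc/ftpd/privkey.pem` unless the key really is kept in a separate directory. The comment above `TLSOptions NoSessionReuseRequired` explains the interoperability motive but not the cost: without the reuse requirement the data channel is no longer bound to the control session's TLS session, and a reader should know that is an accepted trade-off, e.g. `# Trade-off: data connections are no longer tied to the control session's TLS session`. The `TLSProtocol TLSv1.2` line pins a single version; if the mod_tls build in use supports it, documenting why TLSv1.3 is excluded would help the next maintainer decide whether to widen it.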