# ProFTPD mod_tls configuration: FTP over TLS (FTPS), TLSv1.2 only, TLS
# mandatory on both the control and the data channel.
# Each directive must be on its own line: a '#' starts a comment that runs to
# the end of the line, so a directive placed after one is not read.

LoadModule mod_tls.c

# Enable TLS/SSL connections
TLSEngine on

# Specify TLS/SSL log
TLSLog /var/log/proftpd/tls.log

# Path to CA chain file
# NOTE(review): in mod_tls, TLSCACertificateFile names the CAs used to verify
# peer certificates; the server's own intermediate chain is normally supplied
# with TLSCertificateChainFile. Confirm that clients actually receive the
# intermediates with this setup.
TLSCACertificateFile /etc/ftpd/chain.pem

# Path to certificate file
TLSRSACertificateFile /etc/ftpd/cert.pem

# Path to certificate key file
# NOTE(review): this path is under /etc/ftp/ while the two certificate files
# above are under /etc/ftpd/ - confirm the directory is intended and not a typo.
# The key file should be readable by root only.
TLSRSACertificateKeyFile /etc/ftp/privkey.pem

# Define available TLS/SSL ciphers (allow only strong ones by default).
# This is an OpenSSL cipher string: start from HIGH, then remove every class
# listed after a '!'. The result depends on the installed OpenSSL version;
# `openssl ciphers -v '<string>'` on the server lists what is left.
TLSCipherSuite HIGH:!kDHd:!aNULL:!aDSS:!eNULL:!DES:!RC4:!RC2:!MD5:!SHA1:!SHA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1:!EXP:!EXPORT56:!LOW:!MEDIUM:!ADH:!DSS:!NULL

# Allow TLSv1.2 only (older protocol versions are refused; TLSv1.3 is not
# offered either)
TLSProtocol TLSv1.2

# Don't verify client certificates: no client certificate is requested, so
# TLS here authenticates the server only.
TLSVerifyClient off

# Require TLS/SSL for all connections and both control and data channels
TLSRequired on

# Do not require reuse of the SSL session.
# This is required by some apps (e.g. curl) to work over SSL.
# Security caveat: by default mod_tls requires a data connection to reuse the
# TLS session of its control connection, which ties each data transfer to the
# authenticated client. This option turns that check off, so keep it only
# while a needed client cannot reuse sessions.
TLSOptions NoSessionReuseRequired