# ProFTPD mod_tls configuration: FTP over TLS (FTPS) with TLS required on
# every connection, server-side certificate only, and no client certificates.

# Load the TLS module; the TLS* directives below depend on it.
LoadModule mod_tls.c

# Enable TLS/SSL connections
TLSEngine on

# Write TLS/SSL diagnostics (handshake and certificate problems) to this log
TLSLog /var/log/proftpd/tls.log

# Path to CA chain file (left disabled)
# NOTE(review): presumably only needed once client certificates are verified
# (see TLSVerifyClient below) - confirm before enabling.
#TLSCACertificateFile /etc/proftpd/CA.crt

# Path to the server certificate presented to clients
TLSRSACertificateFile /etc/proftpd/server.crt

# Path to the private key matching the certificate above.
# Keep this file readable only by the account that starts proftpd; anyone who
# can read it can impersonate the server.
TLSRSACertificateKeyFile /etc/proftpd/server.key

# Define available TLS/SSL ciphers (allow only strong ones by default).
# The list starts from HIGH and then removes anonymous/NULL key exchange,
# DSS, DES/RC4/RC2, MD5- and SHA1-based suites, and export/low/medium grades.
# Protocol versions are restricted by TLSProtocol below, not by the
# protocol-named tokens in this list.
# NOTE(review): in OpenSSL this style of list governs TLSv1.2 and older;
# TLSv1.3 suites are selected separately - confirm for the mod_tls/OpenSSL
# versions in use.
TLSCipherSuite HIGH:!kDHd:!aNULL:!aDSS:!eNULL:!DES:!RC4:!RC2:!MD5:!SHA1:!SHA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1:!EXP:!EXPORT56:!LOW:!MEDIUM:!ADH:!DSS:!NULL

# Allow only TLSv1.2 and TLSv1.3; older protocol versions are refused
TLSProtocol TLSv1.2 TLSv1.3

# Don't verify client certificates; clients are authenticated by their FTP
# login alone, sent inside the TLS session.
TLSVerifyClient off

# Require TLS/SSL for all connections and both control and data channels,
# so credentials and file contents are never sent in cleartext.
TLSRequired on

# Do not require data connections to reuse the TLS session of the control
# connection. Some clients (e.g. curl) need this to work over TLS.
# Security trade-off: session reuse is what ties a data connection to the
# authenticated control connection, so with this option set the server no
# longer checks that both come from the same TLS client. Remove this option
# if every client in use supports session reuse.
TLSOptions NoSessionReuseRequired