X-Git-Url: https://git.tld-linux.org/?p=packages%2Fproftpd.git;a=blobdiff_plain;f=proftpd-mod_tls.conf;fp=proftpd-mod_tls.conf;h=c7b662674e538db6f388719301175bc44a0ecf0f;hp=f5103cff144e4091f6d3ff3a5627fb061d1e524a;hb=4c5a91d7abaff7f36bbd178431f0ebcbe76aba42;hpb=0fb5f17dc10db4c2f613d712448353cdd541acbf
diff --git a/proftpd-mod_tls.conf b/proftpd-mod_tls.conf
index f5103cf..c7b6626 100644
--- a/proftpd-mod_tls.conf
+++ b/proftpd-mod_tls.conf
@@ -1,22 +1,32 @@
-# $Id$
-LoadModule mod_tls.c
+LoadModule mod_tls.c
 
-# TLSEngine must be enabled for TLS options to have effect.
-#TLSEngine on
+# Enable TLS/SSL connections
+TLSEngine on
 
-# These are the TLS related options, default values
-#TLSRSACertificateFile /etc/ftpd/ftpd-rsa.pem
-#TLSRSACertificateKeyFile /etc/ftpd/ftpd-rsa-key.pem
+# Specify TLS/SSL log
+TLSLog /var/log/ftp.tls.log
 
-#TLSDSACertificateFile /etc/ftpd/ftpd-dsa.pem
-#TLSDSACertificateKeyFile /etc/ftpd/ftpd-dsa-key.pem
+# Path to CA chain file
+TLSCACertificateFile /etc/ftpd/chain.pem
 
-#TLSCARevocationFile /etc/ftpd/ftpd-crl.pem
-#TLSDHParamFile /etc/ftpd/ftpd-dhparam.pem
+# Path to certificate file
+TLSRSACertificateFile /etc/ftpd/cert.pem
 
-#TLSCipherSuite ALL:!EXP
+# Path to certificate key file
+TLSRSACertificateKeyFile /etc/ftp/privkey.pem
 
-# don't verify any peer certificates
-#TLSVerifyClient off
+# Define available TLS/SSL ciphers (allow only strong ones by default)
+TLSCipherSuite HIGH:!kDHd:!aNULL:!aDSS:!eNULL:!DES:!RC4:!RC2:!MD5:!SHA1:!SHA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1:!EXP:!EXPORT56:!LOW:!MEDIUM:!ADH:!DSS:!NULL
 
-#TLSRequired off
+# Allow TLSv1.2 only
+TLSProtocol TLSv1.2
+
+# Don't verify client certificates
+TLSVerifyClient off
+
+# Require TLS/SSL for all connections and both control and data channels
+TLSRequired on
+
+# Do not require reuse of the SSL session
+# This is required by some apps (ie. curl) to work over SSL
+TLSOptions NoSessionReuseRequired
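Review bot: `TLSRSACertificateKeyFile /etc/ftp/privkey.pem` points into `/etc/ftp/` while every other path added in this hunk (`TLSCACertificateFile`, `TLSRSACertificateFile`) lives under `/etc/ftpd/`; if that is a typo, mod_tls will not find the key at startup, so it should probably read `TLSRSACertificateKeyFile /etc/ftpd/privkey.pem`. The `!SSLv2:!SSLv3:!TLSv1:!TLSv1.1` tokens in `TLSCipherSuite` are OpenSSL cipher-suite selectors rather than protocol-version controls (version restriction is already done by `TLSProtocol TLSv1.2`), and the list appears to still admit static RSA key exchange, so appending `:!kRSA` would make every remaining suite forward-secret (ECDHE/DHE). `TLSOptions NoSessionReuseRequired` disables the check that a data connection's TLS session matches the control connection's; the comment gives the client-compatibility reason, but it is worth adding a line such as `# Note: this loosens the control/data channel binding that session reuse provides` so the trade-off is visible to whoever next edits the file.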