From 4c5a91d7abaff7f36bbd178431f0ebcbe76aba42 Mon Sep 17 00:00:00 2001
From: Marcin Krol
Date: Thu, 10 Jan 2019 09:31:06 +0000
Subject: [PATCH] - better TLS/SSL config, misc config cleanup

---
 proftpd-anonftp.conf |  3 ---
 proftpd-mod_pam.conf |  1 -
 proftpd-mod_tls.conf | 40 +++++++++++++++++++++++++--------------
 3 files changed, 25 insertions(+), 19 deletions(-)

diff --git a/proftpd-anonftp.conf b/proftpd-anonftp.conf
index 3f869b1..4018a5d 100644
--- a/proftpd-anonftp.conf
+++ b/proftpd-anonftp.conf
@@ -1,7 +1,4 @@
-# $Id$
-
 # A basic anonymous configuration
-# uncoment this section below if you want gain annonymous ftp acces
 User ftp
 Group ftp
 
diff --git a/proftpd-mod_pam.conf b/proftpd-mod_pam.conf
index 53bd288..45d54a0 100644
--- a/proftpd-mod_pam.conf
+++ b/proftpd-mod_pam.conf
@@ -1,4 +1,3 @@
-# $Id$
 
 LoadModule mod_auth_pam.c
 
diff --git a/proftpd-mod_tls.conf b/proftpd-mod_tls.conf
index f5103cf..c7b6626 100644
--- a/proftpd-mod_tls.conf
+++ b/proftpd-mod_tls.conf
@@ -1,22 +1,32 @@
-# $Id$
-LoadModule mod_tls.c
+LoadModule mod_tls.c
 
-# TLSEngine must be enabled for TLS options to have effect.
-#TLSEngine on
+# Enable TLS/SSL connections
+TLSEngine on
 
-# These are the TLS related options, default values
-#TLSRSACertificateFile /etc/ftpd/ftpd-rsa.pem
-#TLSRSACertificateKeyFile /etc/ftpd/ftpd-rsa-key.pem
+# Specify TLS/SSL log
+TLSLog /var/log/ftp.tls.log
 
-#TLSDSACertificateFile /etc/ftpd/ftpd-dsa.pem
-#TLSDSACertificateKeyFile /etc/ftpd/ftpd-dsa-key.pem
+# Path to CA chain file
+TLSCACertificateFile /etc/ftpd/chain.pem
 
-#TLSCARevocationFile /etc/ftpd/ftpd-crl.pem
-#TLSDHParamFile /etc/ftpd/ftpd-dhparam.pem
+# Path to certificate file
+TLSRSACertificateFile /etc/ftpd/cert.pem
 
-#TLSCipherSuite ALL:!EXP
+# Path to certificate key file
+TLSRSACertificateKeyFile /etc/ftp/privkey.pem
 
-# don't verify any peer certificates
-#TLSVerifyClient off
+# Define available TLS/SSL ciphers (allow only strong ones by default)
+TLSCipherSuite HIGH:!kDHd:!aNULL:!aDSS:!eNULL:!DES:!RC4:!RC2:!MD5:!SHA1:!SHA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1:!EXP:!EXPORT56:!LOW:!MEDIUM:!ADH:!DSS:!NULL
 
-#TLSRequired off
+# Allow TLSv1.2 only
+TLSProtocol TLSv1.2
+
+# Don't verify client certificates
+TLSVerifyClient off
+
+# Require TLS/SSL for all connections and both control and data channels
+TLSRequired on
+
+# Do not require reuse of the SSL session
+# This is required by some apps (ie. curl) to work over SSL
+TLSOptions NoSessionReuseRequired
-- 
2.44.0
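Review bot: The key path `TLSRSACertificateKeyFile /etc/ftp/privkey.pem` sits under `/etc/ftp/` while `TLSCACertificateFile` and `TLSRSACertificateFile` just above use `/etc/ftpd/`; unless that split is intentional, mod_tls will not find the private key at startup, so the three paths should be reconciled (most likely `TLSRSACertificateKeyFile /etc/ftpd/privkey.pem`). The comment on `TLSOptions NoSessionReuseRequired` records only the client-compatibility reason; the check it disables is what binds each data connection's TLS session to the authenticated control session, so the comment should also state the trade-off, e.g. `# Disables the data-connection session-reuse check, which weakens protection against data-connection hijacking`. The `TLSCipherSuite` value is a long negation list applied to `HIGH` that is hard to audit, and it is not certain that every token (e.g. `TLSv1.1`) is an alias the linked OpenSSL recognises; a short positive list of TLS 1.2 AEAD suites, checked with `openssl ciphers -v`, would be easier to review. With `TLSDHParamFile` removed and DHE suites still admitted by `HIGH`, DH parameter strength falls back to the server default, which is worth confirming for the ProFTPD version in use.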