FTPS server on PVE configured, but only allowing unencrypted connections

[whiney1]

I'm trying to setup FTPS / ProFTPD on my fresh Proxmox VE 8.2.7 home server. I'm setting it up as a service on the base install (pve node I guess?) as I read elsewhere this is better than spinning up a VM just for this.
I had ProFTPD running well on a previous straight Debian install but am having trouble recreating that success.


Tried a few different approaches that were all essentially the same but followed this guide in the most recent attempt. As per that guide I added the 'mod_tls.c' section instead of uncommenting the 'include ../tls.conf" line. Created the certs etc, restarted the service, tried full reboots. I am using WinSCP to test connection settings, but get the same results on other devices too.

I did previously try restoring my conf file to original state by uninstall/reinstall, then using the INCLUDE tls.conf line, and edit tls.conf, but got the same results. I've also tried regenerating the SSL certs several times, and confirmed that they have been generated as expected.

The relevant /etc/proftpd/proftpd.conf section looks like this atm:

<IfModule mod_tls.c>
 TLSEngine on
 TLSLog /var/log/proftpd/tls.log
 TLSProtocol SSLv23 TLSv1.2
 TLSRSACertificateFile /etc/ssl/certs/proftpd.crt
 TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key
 TLSVerifyClient off
 TLSRequired on
</IfModule>

Where I'm at now:

• can access FTP via user login on regular unencrypted login
• can't access FTPS via 'TLS/SSL Explicit Encryption', I get "Connection failed. AUTH not understood"

So it seems like the server is not requiring TLS and is in fact not allowing the defined TLS connection.
This is the proftpd status output:

● proftpd.service - ProFTPD FTP Server
     Loaded: loaded (/lib/systemd/system/proftpd.service; enabled; preset: enabled)
     Active: active (running) since Sun 2024-11-17 00:21:27 ACDT; 20min ago
       Docs: man:proftpd(8)
    Process: 4947 ExecStartPre=/usr/sbin/proftpd --configtest -c $CONFIG_FILE $OPTIONS (code=exited, status=0/SUCCE>
    Process: 4950 ExecStart=/usr/sbin/proftpd -c $CONFIG_FILE $OPTIONS (code=exited, status=0/SUCCESS)
   Main PID: 4951 (proftpd)
      Tasks: 1 (limit: 4398)
     Memory: 3.3M
        CPU: 395ms
     CGroup: /system.slice/proftpd.service
             └─4951 "proftpd: (accepting connections)"
Nov 17 00:21:27 pve systemd[1]: Starting proftpd.service - ProFTPD FTP Server...
Nov 17 00:21:27 pve proftpd[4947]: Checking syntax of configuration file
Nov 17 00:21:27 pve systemd[1]: Started proftpd.service - ProFTPD FTP Server.
Nov 17 00:21:33 pve proftpd[4956]: pam_unix(proftpd:session): session opened for user reolink(uid=1000) by (uid=0)
Nov 17 00:21:36 pve proftpd[4956]: pam_unix(proftpd:session): session closed for user reolink
Nov 17 00:22:00 pve proftpd[5038]: pam_unix(proftpd:session): session opened for user reolink(uid=1000) by (uid=0)
Nov 17 00:23:38 pve proftpd[5038]: pam_unix(proftpd:session): session closed for user reolink

Any suggestions on where to look next? TIA

 

[LnxBil]

I read elsewhere this is better than spinning up a VM just for this.

That could be true for anything. Hopefully there was also a section about not to install stuff on your hypervisor. If you mess with the hypervisor itself, you can have unforeseeable consequences, so please just stick to a container or a VM for anything that has nothing to do with the hypervisor.

Any suggestions on where to look next?

Increase debugging and look in the proftpd logfiles. Maybe ask in a ProFTPd forum, this is not a PVE-related question?

What is your goal, which you want to solve with IT stone age technology? Is SMB/CIFS or even sftp not better suited for this?