
I am running pure-ftpd like this:

/usr/sbin/pure-ftpd -A -c10 -B -C3 -z -D -e -fftp -H -I15 -lpam -L2000:8 -m4 -p30000:30100 -s -u40 -x -r -i -k99 -G -Z -Y1 -J'HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3'

but in syslog-ng monitoring I get an error:

pure-ftpd: (?@?) [ERROR] SSL/TLS: Invalid TLSCipherSuite specified 'HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3'

I tried several variations without any luck. The only one that worked without a problem was this one (in the configuration file):

TLSCipherSuite          HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3

then run:

/usr/sbin/pure-config.pl /etc/pure-ftpd/pure-ftpd.conf

Running: /usr/sbin/pure-ftpd -A -c10 -B -C3 -d -z -D -e -fftp -H -I15 -lpam -L2000:8 -m4 -p30000:30100 -s -u40 -x -r -i -k99 -G -Z -Y1 -JHIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3

but with this one, only SSLv2 is disabled.

I found this command at http://download.pureftpd.org/pub/pure-ftpd/doc/README and there it says:

'-J ': Sets the list of ciphers that will be accepted for SSL/TLS connections.

For example: -J HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3

Prefixing the list with -S: totally disables SSLv3.

I think this -S might solve my problem but I can't figure out how to use it.

  • FYI in the latest pure-ftpd version (1.0.37) SSLv2 and SSLv3 are refused by default Commented Mar 3, 2015 at 8:53
  • Not for me @user105125 Commented Nov 12, 2015 at 20:30
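The README quoted above treats the `-S:` prefix and the cipher list as two different things, and that is the distinction the error message hinges on. In an OpenSSL cipher string, `SSLv3` and `TLSv1` are cipher-suite keywords, not protocol switches: `!SSLv3` strips every suite whose minimum version is SSL 3.0 and leaves only the TLS 1.2 suites (or nothing at all on an OpenSSL build without them, in which case `SSL_CTX_set_cipher_list()` fails, and a rejected list is what pure-ftpd reports as "Invalid TLSCipherSuite specified"). Disabling the SSLv3 protocol is a separate option (`SSL_OP_NO_SSLv3`), which is what the `-S:` prefix turns on. The following added example (written for this page, not code from the question or from pure-ftpd) runs the strings from the question through OpenSSL's own cipher parser via Python's `ssl` module and models the `-S:` handling as a protocol floor next to the cipher list; the `describe_spec` and `split_pure_ftpd_spec` helpers are assumptions for the example.

```python
# Added example (not from the question, and not pure-ftpd's own code): expand
# OpenSSL cipher strings and keep "which suites" apart from "which protocols".
import ssl


def expand_cipher_spec(spec):
    """Return the TLS 1.2-and-earlier suite names OpenSSL selects for `spec`.

    Uses the same parser as SSL_CTX_set_cipher_list(); an ssl.SSLError here
    (no cipher matched) is the failure pure-ftpd logs as
    "Invalid TLSCipherSuite specified".
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    # TLS 1.3 suites are configured separately and are never touched by `spec`.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def split_pure_ftpd_spec(spec):
    """Model the pure-ftpd changelog entry quoted in the answer below: a
    leading '-S:' means "also set SSL_OP_NO_SSLv3"; the rest is the cipher
    list handed to OpenSSL. Returns (disable_sslv3, cipher_string).
    """
    prefix = "-S:"
    if spec.startswith(prefix):
        return True, spec[len(prefix):]
    return False, spec


def describe_spec(spec):
    """Apply a pure-ftpd-style value to a server context and summarise it.

    The suite list and the protocol floor are two independent settings, which
    is why '!SSLv3' inside the cipher string cannot replace the '-S:' prefix.
    """
    disable_sslv3, cipher_string = split_pure_ftpd_spec(spec)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    if disable_sslv3:
        # Modern spelling of SSL_OP_NO_SSLv3: a floor on the protocol version.
        # max() keeps a stricter floor the interpreter may already apply.
        ctx.minimum_version = max(ctx.minimum_version, ssl.TLSVersion.TLSv1)
    return {
        "disable_sslv3": disable_sslv3,
        "cipher_string": cipher_string,
        "min_version": ctx.minimum_version.name,
        "suites": [c["name"] for c in ctx.get_ciphers()
                   if c["protocol"] != "TLSv1.3"],
    }


if __name__ == "__main__":
    for spec in ("HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3",   # worked for the asker
                 "HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3",   # rejected on their box
                 "-S:HIGH:MEDIUM:+TLSv1"):            # README form with -S:
        try:
            info = describe_spec(spec)
        except ssl.SSLError as exc:
            print(f"{spec!r}: rejected by OpenSSL ({exc})")
            continue
        print(f"{spec!r}: SSLv3 disabled={info['disable_sslv3']}, "
              f"floor={info['min_version']}, {len(info['suites'])} suites")
```

On a current OpenSSL the `!SSLv3` string is accepted but yields a strict subset of the `+SSLv3` string (the SSL 3.0-era suites such as `AES256-SHA` are gone, the TLS 1.2 suites remain), and the protocol floor is unchanged by either; only the `-S:` path moves the floor.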

2 Answers

To be able to disable SSLv* and use TLS instead, this is what I do with versions 1.0.33 and 1.0.38:

Put this in /usr/sbin/pure-ftpd-wrapper.patch (or replace the -J global switch by -S):

--- pure-ftpd-wrapper   2012-10-29 10:45:31.000000000 +0000
+++ pure-ftpd-wrapper.modified  2015-11-12 15:23:31.104156082 +0000
@@ -87,6 +87,7 @@
            'Quota' => ['-n %d:%d', \&parse_number_2],
            'SyslogFacility' => ['-f %s', \&parse_word, 99],
            'TLS' => ['-Y %d', \&parse_number_1],
+           'TLSCipherSuite' => [ '--tlsciphersuite=-S%s', \&parse_string],
            'TrustedGID' => ['-a %d', \&parse_number_1],
            'TrustedIP' => ['-V %s', \&parse_ip],
            'Umask' => ['-U %s:%s', \&parse_umask],
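Review bot: the added 'TLSCipherSuite' entry hard-codes the prefix as `-S%s`, so the value read from /etc/pure-ftpd/conf/TLSCipherSuite must itself start with a colon for the result to be the documented `-S:` form (the README quoted in the question says "Prefixing the list with -S:", and the changelog quoted below keys on "-S:" exactly); a file containing `HIGH:MEDIUM` would produce `-SHIGH:MEDIUM`, which does not match that prefix and so would not disable SSLv3. Using `'--tlsciphersuite=-S:%s'` removes that dependency on the file's first character. Also, the neighbouring entries all map to short switches (`-Y %d`, `-a %d`, `-V %s`), so it is worth confirming that the installed pure-ftpd accepts the long `--tlsciphersuite=` spelling before relying on this line.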

then:

cd /usr/sbin
patch < pure-ftpd-wrapper.patch && rm -f pure-ftpd-wrapper.patch

and:

cat <<EOF > /etc/pure-ftpd/conf/TLSCipherSuite
:ALL:!aNULL:!eNULL:!LOW:!EXP:!RC4:!3DES:!SEED-SHA:!DHE-RSA-SEED-SHA:+HIGH+MEDIUM
EOF

Or your own classic configuration.

then run an SSL test with testssl:

./testssl --starttls ftp YOUR-FTPS-DOMAIN:21

and you especially expect this:

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      offered
 TLS 1.1    offered
 TLS 1.2    offered (OK)

To understand why -S (disable SSL, not documented) is used instead of -J, you have to read this changelog:

  • Add SSL_OP_NO_SSLv3 to SSL options if the list of ciphers is prefixed by -S:, needed by Brad.
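Once the wrapper is patched, the testssl protocol block is the thing to watch on every redeploy. The following added example (written for this page; not part of this answer and not testssl's own code) parses the protocol lines in the layout shown above and turns them into a pass/fail check: SSLv2 and SSLv3 must be "not offered" and TLS 1.2 must be "offered". The sample report is constructed for the example and deliberately shows SSLv3 still enabled; the `parse_protocols` and `check_ftps_protocols` names are assumptions.

```python
# Added example (not from the answer, not testssl code): check a testssl
# protocol section against the expectation stated above.
import re

# Constructed sample in the layout testssl prints for its protocol checks.
# Values are made up: this run shows SSLv3 still offered, i.e. a failing host.
SAMPLE_REPORT = """\
 SSLv2      not offered (OK)
 SSLv3      offered (NOT ok)
 TLS 1      offered
 TLS 1.1    offered
 TLS 1.2    offered (OK)
"""

# Matches "SSLv2", "SSLv3", "TLS 1", "TLS 1.1", "TLS 1.2", "TLS 1.3" followed by
# the verdict; trailing text such as "(OK)" or "(NOT ok)" is ignored.
PROTOCOL_LINE = re.compile(
    r"^\s*(SSLv2|SSLv3|TLS 1(?:\.[123])?)\s+(not offered|offered)\b")


def parse_protocols(report):
    """Map each protocol name in the report to True (offered) / False."""
    offered = {}
    for line in report.splitlines():
        match = PROTOCOL_LINE.match(line)
        if match:
            offered[match.group(1)] = (match.group(2) == "offered")
    return offered


def check_ftps_protocols(report, required=("TLS 1.2",),
                         forbidden=("SSLv2", "SSLv3")):
    """Return a list of findings; an empty list means the host passes.

    A forbidden protocol that is absent from the report counts as not
    offered; a required protocol that is absent is reported, because a
    truncated or failed scan must not look like a pass.
    """
    offered = parse_protocols(report)
    findings = []
    for proto in forbidden:
        if offered.get(proto, False):
            findings.append(f"{proto} is offered")
    for proto in required:
        if proto not in offered:
            findings.append(f"{proto} missing from report")
        elif not offered[proto]:
            findings.append(f"{proto} not offered")
    return findings


if __name__ == "__main__":
    for finding in check_ftps_protocols(SAMPLE_REPORT) or ["all protocol checks passed"]:
        print(finding)
```

Feeding it the output of `./testssl --starttls ftp YOUR-FTPS-DOMAIN:21` from a cron job gives a one-line verdict that can page someone when an upgrade or a wrapper change quietly re-enables SSLv3.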

You should try the following format:

-S:HIGH:MEDIUM:+TLSv1