
Issue FTP - Insecure server, it does not support FTP over TLS.

Alban Staehli (Regular Pleskian)

Server operating system version: AlmaLinux 8.10 (Cerulean Leopard)
Plesk version and microupdate number: Plesk Obsidian 18.0.66 Update #2

Hi,

Somehow after a Plesk upgrade, I'm unable to connect via FTP over TLS - through both FileZilla and WinSCP. It works over non-secure FTP.
FileZilla complains with the message "Insecure server, it does not support FTP over TLS".
WinSCP advises that the parameter is not supported.

FileZilla connection details when using "Require explicit FTP over TLS":
Code:
Status:    Connection established, waiting for welcome message...
Response:    220 ProFTPD Server (ProFTPD) [xxx.xxx.xxx.xxx]
Command:    AUTH TLS
Response:    504 Command not implemented for that parameter
Command:    AUTH SSL
Response:    504 Command not implemented for that parameter
Error:    Critical error: Could not connect to server

psa-proftpd is definitely installed and up to date:
Code:
rpm -qi psa-proftpd

Name        : psa-proftpd
Version     : 1.3.8b
Release     : 2.redhat.8+p18.0.66.2+t250106.1901
Architecture: x86_64
Install Date: Wed 15 Jan 2025 04:03:28 AM CET

/etc/proftpd.d/50-plesk.conf content:
Code:
#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.

# Global section
<Global>
RequireValidShell off

<IfModule mod_tls.c>
    TLSEngine on
    TLSRequired off
</IfModule>
</Global>

/etc/proftpd.d/55-passive-ports.conf content:
Code:
<Global>
PassivePorts 49152 65535
</Global>
(Yes, all ports are open and functioning via the firewall.)

/etc/proftpd.d/ssl.conf content:
Code:
<Global>
<IfModule mod_tls.c>
TLSDHParamFile /usr/local/psa/etc/dhparams2048.pem
</IfModule>
</Global>
<Global>
<IfModule mod_tls.c>
TLSProtocol TLSv1 TLSv1.1 TLSv1.2 TLSv1.3
TLSCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
TLSServerCipherPreference on
</IfModule>
</Global>

I tried this too, no luck: https://support.plesk.com/hc/en-us/...ecure-server-it-does-not-support-FTP-over-TLS

Any idea where I should look?

Thanks.
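
To reproduce the AUTH TLS exchange from the FileZilla log without a GUI client, this added example (not part of the original post) sends the same command and maps the reply code to its RFC 2228 meaning. The function names are illustrative, and the host passed to `probe_auth_tls` is whatever server you administer.

```python
import socket
import ssl

# Reply codes defined for AUTH in RFC 2228 (FTP security extensions).
AUTH_MEANING = {
    "234": "accepted; server expects the TLS handshake next",
    "500": "AUTH not recognized as a command",
    "502": "AUTH not implemented",
    "504": "security mechanism not understood/implemented by the server",
    "534": "security mechanism refused by server policy",
}

def read_reply(stream):
    """Read one FTP reply from a binary stream; returns (code, lines)."""
    first = stream.readline()
    if not first:
        raise ConnectionError("connection closed before a reply arrived")
    lines = [first.decode("ascii", "replace").rstrip("\r\n")]
    code = lines[0][:3]
    if lines[0][3:4] == "-":          # multi-line reply: "220-..." until "220 ..."
        while not lines[-1].startswith(code + " "):
            nxt = stream.readline()
            if not nxt:
                raise ConnectionError("connection closed inside a multi-line reply")
            lines.append(nxt.decode("ascii", "replace").rstrip("\r\n"))
    return code, lines

def classify_auth(code):
    return AUTH_MEANING.get(code, "unexpected reply code " + code)

def probe_auth_tls(host, port=21, timeout=10.0):
    """Connect, send AUTH TLS, and report how the server answered."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rb")
        _, banner = read_reply(stream)
        sock.sendall(b"AUTH TLS\r\n")
        code, _ = read_reply(stream)
        result = {"banner": banner[-1], "code": code,
                  "meaning": classify_auth(code), "tls": None}
        if code == "234":
            ctx = ssl.create_default_context()   # verifies chain and host name
            try:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    result["tls"] = tls.version()
            except ssl.SSLError as exc:
                result["tls"] = "handshake failed: " + str(exc)
        return result
```

A `tls` value of "handshake failed" on a 234 reply points at the certificate or protocol settings rather than at AUTH support.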
 
Also adding the TLS content of the /etc/proftpd.conf file:

Code:
<IfModule mod_tls.c>
        # common settings for all virtual hosts
        TLSEngine on
        TLSRequired off

        TLSLog /var/log/plesk/ftp_tls.log

        TLSRSACertificateFile /usr/local/psa/admin/conf/httpsd.pem
        TLSRSACertificateKeyFile /usr/local/psa/admin/conf/httpsd.pem
        TLSCertificateChainFile /usr/local/psa/admin/conf/httpsd.pem

        # Authenticate clients that want to use FTP over TLS?
        TLSVerifyClient off

        # Allow SSL/TLS renegotiations when the client requests them, but
        # do not force the renegotiations.  Some clients do not support
        # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
        # clients will close the data connection, or there will be a timeout
        # on an idle data connection.
        TLSRenegotiate none

        # As of ProFTPD 1.3.3rc1, mod_tls only accepts SSL/TLS data connections
        # that reuse the SSL session of the control connection, as a security measure.
        # Unfortunately, there are some clients (e.g. curl) which do not reuse SSL sessions.
        TLSOptions NoSessionReuseRequired
</IfModule>
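
Separately from the AUTH failure, the posted mod_tls directives can be checked for settings that weaken FTPS once it is working. This is an added example, not part of the original posts or Plesk's tooling; the `audit` helper and its rule list are assumptions, and the sample is constructed from the directives shown in this thread.

```python
DEPRECATED_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}      # RFC 7568, RFC 8996
WEAK_CIPHER_MARKERS = ("DES-CBC3", "RC4", "NULL", "EXP", "MD5")

def directives(text):
    """Yield (name, args) per directive; skips comments and <Section> tags."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#<":
            name, *args = line.split()
            yield name.lower(), args

def audit(text):
    """Return a list of findings for ProFTPD mod_tls directives in text."""
    findings = []
    for name, args in directives(text):
        if name == "tlsrequired" and args and args[0].lower() == "off":
            findings.append("TLSRequired off: plaintext FTP is still accepted")
        elif name == "tlsprotocol":
            old = [p for p in args if p.lstrip("+") in DEPRECATED_PROTOCOLS]
            if old:
                findings.append("TLSProtocol enables deprecated: " + " ".join(old))
        elif name == "tlsciphersuite" and args:
            weak = [c for c in args[0].split(":")
                    if c and c[0] not in "!-"
                    and any(m in c for m in WEAK_CIPHER_MARKERS)]
            if weak:
                findings.append("TLSCipherSuite includes weak: " + " ".join(weak))
        elif name == "tlsoptions" and "NoSessionReuseRequired" in args:
            findings.append("TLSOptions NoSessionReuseRequired: data channel "
                            "need not reuse the control-channel TLS session")
    return findings

# Constructed sample: the directives posted in this thread, cipher list shortened.
POSTED = """\
<Global>
<IfModule mod_tls.c>
    TLSEngine on
    TLSRequired off
    TLSProtocol TLSv1 TLSv1.1 TLSv1.2 TLSv1.3
    TLSCipherSuite ECDHE-RSA-AES128-GCM-SHA256:AES256-SHA:DES-CBC3-SHA
    # Some clients (e.g. curl) do not reuse SSL sessions.
    TLSOptions NoSessionReuseRequired
</IfModule>
</Global>
"""

if __name__ == "__main__":
    for finding in audit(POSTED):
        print("-", finding)
```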
 
I even attempted to configure implicit encryption, no luck - timeout on port 990:

While the service is actually listening:


Code:
lsof -i TCP:990

COMMAND   PID USER   FD   TYPE    DEVICE SIZE/OFF NODE NAME
xinetd  31679 root    6u  IPv4 582848089      0t0  TCP *:ftps (LISTEN)
 
Got this to work - only FTP on 21 with TLS does not work.
 