
Issue: How do I enable FTPS?

budiantoip

New Pleskian
Server operating system version: Ubuntu 18.04
Plesk version and microupdate number: 18.0.66 #2
Hey!

When trying to connect FTP over TLS via FileZilla, I got this output:
Code:
02:51:25 Status:        Disconnected from server
02:51:25 Status:        Connecting to 1.2.3.4:21...
02:51:25 Status:        Connection established, waiting for welcome message...
02:51:26 Response:      220 ProFTPD Server (ProFTPD) [1.2.3.4]
02:51:26 Command:       AUTH TLS
02:51:26 Response:      504 Command not implemented for that parameter
02:51:26 Command:       AUTH SSL
02:51:26 Response:      504 Command not implemented for that parameter
02:51:26 Error:         Critical error: Could not connect to server

I've done the following steps:
1. Go to Tools & Settings > Security Policy, and under Secure FTP, I choose Allow only secure FTPS connections
2. Run these commands:
Bash:
plesk sbin pci_compliance_resolver --enable dovecot
plesk sbin pci_compliance_resolver --enable postfix

When using FileZilla, I use the Require explicit FTP over TLS.

I've checked the ftp_tls.log file, however I could only get these:
Bash:
# tail -n0 -f /var/log/plesk/ftp_tls.log
2025-01-18 19:48:21,045 mod_tls/2.9.2[19660]: added 1 certs from '/opt/psa/admin/conf/httpsd.pem' to SSL_CTX certificate chain
2025-01-18 19:49:10,540 mod_tls/2.9.2[20439]: added 1 certs from '/opt/psa/admin/conf/httpsd.pem' to SSL_CTX certificate chain
2025-01-18 19:51:26,204 mod_tls/2.9.2[22004]: added 1 certs from '/opt/psa/admin/conf/httpsd.pem' to SSL_CTX certificate chain

Note that, if I use non-secure FTP connection, I can get the FTP access. However, I want to use the FTPS connection.

Additional information:
Bash:
# cat /etc/proftpd.d/55-passive-ports.conf
<Global>
PassivePorts 49152 65535
</Global>

# openssl version
OpenSSL 1.1.1  11 Sep 2018

# openssl ciphers -v | awk '{print $2}' | sort | uniq
SSLv3
TLSv1
TLSv1.2
TLSv1.3

Did I miss anything here?

I've been trying to trace this for days, but I couldn't find any clue. So, any kind of pointer or suggestions would be much appreciated.
 
Last time I've tried using FileZilla with FTPS I've had a bunch of issues but no issues whatsoever with WinSCP. Maybe try WinSCP instead to make sure it isn't a client issue?

Also with WinSCP make sure you choose FTP as the connection type and choose Explicit SSL/TLS (not sure if FileZilla has that option, can't remember, been forever since I last used it).
 
There's plenty out there but I haven't tested any of them. I know Cyberduck is a popular choice though for macs.
 
Unfortunately, I can’t use WinSCP. Do you know of any other FTP clients for Mac?
We have only use Macs since 2009 and have only ever used Filezilla for SFTP access (without any issues at all) for a long time now.
However... The difference from your setup, appears to be that as mentioned, we use SFTP - SSH File Transfer Protocol (within Filezilla) and FWIW we've never ever used the Plesk PCI Compliance Resolver (We use other methods instead). SSH access, we do control very tightly anyway & it's also configured, so that it's key only not password controlled access too (this works within Filezilla via a key conversion to a .ppk format file). If you're happy to use the SFTP - SSH File Transfer Protocol (within Filezilla) option, and you're fine with SSH & the control of same (including using keys etc if you wish to abort password protected access) then this could / should (we think) be a valid & secure alternative option for you...
 
Thank you for your suggestion. I like it. I'll definitely use that option as a last resort.

Honestly, I'm tasked with disabling the plaintext authentication, and then secure the FTP access with encryption via a TLS certificate. So, I'd like to proceed with FTPS for now.

Currently, I'm still curious about this FTPS. The way I see it, after connecting to my Plesk server, the client sends the AUTH TLS and AUTH SSL, but then the server rejects the commands. It's as if the server does not support those two commands.

The strangest thing is that I cannot find detailed information on what's going on. The ftp_tls.log file only generates one log line every time I start an FTP session from my FTP client.

I have some questions:
  1. Is there a way to enable a verbose mode on the logs?
  2. Which log files can I monitor to get more detailed information on what's going on?
  3. How do I ensure the two AUTH commands work and are accepted correctly by the server?
 
Just to be sure, did you try to connect to a host (domain) that actually has an SSL/TLS certificate assigned to it?
Bash:
# cat /etc/proftpd.conf
...
<IfModule mod_tls.c>
        # common settings for all virtual hosts
        TLSEngine on
        TLSRequired on

        TLSLog /var/log/plesk/ftp_tls.log

        TLSRSACertificateFile /opt/psa/admin/conf/httpsd.pem
        TLSRSACertificateKeyFile /opt/psa/admin/conf/httpsd.pem
        TLSCertificateChainFile /opt/psa/admin/conf/httpsd.pem

        # Authenticate clients that want to use FTP over TLS?
        TLSVerifyClient off

        # Allow SSL/TLS renegotiations when the client requests them, but
        # do not force the renegotations.  Some clients do not support
        # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
        # clients will close the data connection, or there will be a timeout
        # on an idle data connection.
        TLSRenegotiate none

        # As of ProFTPD 1.3.3rc1, mod_tls only accepts SSL/TLS data connections
        # that reuse the SSL session of the control connection, as a security measure.
        # Unfortunately, there are some clients (e.g. curl) which do not reuse SSL sessions.
        TLSOptions NoSessionReuseRequired
</IfModule>
...

# cat /etc/proftpd.d/ssl.conf
<Global>
<IfModule mod_tls.c>
#TLSProtocol TLSv1 TLSv1.1 TLSv1.2
TLSProtocol TLSv1.2 TLSv1.3
TLSCipherSuite EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:CHACHA20:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!KRB5:!aECDH
TLSServerCipherPreference on
</IfModule>
</Global>


# cat /etc/proftpd.d/50-plesk.conf
#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.

# Global section
<Global>
RequireValidShell off

<IfModule mod_tls.c>
    TLSEngine on
    TLSRequired on
</IfModule>
</Global>

Note that, /opt/psa/admin/conf/httpsd.pem contains a valid certificate. I've confirmed it by using this online tool to validate the certificate:
SSL Certificate Decoder

The certificate will expire at Apr 15, 2025.

Strangely, when I run this command, it won't give me any SSL certificate:
Bash:
# openssl s_client -connect 1.2.3.4:21 -tls1_2
Connecting to 1.2.3.4
CONNECTED(00000003)
00E7CB58F87F0000:error:0A00010B:SSL routines:tls_validate_record_header:wrong version number:ssl/record/methods/tlsany_meth.c:81:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 194 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1737311808
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

Not sure if this helps, but there's no proftpd service. Every time I modify the proftpd configurations, I have to restart the xinetd service.
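The FileZilla message log in the first post and the openssl s_client output above are two views of the same protocol detail: explicit FTPS starts as plaintext FTP on port 21 and only switches to TLS after the server answers AUTH TLS with a 234 reply, so a client that sends a raw TLS ClientHello to port 21 (which is what openssl s_client does without `-starttls ftp`) receives the plaintext 220 banner and reports "wrong version number". The script below is an added example, not code from this thread, Plesk or ProFTPD. It parses FTP replies, pairs each AUTH command in a FileZilla log with the reply it got (the sample log is constructed from the lines quoted in the thread), and can run the same AUTH TLS exchange live against a host and port you supply (the host name in the block is a placeholder). The live probe verifies the certificate chain and hostname the way a real client does, so connecting by IP address to a certificate issued for a domain name surfaces as a certificate error rather than a silent success.

```python
"""Explicit FTPS (AUTH TLS) diagnostics.

Added example, not code from the thread or from Plesk/ProFTPD. Assumes a
server that speaks RFC 4217 explicit FTPS on the control port; the host and
port used for the live probe are placeholders.
"""
import re
import socket
import ssl

# Reply code for an accepted AUTH TLS (RFC 4217 / RFC 2228).
AUTH_ACCEPTED = 234
# Negative replies a server uses when it does not offer TLS on the control channel.
AUTH_REJECTED = {500, 502, 504, 534}

_REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_reply(line):
    """Split one FTP reply line into (code, is_last_line, text).

    RFC 959 marks intermediate lines of a multi-line reply with 'NNN-' and
    the final line with 'NNN '.
    """
    m = _REPLY_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an FTP reply line: %r" % line)
    return int(m.group(1)), m.group(2) == " ", m.group(3)


def read_reply(fp):
    """Read a complete reply (single or multi-line) from a text stream."""
    first = fp.readline()
    if not first:
        raise ConnectionError("connection closed before a reply arrived")
    code, last, text = parse_reply(first)
    lines = [text]
    while not last:
        line = fp.readline()
        if not line:
            raise ConnectionError("connection closed inside a multi-line reply")
        if line.startswith("%03d " % code):
            lines.append(line[4:].rstrip("\r\n"))
            last = True
        else:
            lines.append(line.rstrip("\r\n"))
    return code, "\n".join(lines)


def classify_auth_reply(code):
    """Map the reply to an AUTH command onto a verdict."""
    if code == AUTH_ACCEPTED:
        return "tls-offered"
    if code in AUTH_REJECTED:
        return "tls-not-offered"
    return "unexpected"


def diagnose_filezilla_log(text):
    """Pair each AUTH command in a FileZilla message log with the reply that
    followed it. Returns a list of (mechanism, code, verdict) tuples."""
    results = []
    pending = None
    for line in text.splitlines():
        m = re.match(r"^\S+\s+(Command|Response):\s+(.*)$", line)
        if not m:
            continue
        kind, payload = m.groups()
        if kind == "Command" and payload.upper().startswith("AUTH "):
            pending = payload.split(None, 1)[1].strip().upper()
        elif kind == "Response" and pending is not None:
            code, _, _ = parse_reply(payload)
            results.append((pending, code, classify_auth_reply(code)))
            pending = None
    return results


def probe_explicit_ftps(host, port=21, timeout=10):
    """Talk plaintext FTP first, then upgrade with AUTH TLS, exactly as an
    explicit-FTPS client (or `openssl s_client -starttls ftp`) does."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        fp = sock.makefile("r", encoding="latin-1")
        code, banner = read_reply(fp)
        if code != 220:
            return {"stage": "banner", "code": code, "text": banner}
        sock.sendall(b"AUTH TLS\r\n")
        code, text = read_reply(fp)
        result = {"stage": "auth", "code": code, "text": text,
                  "verdict": classify_auth_reply(code)}
        if result["verdict"] != "tls-offered":
            return result
        # Verify chain and hostname as a real client would; a mismatch between
        # the name you connect to and the certificate shows up here.
        ctx = ssl.create_default_context()
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result["tls_version"] = tls.version()
                result["cipher"] = tls.cipher()[0]
                result["peer_subject"] = tls.getpeercert().get("subject")
        except ssl.SSLCertVerificationError as exc:
            result["cert_error"] = str(exc)
        return result


# Constructed sample: the message-log lines FileZilla printed in the thread.
SAMPLE_FILEZILLA_LOG = """\
02:51:26 Response:      220 ProFTPD Server (ProFTPD) [1.2.3.4]
02:51:26 Command:       AUTH TLS
02:51:26 Response:      504 Command not implemented for that parameter
02:51:26 Command:       AUTH SSL
02:51:26 Response:      504 Command not implemented for that parameter
02:51:26 Error:         Critical error: Could not connect to server
"""

if __name__ == "__main__":
    for mechanism, code, verdict in diagnose_filezilla_log(SAMPLE_FILEZILLA_LOG):
        print("AUTH %s -> %d (%s)" % (mechanism, code, verdict))
    # Live probe against a placeholder host; replace before running.
    # print(probe_explicit_ftps("ftp.example.invalid"))
```

Run against the sample log it reports both AUTH TLS and AUTH SSL as "tls-not-offered" (504), which matches the 504 replies in the thread. For a live check, pass the domain name that the certificate was issued for rather than the IP, since `ssl.create_default_context()` performs hostname verification; a verdict of "tls-offered" followed by a `cert_error` tells you mod_tls is answering AUTH but the certificate does not match the name you used.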
 