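{
    use esmith::ssl;

    # mod_tls (FTPS) fragment for proftpd.conf. Emitted only when TLS is
    # enabled, which is the default when ftp{TLSEnable} is unset.
    if (($ftp{TLSEnable} || 'on') eq 'on') {

        # TLSRequired: "on" drops plain (non-TLS) FTP connections, "off" allows them.
        my $tlsrequired = $ftp{'TLSRequired'} || "on";
        # TLSVerifyClient: "on" requires and verifies a client certificate.
        my $tlsclient = $ftp{'TLSVerifyClient'} || "off";

        # Reuse the httpd certificate and key by default.
        my $defaultcrt = "/home/e-smith/ssl.crt/${SystemName}.${DomainName}.crt";
        my $defaultkey = "/home/e-smith/ssl.key/${SystemName}.${DomainName}.key";

        # A custom modSSL cert/key pair is used only when BOTH files exist.
        # Falling back on just one of them (as the old per-file check did)
        # would hand mod_tls a certificate and a key that do not match, and
        # proftpd would refuse to start.
        my $crt = $modSSL{'crt'} || $defaultcrt;
        my $key = $modSSL{'key'} || $defaultkey;
        unless (-e $crt && -e $key) {
            $crt = $defaultcrt;
            $key = $defaultkey;
        }

        # Optional intermediate chain, emitted only when the file exists.
        my $chain_path = $modSSL{CertificateChainFile};
        my $chain_file = (defined $chain_path && $chain_path ne '' && -e $chain_path)
            ? "TLSCertificateChainFile $chain_path"
            : "# no chain cert";

        # Custom DH parameters for the TLS key exchange; 4096 wins over 2048
        # when both are present. TLSDHParamFile is the mod_tls directive;
        # SFTPDHParamFile (previously used here) belongs to mod_sftp and does
        # not configure mod_tls.
        my $ftpdhparam = "#no dh param";
        for my $bits (qw(2048 4096)) {
            my $dh = "/home/e-smith/dh.pem/$bits.pem";
            $ftpdhparam = "TLSDHParamFile $dh" if dh_exists_good_size($bits, $dh);
        }

        my $ciphers = $ftp{CipherSuite} || $modSSL{CipherSuite} || $smeCiphers;

        # SME11 ships the proftpd 1.3.6 branch, whose mod_tls does not know
        # TLSv1.3: strip it from the shared protocol list. The shared variable
        # is still modified in place, as before, so later fragments see the
        # same value; the dot is escaped so only the literal "TLSv1.3" matches.
        $smeSSLprotocol =~ s/TLSv1\.3//g;
        (my $protocols = $smeSSLprotocol) =~ s/^\s+|\s+$//g;
        $protocols =~ s/\s+/ /g;
        # Never emit an empty TLSProtocol (a proftpd config error); TLSv1.2 is
        # the newest version this mod_tls supports.
        $protocols = 'TLSv1.2' if $protocols eq '';

        # TLSOptions:
        #  - NoCertRequest: do not ask the client for a certificate (works
        #    around clients that mishandle the request). Emitted only when
        #    client verification is off: with it set, a client is never asked
        #    for the certificate that TLSVerifyClient on/optional expects.
        #  - AllowClientRenegotiations: permits client-initiated TLS
        #    renegotiation, which mod_tls otherwise refuses because it is a
        #    known CPU-exhaustion (DoS) vector. Kept for client compatibility;
        #    worth re-evaluating against the clients actually in use.
        #  - NoSessionReuseRequired: newer clients need it to list directories
        #    over TLS data connections.
        my @tlsoptions = ('AllowClientRenegotiations', 'NoSessionReuseRequired');
        unshift @tlsoptions, 'NoCertRequest' if $tlsclient eq 'off';
        my $tlsoptions = join ' ', @tlsoptions;

        $OUT .= <<SSL_END;

<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol $protocols
TLSCipherSuite $ciphers
TLSOptions $tlsoptions
TLSRSACertificateFile $crt
TLSRSACertificateKeyFile $key
$chain_file
$ftpdhparam
TLSVerifyClient $tlsclient
TLSRequired $tlsrequired
</IfModule>
SSL_END
    }
}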