Last updated: 2026-02-11
ProFTPD TLS/SSL Configuration Guide
This guide provides recommended TLS/SSL settings for ProFTPD to serve files over encrypted FTPS connections. ProFTPD uses mod_tls for TLS support, securing both the control channel (commands and authentication) and the data channel (file transfers).
Prerequisites
- ProFTPD 1.3.6 or later (for TLS 1.3 support)
- OpenSSL 1.1.1 or later
- mod_tls compiled in or loaded as a module
- A valid SSL/TLS certificate
Enable mod_tls
Ensure mod_tls is loaded. In your ProFTPD modules configuration:
LoadModule mod_tls.c
On Debian/Ubuntu, this is typically in /etc/proftpd/modules.conf. On RHEL/CentOS, check /etc/proftpd.conf or /etc/proftpd/conf.d/. If mod_tls was compiled in statically (proftpd -l lists the built-in modules), no LoadModule line is needed and the directive can be omitted.
TLS Configuration
Add the following to your ProFTPD configuration file (/etc/proftpd/proftpd.conf or a file in /etc/proftpd/conf.d/).
Enable TLS
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
</IfModule>
Certificate Files
TLSRSACertificateFile /etc/proftpd/ssl/cert.pem
TLSRSACertificateKeyFile /etc/proftpd/ssl/privkey.pem
TLSCertificateChainFile /etc/proftpd/ssl/chain.pem
TLSCertificateChainFile holds the intermediate CA certificates that are sent to clients so they can build a path to a trusted root. TLSCACertificateFile is a different thing: it is the trust store mod_tls uses to verify client certificates, and it is only needed together with TLSVerifyClient on. Keep the private key readable only by root (mode 0600).
For ECDSA certificates (an RSA and an ECDSA certificate can be configured side by side; the signature algorithms the client advertises decide which one is presented):
TLSECCertificateFile /etc/proftpd/ssl/cert-ec.pem
TLSECCertificateKeyFile /etc/proftpd/ssl/privkey-ec.pem
Protocol Versions
Restrict to TLS 1.2 and TLS 1.3:
TLSProtocol TLSv1.2 TLSv1.3
Cipher Suites
Configure strong AEAD cipher suites. This list governs TLS 1.2; the TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) are all AEAD with forward secrecy and are negotiated separately by OpenSSL:
TLSCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
Require TLS
Force all connections to use TLS. The mod_tls default is off, so without this line a client can log in and transfer files in plaintext on the same port:
TLSRequired on
Available values:
- on -- TLS required on both the control and the data channel (recommended)
- ctrl -- TLS required on the control channel only: USER/PASS are encrypted, but a client may still select PROT C and transfer files in plaintext
- data -- TLS required on the data channel only: file transfers are encrypted while credentials may be sent in the clear (rarely useful)
- off -- TLS is optional on both channels (the default when the directive is absent)
Session Settings
TLSOptions NoSessionReuseRequired EnableDiags
TLSTimeoutHandshake 30
NoSessionReuseRequired allows data connections that do not resume the control channel's TLS session. By default mod_tls insists on resumption because it binds each data connection to the client that authenticated on the control channel; without that binding, an attacker who reaches the passive data port first can hijack or inject into a transfer. Some FTP clients still cannot resume sessions, and the option prevents their transfers from failing. If every client you support resumes sessions, omit it. EnableDiags writes OpenSSL diagnostics to the TLSLog and is useful while troubleshooting; TLSTimeoutHandshake closes connections whose handshake has not completed within 30 seconds.
Client Certificate Verification
To require clients to present a certificate (mutual TLS), set TLSVerifyClient on. TLSCACertificateFile must then contain the CA certificates that issue your client certificates (TLSCARevocationFile can point at their CRL); without a trust anchor every client handshake fails verification:
TLSVerifyClient on
For most deployments, client certificate verification is not needed:
TLSVerifyClient off
Implicit vs Explicit FTPS
ProFTPD supports two FTPS modes:
- Explicit FTPS (port 21) -- The client connects in plaintext and upgrades to TLS with the AUTH TLS command. This is the default and most compatible mode. Because the TCP connection starts unencrypted, TLSRequired on is what forces the upgrade: mod_tls refuses USER until AUTH TLS has completed.
- Implicit FTPS (port 990) -- The connection is TLS-encrypted from the first byte. This is a legacy mode that predates AUTH TLS and is less common.
For implicit FTPS, add a separate virtual host:
<VirtualHost 0.0.0.0>
Port 990
TLSEngine on
TLSProtocol TLSv1.2 TLSv1.3
TLSRequired on
TLSOptions UseImplicitSSL
# ... same certificate and cipher settings
</VirtualHost>
Passive Mode Ports
Because the control channel is encrypted, firewall and NAT FTP helpers (for example the Linux conntrack FTP helper) cannot read the PASV reply and open the data port on demand. Pick a fixed passive range, allow it in the firewall, and, if the server sits behind NAT, set MasqueradeAddress to the public address it should advertise:
PassivePorts 49152 65534
Complete Configuration
<IfModule mod_tls.c>
# Enable TLS
TLSEngine on
TLSLog /var/log/proftpd/tls.log
# Certificate files
TLSRSACertificateFile /etc/proftpd/ssl/cert.pem
TLSRSACertificateKeyFile /etc/proftpd/ssl/privkey.pem
TLSCertificateChainFile /etc/proftpd/ssl/chain.pem
# Protocol versions
TLSProtocol TLSv1.2 TLSv1.3
# Cipher suites
TLSCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
# Require TLS for all connections
TLSRequired on
# Session options
TLSOptions NoSessionReuseRequired EnableDiags
TLSTimeoutHandshake 30
# Client certificates
TLSVerifyClient off
</IfModule>
# Passive ports
PassivePorts 49152 65534
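The directives above can be checked mechanically before a restart. The following is an added example, not part of this guide or of ProFTPD: a small Python audit that parses proftpd.conf text and flags the weak settings this guide replaces (legacy TLSProtocol values, non-AEAD or non-PFS TLSCipherSuite tokens, TLSRequired other than on, NoSessionReuseRequired, TLSVerifyClient on without a CA file). The two embedded configurations are constructed samples; the second mirrors the complete configuration above (key and chain lines omitted, since they do not affect the audit) and, as expected, draws exactly one warning, for NoSessionReuseRequired.

```python
"""Offline audit of mod_tls directives in a ProFTPD configuration (example tool for this guide, not part of ProFTPD)."""
import sys
from typing import Dict, List, Tuple

WEAK_PROTOCOLS = {"SSLV3", "SSLV23", "TLSV1", "TLSV1.0", "TLSV1.1"}
# OpenSSL aliases that expand to CBC/non-PFS suites, and substrings marking a suite as broken.
WEAK_CIPHER_ALIASES = {"ALL", "DEFAULT", "COMPLEMENTOFDEFAULT", "HIGH", "MEDIUM", "LOW"}
WEAK_CIPHER_MARKS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "ADH", "AECDH", "PSK")


def parse_config(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive (lower-cased; ProFTPD ignores case) to every argument list seen.
    Container tags (<IfModule>, <VirtualHost>) are skipped: the file is audited as one flat context."""
    seen: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue
        name, *args = line.split()
        seen.setdefault(name.lower(), []).append(args)
    return seen


def suite_is_weak(tok: str) -> bool:
    """True for an alias or suite that is not forward-secret AEAD (TLS 1.3 names always are)."""
    u = tok.upper()
    if u in WEAK_CIPHER_ALIASES or any(m in u for m in WEAK_CIPHER_MARKS):
        return True
    if u.startswith("TLS_"):
        return False
    return not (u.startswith(("ECDHE-", "DHE-")) and any(a in u for a in ("GCM", "CHACHA20", "CCM")))


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for the TLS posture of a configuration."""
    cfg = parse_config(text)
    out: List[Tuple[str, str]] = []

    def value(name: str) -> List[str]:
        return cfg.get(name, [[]])[-1]  # last occurrence wins

    if value("tlsengine")[:1] != ["on"]:
        out.append(("error", "TLSEngine is not 'on': mod_tls is inactive"))
    if not (cfg.get("tlsrsacertificatefile") or cfg.get("tlseccertificatefile")):
        out.append(("error", "no TLSRSACertificateFile or TLSECCertificateFile"))

    protos = {p.upper() for p in value("tlsprotocol")}
    if not protos:
        out.append(("warn", "TLSProtocol unset: the build default decides which versions are offered"))
    elif protos & WEAK_PROTOCOLS:
        out.append(("error", f"TLSProtocol allows legacy versions: {sorted(protos & WEAK_PROTOCOLS)}"))

    # Exclusions such as !aNULL are never offered, so only positive tokens count.
    bad = [tok for args in cfg.get("tlsciphersuite", []) for tok in args[-1].split(":")
           if tok and tok[0] not in "!-+" and suite_is_weak(tok)]
    if bad:
        out.append(("error", f"TLSCipherSuite offers non-PFS or non-AEAD suites: {bad}"))

    required = (value("tlsrequired")[:1] or ["off"])[0]  # mod_tls default is off
    if required != "on":
        why = {"ctrl": "the data channel may go plaintext (PROT C)",
               "data": "credentials may be sent in the clear",
               "off": "plaintext logins are accepted"}.get(required, "unrecognised value")
        out.append(("error", f"TLSRequired {required}: {why}"))

    if any(o.lower() == "nosessionreuserequired" for o in value("tlsoptions")):
        out.append(("warn", "NoSessionReuseRequired: data connections are not bound to the authenticated control session"))

    if value("tlsverifyclient")[:1] == ["on"] and not (
            cfg.get("tlscacertificatefile") or cfg.get("tlscacertificatepath")):
        out.append(("error", "TLSVerifyClient on without TLSCACertificateFile/Path: no trust anchors for client certificates"))
    return out


# Constructed sample: a permissive configuration of the kind this guide replaces.
WEAK_CONFIG = """
<IfModule mod_tls.c>
  TLSEngine on
  TLSRSACertificateFile /etc/proftpd/ssl/cert.pem
  TLSProtocol SSLv23
  TLSCipherSuite HIGH:MEDIUM:!aNULL
  TLSRequired ctrl
  TLSOptions NoSessionReuseRequired
  TLSVerifyClient on
</IfModule>
"""

# Constructed sample mirroring this guide's complete configuration (key and chain lines omitted).
GUIDE_CONFIG = """
TLSEngine on
TLSRSACertificateFile /etc/proftpd/ssl/cert.pem
TLSProtocol TLSv1.2 TLSv1.3
TLSCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
TLSRequired on
TLSOptions NoSessionReuseRequired EnableDiags
TLSVerifyClient off
"""

if __name__ == "__main__":  # audit a real file, or the weak sample when run bare
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONFIG
    for severity, msg in audit(text) or [("ok", "no TLS findings")]:
        print(f"{severity}: {msg}")
```

Run it as `python3 audit_tls.py /etc/proftpd/proftpd.conf`. The parser deliberately flattens containers, so a VirtualHost that overrides a directive is reported on whichever occurrence comes last; treat its output as a checklist, not a proof.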
Verification
Check the ProFTPD configuration and restart:
proftpd -t
systemctl restart proftpd
Test with OpenSSL. The output should show Protocol TLSv1.2 or TLSv1.3, one of the configured cipher suites, and Verify return code: 0 (ok) when the certificate chains to a CA in the system trust store:
openssl s_client -connect ftp.example.com:21 -starttls ftp
For implicit FTPS:
openssl s_client -connect ftp.example.com:990
Test with an FTP client like lftp. ftp:ssl-force makes lftp refuse to log in without TLS, and ssl:verify-certificate makes it reject an untrusted or mismatched certificate; data connections are protected by default (ftp:ssl-protect-data):
lftp -u username -e "set ftp:ssl-force true; set ssl:verify-certificate yes; ls; quit" ftp.example.com
Check the TLS log for connection details:
tail -f /var/log/proftpd/tls.log
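The checks above can be scripted from the client side. The following is an added example, not part of this guide or of ProFTPD: a Python probe that first sends USER over a plain TCP connection and expects the 5xx refusal that TLSRequired on produces, then logs in with ftplib's FTP_TLS, switches the data channel to PROT P, and reports the negotiated protocol and cipher together with whether the data connection resumed the control session (which mod_tls enforces unless NoSessionReuseRequired is set). Hostname, credentials and port are command-line arguments; the ProbeFTPS subclass, its data_session_reused attribute and the helper names are this example's own.

```python
"""Client-side probe of a ProFTPD FTPS endpoint (example tool for this guide, not part of ProFTPD):
confirm a plaintext USER is refused, then log in over explicit TLS, protect the data channel
with PROT P and report protocol, cipher and whether the data connection resumed the session."""
import argparse
import socket
import ssl
from ftplib import FTP_TLS
from typing import Iterable, Tuple


def read_reply(lines: Iterable[str]) -> Tuple[int, str]:
    """Consume one FTP reply, skipping '220-' style continuation lines,
    and return (code, text of the final line)."""
    for line in lines:
        line = line.rstrip("\r\n")
        if len(line) >= 4 and line[:3].isdigit() and line[3] == " ":
            return int(line[:3]), line[4:]
    raise EOFError("connection closed before a complete FTP reply")


def plaintext_login_rejected(host: str, port: int = 21, timeout: float = 10) -> Tuple[bool, str]:
    """Send USER without AUTH TLS. With 'TLSRequired on' ProFTPD answers with a
    5xx reply (550 SSL/TLS required on the control channel) instead of 331."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rx = sock.makefile("r", encoding="utf-8", errors="replace")
        code, text = read_reply(rx)
        if code != 220:
            raise RuntimeError(f"unexpected banner: {code} {text}")
        sock.sendall(b"USER anonymous\r\n")
        code, text = read_reply(rx)
        sock.sendall(b"QUIT\r\n")
        return code >= 500, f"{code} {text}"


class ProbeFTPS(FTP_TLS):
    """FTP_TLS that records whether the PROT P data connection resumed the control
    channel's TLS session. ftplib passes session=self.sock.session when wrapping
    the data socket (Python 3.6+), which is exactly what mod_tls checks."""
    data_session_reused = None

    def ntransfercmd(self, cmd, rest=None):
        conn, size = super().ntransfercmd(cmd, rest)
        if self._prot_p:  # conn is already an SSLSocket with the handshake done
            self.data_session_reused = conn.session_reused
        return conn, size


def protected_listing(host: str, user: str, password: str,
                      port: int = 21, timeout: float = 10) -> dict:
    """Explicit FTPS login with certificate verification, then a PROT P NLST."""
    ctx = ssl.create_default_context()            # verifies chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # never fall back to TLS 1.0/1.1
    ftps = ProbeFTPS(context=ctx, timeout=timeout)
    ftps.connect(host, port)
    ftps.auth()                                   # AUTH TLS, then the handshake
    ftps.login(user, password)                    # credentials now travel encrypted
    ftps.prot_p()                                 # PBSZ 0 + PROT P
    names = ftps.nlst()
    result = {"protocol": ftps.sock.version(),
              "cipher": ftps.sock.cipher()[0],
              "entries": len(names),
              "data_session_reused": ftps.data_session_reused}
    ftps.quit()
    return result


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="probe an FTPS server's TLS enforcement")
    for arg in ("host", "user", "password"):
        ap.add_argument(arg)
    ap.add_argument("--port", type=int, default=21)
    a = ap.parse_args()
    rejected, reply = plaintext_login_rejected(a.host, a.port)
    print(f"plaintext USER rejected: {rejected} ({reply})")
    print(protected_listing(a.host, a.user, a.password, a.port))
```

A healthy server prints `plaintext USER rejected: True (550 ...)`, a protocol of TLSv1.2 or TLSv1.3 with one of the configured AEAD suites, and `data_session_reused: True`. A False there means the client did not resume the session; such a client only works against the server because NoSessionReuseRequired is set.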