FTP SSL/TLS Configuration Guide: ProFTPD and Pure-FTPd
This guide covers configuring SSL/TLS encryption for existing ProFTPD and Pure-FTPd installations on both RPM-based and Debian-based systems.
Prerequisites
Before configuring SSL/TLS, ensure you have:
- ProFTPD or Pure-FTPd already installed and running
- SSL certificate files (certificate, private key, CA bundle)
- Root or sudo access to the server
ProFTPD SSL Configuration
Install Paid SSL Certificate
Copy your paid SSL certificate files to the appropriate locations:
# Copy certificate files
sudo cp your-cert.crt /etc/ssl/certs/proftpd.crt
sudo cp your-private.key /etc/ssl/private/proftpd.key
# Set proper permissions
sudo chmod 600 /etc/ssl/private/proftpd.key
sudo chmod 644 /etc/ssl/certs/proftpd.crt
# Copy CA bundle if provided
sudo cp your-ca-bundle.crt /etc/ssl/certs/proftpd-ca.crt
sudo chmod 644 /etc/ssl/certs/proftpd-ca.crt
Configure ProFTPD SSL Module
1. Enable TLS Module
Edit /etc/proftpd/proftpd.conf and add:
LoadModule mod_tls.c
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol TLSv1.2 TLSv1.3
TLSCipherSuite HIGH:MEDIUM:!aNULL:!MD5
TLSOptions NoCertRequest EnableDiags NoSessionReuseRequired
TLSRSACertificateFile /etc/ssl/certs/proftpd.crt
TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key
TLSCACertificateFile /etc/ssl/certs/proftpd-ca.crt
TLSVerifyClient off
TLSRequired on
</IfModule>
2. Restart ProFTPD
sudo systemctl restart proftpd
Firewall Configuration for Passive Mode
# RPM-based systems
sudo firewall-cmd --permanent --add-port=21/tcp
sudo firewall-cmd --permanent --add-port=30000-31000/tcp
sudo firewall-cmd --reload
# Debian-based systems
sudo ufw allow 21/tcp
sudo ufw allow 30000:31000/tcp
sudo ufw reload
Add passive port range to ProFTPD config:
PassivePorts 30000 31000
Pure-FTPd SSL Configuration
Install Paid SSL Certificate
Option 1: Combine certificate files into single PEM
# Combine certificate, intermediate, and private key
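# The redirect must run as root, and umask 077 keeps the new file private from the start
sudo sh -c 'umask 077; cat your-cert.crt your-ca-bundle.crt your-private.key > /etc/ssl/private/pure-ftpd.pem'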
sudo chmod 600 /etc/ssl/private/pure-ftpd.pem
Option 2: Certificate only (if no intermediate required)
sudo sh -c 'umask 077; cat your-cert.crt your-private.key > /etc/ssl/private/pure-ftpd.pem'
sudo chmod 600 /etc/ssl/private/pure-ftpd.pem
Configure Pure-FTPd SSL
RPM-based systems: Edit /etc/pure-ftpd/pure-ftpd.conf:
TLS 2
CertFile /etc/ssl/private/pure-ftpd.pem
TLSCipherSuite HIGH:MEDIUM:!aNULL:!MD5
MinTLSVersion 1.2
Debian-based systems: Enable TLS and configure certificate:
echo '2' | sudo tee /etc/pure-ftpd/conf/TLS
echo '/etc/ssl/private/pure-ftpd.pem' | sudo tee /etc/pure-ftpd/conf/CertFile
Restart Pure-FTPd
sudo systemctl restart pure-ftpd
Testing SSL/TLS Connection
Test with FileZilla or similar FTP client:
- Host: your-server-ip
- Port: 21
- Encryption: Use explicit FTP over TLS if available
- Protocol: FTP
Command line test:
# Test TLS connection
openssl s_client -connect your-server:21 -starttls ftp
SSL Configuration Options
TLS Requirement Levels
ProFTPD TLSRequired options:
- off: TLS not required (allows plain connections)
- on: TLS required for all connections
- ctrl: TLS required for control connection only
- data: TLS required for data connection only
Pure-FTPd TLS modes:
- 0: Disable TLS
- 1: Accept both SSL/TLS and clear connections
- 2: Refuse connections without SSL/TLS
- 3: Clear connections allowed only for localhost
Passive Mode Configuration
For ProFTPD, add to configuration:
PassivePorts 30000 31000
MasqueradeAddress your-public-ip
For Pure-FTPd:
# RPM-based
echo 'PassivePortRange 30000 31000' | sudo tee -a /etc/pure-ftpd/pure-ftpd.conf
# Debian-based
echo '30000 31000' | sudo tee /etc/pure-ftpd/conf/PassivePortRange
Security Recommendations
- Use TLS 1.2 or higher – Disable older SSL/TLS versions
- Strong cipher suites – Use HIGH:MEDIUM:!aNULL:!MD5 or similar
- Valid certificates – Use trusted CA certificates for production
- Firewall rules – Open only necessary ports
- Regular updates – Keep FTP server software updated
- Monitor logs – Check /var/log/proftpd/ or /var/log/pure-ftpd/ for issues
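The following is an added example, not part of the original guide: a shell function that checks a ProFTPD config file against the settings recommended above (TLSEngine on, TLSRequired on, TLSProtocol limited to TLSv1.2 and TLSv1.3, and a private key without group/other permissions). The function name audit_proftpd_tls and the sample config are constructed for illustration, and the check expects the directive values exactly as this guide writes them.

```sh
# Audit a ProFTPD config against the mod_tls settings this guide recommends.
# Prints one FAIL line per finding and returns 0 only when nothing is flagged.
audit_proftpd_tls() {
    conf=$1
    findings=$(awk '
        /^[ \t]*#/ { next }                       # skip comment lines
        { d = tolower($1) }                       # directive name, case-folded
        d == "tlsengine"   { engine = tolower($2) }
        d == "tlsrequired" { required = tolower($2) }
        d == "tlsprotocol" { protos = $0; sub(/^[ \t]*[^ \t]+[ \t]*/, "", protos) }
        END {
            if (engine != "on")
                print "FAIL TLSEngine is not set to on"
            if (required != "on")
                print "FAIL TLSRequired is not set to on (control or data may travel in clear)"
            if (protos == "")
                print "FAIL TLSProtocol is not set explicitly"
            n = split(protos, p, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (p[i] != "" && p[i] != "TLSv1.2" && p[i] != "TLSv1.3")
                    print "FAIL TLSProtocol lists " p[i] " (guide allows only TLSv1.2 and TLSv1.3)"
        }' "$conf")
    # The private key must carry no group/other permission bits (chmod 600).
    keyfile=$(awk 'tolower($1) == "tlsrsacertificatekeyfile" { k = $2 } END { print k }' "$conf")
    if [ -n "$keyfile" ] && [ -e "$keyfile" ]; then
        mode=$(ls -ldL "$keyfile" | cut -c5-10)
        [ "$mode" = "------" ] || findings="$findings
FAIL $keyfile has group/other permissions ($mode)"
    fi
    findings=$(printf '%s\n' "$findings" | sed '/^$/d')
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample input: a weakened variant of the guide's mod_tls block.
demo=$(mktemp)
cat > "$demo" <<'EOF'
<IfModule mod_tls.c>
TLSEngine on
TLSProtocol TLSv1 TLSv1.2
TLSRequired ctrl
</IfModule>
EOF
audit_proftpd_tls "$demo" || true
rm -f "$demo"
```

Run it against the live file with `audit_proftpd_tls /etc/proftpd/proftpd.conf` as a user who can read the key's directory; a non-zero return means at least one setting deviates from the guide.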
Your FTP server now supports encrypted SSL/TLS connections for secure file transfers.

