3

When setting TLSRequired to on instead of off in my ProFTPD tls.conf, I always get a

550 SSL/TLS required on the data channel

error when trying to connect. I tried it out with both FileZilla and WinSCP, and with ProFTPD versions 1.3.3a and 1.3.4a.

This is my tls.conf:

<IfModule mod_tls.c>
TLSEngine                               on
TLSProtocol                             SSLv23 TLSv1
TLSRSACertificateFile                   /etc/ssl/private/cert.crt
TLSRSACertificateKeyFile                /etc/ssl/private/cert.key
TLSVerifyClient                         off
TLSRequired                             on
</IfModule>

The error occurs after executing the FTP LIST command. This is a short excerpt from the debug log in FileZilla:

Command:    PASV
Trace:  CFtpControlSocket::OnReceive()
Response:   227 Entering Passive Mode (78,46,187,75,208,71).
Trace:  CFtpControlSocket::TransferParseResponse()
Trace:  CFtpControlSocket::SendNextCommand()
Trace:  CFtpControlSocket::TransferSend()
Command:    LIST
Trace:  CFtpControlSocket::OnReceive()
Response:   550 SSL/TLS required on the data channel
Trace:  CFtpControlSocket::TransferParseResponse()
Trace:  CFtpControlSocket::ResetOperation(2)
Trace:  CControlSocket::ResetOperation(2)
Trace:  CFtpControlSocket::ParseSubcommandResult(2)
Trace:  CFtpControlSocket::ListSubcommandResult()
Trace:  CFtpControlSocket::ResetOperation(2)
Trace:  CControlSocket::ResetOperation(2)
Error:  Directory listing could not be retrieved
Castaglia
Zulakis

2 Answers

0

I recently had a similar problem, but not with FileZilla. When I used FileZilla as my FTP client, all was good. But for some reason PhpStorm's internal FTP client had the above issue: it could connect but could not list the directory.

In proftpd.conf I used the following config, and now PhpStorm's FTP client can connect to the FTP server. However, the data channel is not required to be encrypted with the option below:

TLSRequired                    ctrl

Another possible solution could be flipping the FTP connection to "passive", since this is a directory listing issue.

Haluk
0

For those finding this issue now, with ProFTPD and FTPS clients like FileZilla and WinSCP, the same discussion was reported in the ProFTPD forums here.

The root cause was that elsewhere in @Zulakis' proftpd.conf, there was a <Limit> section covering the FTP PROT command. The PROT command is part of FTPS, and is used by FTPS clients to inform the server to protect the data transfer being requested. If the <Limit> section in the proftpd.conf told ProFTPD to reject that PROT command, but the TLS policy configured via TLSRequired said that SSL/TLS protection was required for the data transfer, it would result in the above error reported to the client.

To address this issue, ProFTPD Bug#3887 was filed and fixed, as of ProFTPD 1.3.4c (and ProFTPD 1.3.5).

Hope this helps!

Castaglia
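
A way to check a configuration for the conflict described in the answer above, as an added example (not part of the original posts, and not ProFTPD code): it flags `<Limit>` sections that name PROT explicitly and contain a Deny* directive while TLSRequired demands data-channel protection. The sample configurations are constructed; as simplifying assumptions, command groups in `<Limit>` are not expanded and the last TLSRequired seen is treated as the effective one.

```python
import re

# TLSRequired values under which mod_tls insists on a protected data channel.
DATA_REQUIRED = {"on", "data", "auth+data"}

def find_prot_conflicts(conf_text):
    """Return [(line_no, header)] for each <Limit> section that names PROT and
    holds a Deny* directive, but only if TLSRequired requires data protection."""
    tls_required = None
    open_limit = None      # (line_no, header) of a PROT-covering section being read
    denying = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and padding
        if not line:
            continue
        start = re.match(r"<Limit\s+([^>]+)>", line, re.I)
        if start:
            cmds = {c.upper() for c in start.group(1).split()}
            open_limit = (no, line) if "PROT" in cmds else None
        elif re.match(r"</Limit>", line, re.I):
            open_limit = None
        elif open_limit and line.lower().startswith("deny"):
            denying.append(open_limit)               # report each section once
            open_limit = None
        elif line.lower().startswith("tlsrequired"):
            parts = line.split()
            if len(parts) > 1:
                tls_required = parts[1].lower()
    return denying if tls_required in DATA_REQUIRED else []

# Constructed sample: the TLS policy from the question plus a <Limit> that denies PROT.
SAMPLE_BROKEN = """\
<IfModule mod_tls.c>
TLSEngine on
TLSRequired on
</IfModule>
<Limit PROT>
  DenyAll
</Limit>
"""

# Constructed sample: same policy, no <Limit> touching PROT.
SAMPLE_OK = """\
TLSEngine on
TLSRequired on
<Limit SITE_CHMOD>
  DenyAll
</Limit>
"""

if __name__ == "__main__":
    for line_no, header in find_prot_conflicts(SAMPLE_BROKEN):
        print(f"line {line_no}: {header} denies PROT while TLSRequired protects data")
```
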