I'm trying to set up the following environment:

There is a single FTP server (Debian 9, proftpd 1.3.6-4), reachable at 1.2.3.4, and two domains that point to that IP address:

  • example1.com -> 1.2.3.4
  • example2.com -> 1.2.3.4

Each of these domains has its own certificate.

How can I serve both certificates with proftpd?

According to this (ProFTPd: Multiple Domain VirtualHosts on one IP address), it should be possible.

So my config would look like:

<VirtualHost example1.com>
    TLSEngine                               on
    TLSLog                                  /var/log/proftpd/tls.log
    TLSProtocol                             SSLv23
    TLSOptions                              NoCertRequest EnableDiags NoSessionReuseRequired
    TLSVerifyClient                         off
    TLSRSACertificateFile                   /etc/apache2/ssl/cert-example1.com.pem
    TLSRSACertificateKeyFile                /etc/apache2/ssl/privkey-example1.com.pem
</VirtualHost>

<VirtualHost example2.com>
    TLSEngine                               on
    TLSLog                                  /var/log/proftpd/tls.log
    TLSProtocol                             SSLv23
    TLSOptions                              NoCertRequest EnableDiags NoSessionReuseRequired
    TLSVerifyClient                         off
    TLSRSACertificateFile                   /etc/apache2/ssl/cert-example2.com.pem
    TLSRSACertificateKeyFile                /etc/apache2/ssl/privkey-example2.com.pem
</VirtualHost>

Unfortunately, none of them work. It only works for one domain if I put the IP address instead of the DNS name in it.

I turned on debugging to see what's happening. I always get a "no matching vhost found for 1.2.3.4" message.

Vince
  • What is your ftp client? – Michael Hampton May 29 '19 at 05:43
  • I'm testing with FileZilla 3.39.0 – Vince May 29 '19 at 06:15
  • I'm having the same problem right now. The point is that the developer of proftpd said that the mod_tls module which is active by default supports SNI. That means to me that exactly your configuration must be working. See the entry from 2019-05-25 here: https://github.com/Castaglia/proftpd-mod_autohost/issues/5 – M46 Feb 28 '20 at 10:11

1 Answer

For Windows: try WinSCP; it has supported that feature for a while.

I don't know any other client that implements that feature. I assume it's just that FTP(S) is quite out of scope nowadays, as implementation of that feature should be more or less a no-brainer in most applications.

Edit: including some explanation of why this feature depends on client support, as requested by @RalfFriedl:

For the server to be able to deliver a different SSL certificate to the client depending on the hostname the client expects, it needs to know which hostname the client expects.
The TCP/IP connection itself which arrives at the server does not include this information (it only works with the numeric IP addresses and TCP port numbers).
So if, for the same address and port, the server wants to send different certificates depending on what the client expects, the client needs to supply the information.

For the case of FTP(E)S name-based virtual hosts, the client sends a HOST command with the expected hostname as parameter before it initiates the SSL negotiation, so that the server knows which hostname the client wants to talk to before initiating the promotion of the connection to SSL, during which the certificate is sent to the client.
(This mechanism could of course also be used without SSL just for the server to deliver different content or such based on the target hostname. I don't know whether ProFTPd does this and this is not the question here.)

EOhm
  • How would a client support a server feature? – RalfFriedl Oct 06 '19 at 21:58
  • Do You mean this specific feature? Or is this a general question? OK, let's take this example. – EOhm Oct 07 '19 at 22:18
  • For the server to be able to deliver a different SSL certificate to the client depending on the hostname the client expects, it needs to know which hostname the client expects. The TCP/IP connection itself which arrives at the server does not include this information (it only works with the numeric IP addresses and TCP port numbers). So if, for the same address and port, the server wants to send different certificates depending on what the client expects, the client needs to supply the information. – EOhm Oct 07 '19 at 22:26
  • So for the case of FTP(E)S name-based virtual hosts, the client sends a HOST command with the expected hostname as parameter before it initiates the SSL negotiation, so the server knows which hostname the client wants to talk to before initiating the promotion of the connection to SSL. (This mechanism could of course also be used without SSL just for the server to deliver different content or such based on the target hostname.) @RalfFriedl – EOhm Oct 07 '19 at 22:31
  • You should edit that into the answer. – RalfFriedl Oct 08 '19 at 05:07
  • Thank you for your explanation. So in order to get it working, I will set up some virtual IPs on the firewall for each domain name. Then I can use the IP address to use different certificates. – Vince Nov 29 '19 at 10:25
  • Yes, that is an option if You can afford the necessary multiple public IPv4s, or if You need them only for private networking or IPv6 access is sufficient (in those cases multiple addresses are not an issue, usually). @Vince – EOhm Nov 29 '19 at 20:22
  • WinSCP also doesn't work here. So that wasn't the solution. – ygoe Feb 03 '21 at 21:19
  • What do You mean, @ygoe? There is no issue known with using WinSCP to verify that setup. – EOhm Feb 08 '21 at 03:25
  • What I mean? I've set up ProFTPd like that and connected with WinSCP and was presented the wrong certificate. Doesn't look like SNI does something here. – ygoe Feb 14 '21 at 11:37
  • Exactly, @ygoe, that was what we talked about: the name-based virtual hosting specified for FTPES servers is not implemented utilizing SNI but within the FTP and FTPES protocol (and as such cannot work for certificates for the less used FTPIS). – EOhm Feb 21 '21 at 00:23
  • You can check the settings of the FTP environment of the connection; You can find the option "use HOST-Command" there for Your FTP connection with explicit encryption. The default should be automatic, so it is detected by analyzing server-advertised features on the initial connection. – EOhm Feb 21 '21 at 00:31
  • That's all well and good, and it's set up like that. Yet it doesn't work. That's all I can observe. – ygoe Feb 21 '21 at 09:50
  • Then check the debug logs of proftpd for that? – EOhm Mar 13 '21 at 16:51
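As an added example (not part of the question, the answer or the comments), a small Python probe that follows the sequence EOhm describes, HOST before AUTH TLS, and then reports which certificate the server actually presented for that hostname, so a mismatch like the one ygoe observed can be checked from a script rather than a client's settings dialog. It assumes the server's certificate chains to a CA in the local trust store (the chain is verified, the hostname comparison is done by the probe itself) and that address, hostname and port are placeholders to fill in.

```python
import socket
import ssl

def read_reply(rfile):  # one FTP control reply, single- or multi-line (RFC 959) -> (code, text)
    line = rfile.readline().decode("utf-8", "replace")
    if len(line) < 4:
        raise ConnectionError("control connection closed or malformed reply")
    code, lines = line[:3], [line.rstrip("\r\n")]
    if line[3] == "-":                       # multi-line reply ends with "<code><space>"
        while not line.startswith(code + " "):
            line = rfile.readline().decode("utf-8", "replace")
            if not line:
                raise ConnectionError("control connection closed mid-reply")
            lines.append(line.rstrip("\r\n"))
    return int(code), "\n".join(lines)

def cert_matches_host(cert, hostname):
    """True if hostname is covered by a SAN dNSName (CN is used only when the cert has no SAN)."""
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    host = hostname.lower().rstrip(".")
    for name in names:
        if name.startswith("*."):            # a wildcard covers exactly one leftmost label
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False

def probe_ftps_cert(address, hostname, port=21, timeout=10):
    """Send HOST <hostname>, then AUTH TLS; report which certificate the server presented for it."""
    ctx = ssl.create_default_context()      # chain must verify against the local CA store
    ctx.check_hostname = False              # we compare the cert against hostname ourselves
    with socket.create_connection((address, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        read_reply(rfile)                   # consume the 220 greeting
        sock.sendall(("HOST %s\r\n" % hostname).encode("ascii"))
        host_reply = read_reply(rfile)[1]   # 220 = accepted; a 5xx here means HOST unsupported/unknown
        sock.sendall(b"AUTH TLS\r\n")
        code, auth_reply = read_reply(rfile)
        if code != 234:
            raise RuntimeError("AUTH TLS refused: " + auth_reply)
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:   # SNI is sent as well
            cert = tls.getpeercert()
            tls.sendall(b"QUIT\r\n")
    return {"host_reply": host_reply, "cert": cert, "matches": cert_matches_host(cert, hostname)}
```

Running `probe_ftps_cert("1.2.3.4", "example2.com")` against the setup in the question shows both the server's reply to HOST and whether the certificate it then presents covers example2.com.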