There are only a handful of TLS-related directives that can be included in the proftpd.conf file. It is important to remember, however, that changing the value of any of these directives is likely to have an adverse effect on the functionality of ProFTPD on your server.

There are three TLS directives that have significant impact on the performance of your FTP server. In addition, there are several directives that tell TLS where to look for specific files required for TLS-based authentication.

TlsRequired

This directive tells ProFTPD whether it should accept connections that are not TLS-encrypted. Unless you are absolutely certain that every person who will be using FTP on your Virtual Private Server has a TLS-capable client that supports one of the allowed encryption ciphers, you should not change this.

The default value for TlsRequired is off. To force TLS-encrypted connections only, change the value to on.

TlsRequired     off

TlsCertsOk

TLS uses certificates for verification in the same way SSL does. Because obtaining a signed certificate from a trusted authority can be prohibitively expensive, some people use self-signed certificates. For Virtual Private Servers with SSL support, you can use your existing SSL certificate or the default *.securesites.net certificate.

The default setting on the Virtual Private Server allows you to use unsigned certificates when using FTP. To force only signed certificates, you can change the TlsCertsOk value to on.

TlsCertsOk      off

TlsCipherList

The TlsCipherList directive tells ProFTPD which ciphers it may use. Depending on your FTP client, some of these ciphers may not be supported. The following is the directive with its default value.

TlsCipherList    ALL:!EXP

Below is the segment of the README that explains how to build the value of the TlsCipherList directive.

How to put together a 'cipher list string':
  Key Exchange Algorithms:
    "kRSA"      RSA key exchange
    "kDHr"      Diffie-Hellman key exchange (key from RSA cert)
    "kDHd"      Diffie-Hellman key exchange (key from DSA cert)
    "kEDH"      Ephemeral Diffie-Hellman key exchange (temporary key)

  Authentication Algorithm:
    "aNULL"     No authentication
    "aRSA"      RSA authentication
    "aDSS"      DSS authentication
    "aDH"       Diffie-Hellman authentication

  Cipher Encoding Algorithm:
    "eNULL"     No encoding
    "DES"       DES encoding
    "3DES"      Triple DES encoding
    "RC4"       RC4 encoding
    "RC2"       RC2 encoding
    "IDEA"      IDEA encoding

  MAC Digest Algorithm:
    "MD5"       MD5 hash function
    "SHA1"      SHA1 hash function
    "SHA"       SHA hash function (should not be used)

  Aliases:
    "ALL"       all ciphers
    "SSLv2"     all SSL version 2.0 ciphers (should not be used)
    "SSLv3"     all SSL version 3.0 ciphers
    "EXP"       all export ciphers (40-bit)
    "EXPORT56"  all export ciphers (56-bit)
    "LOW"       all low strength ciphers (no export)
    "MEDIUM"    all ciphers with 128-bit encryption
    "HIGH"      all ciphers using greater than 128-bit encryption
    "RSA"       all ciphers using RSA key exchange
    "DH"        all ciphers using Diffie-Hellman key exchange
    "EDH"       all ciphers using Ephemeral Diffie-Hellman key exchange
    "ADH"       all ciphers using Anonymous Diffie-Hellman key exchange
    "DSS"       all ciphers using DSS authentication
    "NULL"      all ciphers using no encryption

Each item in the list may include a prefix modifier:

    "+"         move cipher(s) to the current location in the list
    "-"         remove cipher(s) from the list (may be added again by
                a subsequent list entry)
    "!"         kill cipher from the list (it may not be added again
                by a subsequent list entry)

If no modifier is specified the entry is added to the list at the current
position.  "+" may also be used to combine tags within a single entry, so that
"RSA+RC4" describes all ciphers that use both RSA and RC4.

For example, all available ciphers not including ADH key exchange:

  ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

All algorithms including ADH and export but excluding patented algorithms: 

  HIGH:MEDIUM:LOW:EXPORT56:EXP:ADH:!kRSA:!aRSA:!RC4:!RC2:!IDEA

The OpenSSL command 

  openssl ciphers -v list of ciphers 

may be used to list all of the ciphers and the order described by a specific
list of ciphers.
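To see how the modifier rules above actually play out, here is an added example (not from this page, the README or ProFTPD) that models them in Python over a small constructed table of cipher suites tagged with the README's categories. It resolves the page's default "ALL:!EXP" and the README's own example strings, and flags any selected suite that carries a tag a defender would not want (aNULL, eNULL, EXP, LOW); the suite table and the WEAK set are assumptions for illustration, not OpenSSL's real cipher database.

```python
# Constructed table: suite name -> tags from the README's categories.
# Real OpenSSL builds carry far more suites; this is enough to show the rules.
CIPHERS = {
    "DES-CBC3-SHA":         {"ALL", "SSLv3", "kRSA", "aRSA", "RSA", "3DES", "SHA1", "HIGH"},
    "EDH-DSS-DES-CBC3-SHA": {"ALL", "SSLv3", "kEDH", "aDSS", "DH", "EDH", "DSS", "3DES", "SHA1", "HIGH"},
    "RC4-SHA":              {"ALL", "SSLv3", "kRSA", "aRSA", "RSA", "RC4", "SHA1", "MEDIUM"},
    "RC4-MD5":              {"ALL", "SSLv3", "kRSA", "aRSA", "RSA", "RC4", "MD5", "MEDIUM"},
    "ADH-RC4-MD5":          {"ALL", "SSLv3", "kEDH", "aNULL", "DH", "EDH", "ADH", "RC4", "MD5", "MEDIUM"},
    "EXP-RC4-MD5":          {"ALL", "SSLv3", "kRSA", "aRSA", "RSA", "RC4", "MD5", "EXP"},
}

# Tags a defender would not want in a resolved TlsCipherList (assumed set).
WEAK = {"aNULL": "no server authentication", "eNULL": "no encryption",
        "EXP": "40-bit export key", "LOW": "low-strength cipher"}


def resolve(spec):
    """Return the ordered suite names selected by a cipher list string."""
    order, killed = [], set()
    for entry in filter(None, spec.split(":")):
        mod = ""
        if entry[0] in "+-!":
            mod, entry = entry[0], entry[1:]
        tags = entry.split("+")              # "RSA+RC4": suite must carry every tag
        hit = [c for c, t in CIPHERS.items() if all(tag in t for tag in tags)]
        if mod == "!":                       # kill: removed and can never be re-added
            killed.update(hit)
            order = [c for c in order if c not in killed]
        elif mod == "-":                     # remove: a later entry may add it again
            order = [c for c in order if c not in hit]
        elif mod == "+":                     # move matching suites to the current position
            order = [c for c in order if c not in hit] + [c for c in order if c in hit]
        else:                                # plain entry: append suites not yet listed
            order += [c for c in hit if c not in order and c not in killed]
    return order


def weak_ciphers(spec):
    """Map each selected suite to the WEAK tags it carries (empty dict = clean)."""
    return {c: [w for w in WEAK if w in CIPHERS[c]]
            for c in resolve(spec) if WEAK.keys() & CIPHERS[c]}


if __name__ == "__main__":
    for spec in ("ALL:!EXP",                                        # the page's default
                 "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP",  # README example 1
                 "HIGH:!aNULL:!eNULL:!EXP:!LOW"):                    # a stricter list
        print(spec, "->", resolve(spec), "weak:", weak_ciphers(spec))
```

Note that the README's first example still ends with an export suite, and the page's default "ALL:!EXP" still admits an anonymous (aNULL) suite: the "+" entries only reorder, and only "!" or "-" actually drop suites.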

Other TLS Directives

There are some other directives that tell ProFTPD where to find its certificate, key and related files. You are not likely to need to change any of these values. The following shows the certificate file related directives with their default values.

TlsRsaCertFile    ftpd-rsa.pem
TlsRsaKeyFile     ftpd-rsa-key.pem
TlsDsaCertFile    ftpd-dsa.pem
TlsDsaKeyFile     ftpd-dsa-key.pem
TlsCrlFile        ftpd-crl.pem
TlsDhParamFile    ftpd-dhparam.pem

Please note: the information on this page applies to ITS web hosting plans. It may or may not apply to other environments. If you are looking for a feature described here, or better support from your hosting provider, please consider hosting your site with ITS!
