
Add TLS SNI support #108

Closed
wants to merge 11 commits into from

Conversation

@FGasper commented Mar 23, 2019

This provides an easy way for server administrators to implement TLS SNI support in Pure-FTPd.

@jedisct1 (Owner)

This doesn't compile, and even after some fixes it didn't seem to work (tried on OpenBSD and macOS as a server, lftp as client).

@jedisct1 jedisct1 closed this Mar 24, 2019
@FGasper (Author) commented Mar 25, 2019

@jedisct1 Yeah, I didn’t intend this branch as-is for a merge per se; I was more asking for feedback on the approach.

My own testing was limited to openssl s_client; if you’re ok with this approach in principle, I’ll spend some more time with it.

Curious that it didn’t compile; I used MacOS as server myself.

@FGasper (Author) commented Mar 25, 2019

So, just to be clear: if I get this branch working, compiling, testing, etc., will you accept it?

@jedisct1 (Owner)

You need to test with other features compiled in (--with-everything) :)

Anyway, SNI support is implemented and documented already.

@FGasper (Author) commented Mar 25, 2019

Ah, ok, now I see your recently-landed implementation. (Thank you!)

What is the benefit of having a separate daemon to invoke the command versus calling it from tls.c?

@jedisct1 (Owner)

Better isolation, especially in a pre-authentication context.

The certd script and the FTP servers can run with different capabilities (which is already the case).

No need to fork a process every time, pure-certd can be replaced with anything that listens to the local UNIX socket.

And it's similar to the existing mechanism for external authentication, which is what you initially suggested.

@FGasper (Author) commented Mar 25, 2019

Thanks!

@unique1984 commented Aug 19, 2022

Full installation documentation (Turkish)

Pure-Ftpd-Mysql with SNI Installation


pure-ftpd with SNI support (working & tested implementation) using Let's Encrypt (certbot)

Gather files (Debian)

apt source pure-ftpd-mysql
cd pure-ftpd-1.0.49

Step 1 Configure
nano debian/rules # append sbin binary pure-certd

./configure --with-mysql --with-tls --with-everything

Step 2 build package
dpkg-buildpackage -uc -us

Step 3 Install package that includes pure-certd
apt install -f ../pure-ftpd-mysql_1.0.49-4.1_amd64.deb

Step 4 Create TLS SNI parser shell script
nano /bin/pure-cert-check.sh

#!/bin/sh
# pure-certd runs this for each TLS handshake; the client-chosen SNI name
# arrives in CERTD_SNI_NAME, so never let it escape /etc/letsencrypt/live.
#echo "$(env)" > /root/sni_log
case "${CERTD_SNI_NAME}" in
  ''|*/*|*..*) echo 'action:deny'; echo 'end'; exit 0 ;;   # refuse the handshake
esac
echo 'action:strict'
echo "cert_file:/etc/letsencrypt/live/${CERTD_SNI_NAME}/fullchain.pem"
echo "key_file:/etc/letsencrypt/live/${CERTD_SNI_NAME}/privkey.pem"
echo 'end'

Step 5 Start pure-certd daemon
pure-certd --run /bin/pure-cert-check.sh --socket /var/run/ftpd-certs.sock --pidfile /var/run/pure-certd.pid -B

Step 6 Append a line in to /usr/sbin/pure-ftpd-wrapper

                        'NoTruncate' => ['-0'],
+++                        'ExtCert' => [ '-3 %s', \&parse_string],
                        'PassivePortRange' => ['-p %d:%d', \&parse_number_2],
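Review bot: the `+++` prefix on the `ExtCert` line would be read as a file header in a unified diff, where an added line carries a single `+`; readers copying the snippet should add only the `'ExtCert' => [ '-3 %s', \&parse_string],` line itself, between the `NoTruncate` and `PassivePortRange` entries shown. Also note that `/usr/sbin/pure-ftpd-wrapper` is a regular file shipped by the package, not a conffile under `/etc`, so the next package upgrade will overwrite this edit; either re-apply it after upgrades or carry it as a patch under `debian/` next to the `debian/rules` change from Step 1.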

Step 7 Create ExtCert (pure-ftpd.conf won't work...)

echo "/var/run/ftpd-certs.sock" > /etc/pure-ftpd/conf/ExtCert

Step 8

systemctl restart pure-ftpd-mysql.service

You should see something like:

Aug 19 23:42:20 testing systemd[1]: Stopping pure-ftpd-mysql.service...
Aug 19 23:42:20 testing pure-ftpd-mysql[207068]: Stopping ftp server: pure-ftpd.
Aug 19 23:42:20 testing systemd[1]: pure-ftpd-mysql.service: Succeeded.
Aug 19 23:42:20 testing systemd[1]: Stopped pure-ftpd-mysql.service.
Aug 19 23:42:20 testing systemd[1]: Starting pure-ftpd-mysql.service...
Aug 19 23:42:20 testing pure-ftpd-mysql[207077]: Starting ftp server:
Aug 19 23:42:20 testing pure-ftpd-mysql[207084]: Running: /usr/sbin/pure-ftpd-mysql -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -u 1000 -p 35000:50000 -E -A -Y 1 -O clf:/var/log/pure-ftpd/transfer.log **-3 /var/run/ftpd-certs.sock** -P 165.227.130.119 -J HIGH -j -B
Aug 19 23:42:20 testing systemd[1]: Started pure-ftpd-mysql.service.

in the syslog.

Step 9 Use it!

Cert 1 [screenshot]

Cert 2 [screenshot]

Have a nice day...

P.S. When you search the web for "pure-ftpd sni support", this is the first page Google indexes, which is why I put this here. I couldn't find any other step-by-step document, so I experimented, found a way that works, and I'm sharing it.
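An offline check for a responder script like the one in Step 4, added here as an example; it is not code from this thread or from Pure-FTPd. pure-certd hands the script the client-supplied SNI name in CERTD_SNI_NAME and reads back `key:value` lines terminated by `end`, as Step 4 shows. The harness below runs two responders (the thread's script, and the same script with the name quoted and guarded) against a constructed certificate directory, parses each reply with a small parser for that line format, and classifies whether the returned paths stay inside the live directory. CERTD_LIVE_DIR is a harness-only variable standing in for the hardcoded /etc/letsencrypt/live path, and `action:deny` is the refusal keyword from pure-ftpd's README.TLS; check both against the version you run.

```python
"""Offline harness for a pure-certd responder script (added example).

pure-certd runs the configured script with the client-supplied SNI name in
CERTD_SNI_NAME and reads 'key:value' lines terminated by 'end'. This harness
feeds a responder several names, parses the reply and checks that every
returned path stays inside the certificate directory. CERTD_LIVE_DIR is a
harness-only variable; the real scripts hardcode /etc/letsencrypt/live.
All files are constructed in a temporary directory.
"""
import subprocess
import tempfile
from pathlib import Path

# The thread's script, changed only to read the live directory from
# CERTD_LIVE_DIR so it can run against a temp directory.
RESPONDER_ORIGINAL = """#!/bin/sh
echo 'action:strict'
echo 'cert_file:'$CERTD_LIVE_DIR'/'${CERTD_SNI_NAME}'/fullchain.pem'
echo 'key_file:'$CERTD_LIVE_DIR'/'${CERTD_SNI_NAME}'/privkey.pem'
echo 'end'
"""

# Same script with the name quoted and a guard that refuses names able to
# leave the live directory. 'deny' is the refusal action documented in
# pure-ftpd's README.TLS (assumption: confirm against your installed version).
RESPONDER_HARDENED = """#!/bin/sh
case "$CERTD_SNI_NAME" in
  ''|*/*|*..*) echo 'action:deny'; echo 'end'; exit 0 ;;
esac
echo 'action:strict'
echo "cert_file:$CERTD_LIVE_DIR/$CERTD_SNI_NAME/fullchain.pem"
echo "key_file:$CERTD_LIVE_DIR/$CERTD_SNI_NAME/privkey.pem"
echo 'end'
"""


def parse_reply(text: str) -> dict:
    """Turn 'key:value' lines into a dict, stopping at the 'end' line."""
    reply = {}
    for line in text.splitlines():
        if line == "end":
            return reply
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed reply line: {line!r}")
        reply[key] = value
    raise ValueError("reply not terminated by 'end'")


def query(script: Path, live_dir: Path, sni_name: str) -> dict:
    """Run the responder the way pure-certd would and parse what it prints."""
    env = {"PATH": "/usr/bin:/bin",
           "CERTD_SNI_NAME": sni_name,
           "CERTD_LIVE_DIR": str(live_dir)}
    proc = subprocess.run(["sh", str(script)], env=env, capture_output=True,
                          text=True, timeout=5, check=True)
    return parse_reply(proc.stdout)


def classify(reply: dict, live_dir: Path) -> str:
    """'deny', 'escape' (a path leaves live_dir), 'missing' or 'ok'."""
    if reply.get("action") == "deny":
        return "deny"
    root = live_dir.resolve()
    for key in ("cert_file", "key_file"):
        path = Path(reply[key]).resolve()  # non-strict: missing files allowed
        if root not in path.parents:
            return "escape"
        if not path.is_file():
            return "missing"
    return "ok"


def run_demo() -> dict:
    """Exercise both scripts against a constructed live directory."""
    names = ["ftp.example.com", "other.example.com", "../../outside", ""]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "ftp.example.com").mkdir(parents=True)
        for fname in ("fullchain.pem", "privkey.pem"):
            # Constructed placeholders; only their existence matters here.
            (live / "ftp.example.com" / fname).write_text("placeholder\n")
        for label, body in (("original", RESPONDER_ORIGINAL),
                            ("hardened", RESPONDER_HARDENED)):
            script = Path(tmp) / f"{label}.sh"
            script.write_text(body)
            results[label] = {n: classify(query(script, live, n), live)
                              for n in names}
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(label, outcome)
```

Run it as a script to print one classification per name and responder. The `../../outside` name is the point of the exercise: the unguarded script answers `action:strict` with a path outside the live directory, so it relies entirely on whatever filtering the server applies before calling it, while the guarded script refuses the handshake. The `missing` outcome for an unknown name is also worth noticing, since with `action:strict` a typo in a hostname turns into a failed handshake rather than a fallback.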
