diff --git a/custom.conf b/custom.conf index e74b320..21e7618 100644 --- a/custom.conf +++ b/custom.conf @@ -15,11 +15,7 @@ MaxClientsPerHost 5 TLSEngine on TLSVerifyClient off TLSRenegotiate none - TLSProtocol TLSv1.2 - TLSRSACertificateFile /etc/proftpd/cert.pem - TLSRSACertificateKeyFile /etc/proftpd/privkey.pem - TLSCertificateChainFile /etc/proftpd/chain.pem - TLSCipherSuite "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4" + TLSProtocol TLSv1.2 TLSv1.3 TLSOptions NoSessionReuseRequired AllowClientRenegotiations TLSRequired on diff --git a/run.sh b/run.sh index d715fc0..1e91caa 100644 --- a/run.sh +++ b/run.sh @@ -22,6 +22,30 @@ cat $TLS_CERT > /etc/proftpd/cert.pem cat $TLS_KEY > /etc/proftpd/privkey.pem cat $TLS_CHAIN > /etc/proftpd/chain.pem +############ CHECK CERT KEY ALGO + +ALGO=$(openssl x509 -in /etc/proftpd/cert.pem -text | sed -n 's/\ *Public Key Algorithm: //p') + +if [ "$ALGO" = "id-ecPublicKey" ] ; then +cat > /etc/proftpd/conf.d/certificate.conf < + TLSECCertificateFile /etc/proftpd/cert.pem + TLSECCertificateKeyFile /etc/proftpd/privkey.pem + TLSCertificateChainFile /etc/proftpd/chain.pem + +EOF +fi + +if [ "$ALGO" = "rsaEncryption" ] ; then +cat > /etc/proftpd/conf.d/certificate.conf < + TLSRSACertificateFile /etc/proftpd/cert.pem + TLSRSACertificateKeyFile /etc/proftpd/privkey.pem + TLSCertificateChainFile /etc/proftpd/chain.pem + +EOF +fi + ############ PASSIVE PORTS PASSIVEPORTS_START=${PASSIVEPORTS_START:-50000}