From 1769ab4503a08b637b1d20b16a5d28e9d651b5d9 Mon Sep 17 00:00:00 2001
From: Paolo Asperti
Date: Wed, 3 Nov 2021 09:25:54 +0100
Subject: [PATCH] support for EC certs
---
 custom.conf | 6 +-----
 run.sh | 24 ++++++++++++++++++++++++
 2 files changed, 25 insertions(+), 5 deletions(-)
diff --git a/custom.conf b/custom.conf
index e74b320..21e7618 100644
--- a/custom.conf
+++ b/custom.conf
@@ -15,11 +15,7 @@ MaxClientsPerHost 5
 TLSEngine on
 TLSVerifyClient off
 TLSRenegotiate none
- TLSProtocol TLSv1.2
- TLSRSACertificateFile /etc/proftpd/cert.pem
- TLSRSACertificateKeyFile /etc/proftpd/privkey.pem
- TLSCertificateChainFile /etc/proftpd/chain.pem
- TLSCipherSuite "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
+ TLSProtocol TLSv1.2 TLSv1.3
 TLSOptions NoSessionReuseRequired AllowClientRenegotiations
 TLSRequired on
diff --git a/run.sh b/run.sh
index d715fc0..1e91caa 100644
--- a/run.sh
+++ b/run.sh
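Review bot: Deleting the `TLSCipherSuite` line leaves mod_tls on its built-in default cipher list, so the explicit exclusions the old line carried (`!aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4`) no longer apply and the accepted set now depends on whatever OpenSSL build is in the image. If the list was dropped only because it named RSA ciphers exclusively, keep an explicit suite that covers both key types instead, e.g. `TLSCipherSuite "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"`. The certificate directives removed here presumably now come from `/etc/proftpd/conf.d/certificate.conf` written by run.sh; this hunk shows no `Include` for that directory, so confirm one exists, otherwise `TLSEngine on` is left with no certificate configured. The enclosing configuration block, if any, starts before this hunk.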
@@ -22,6 +22,30 @@ cat $TLS_CERT > /etc/proftpd/cert.pem
 cat $TLS_KEY > /etc/proftpd/privkey.pem
 cat $TLS_CHAIN > /etc/proftpd/chain.pem
+############ CHECK CERT KEY ALGO
+
+ALGO=$(openssl x509 -in /etc/proftpd/cert.pem -text | sed -n 's/\ *Public Key Algorithm: //p')
+
+if [ "$ALGO" = "id-ecPublicKey" ] ; then
+cat > /etc/proftpd/conf.d/certificate.conf <
+ TLSECCertificateFile /etc/proftpd/cert.pem
+ TLSECCertificateKeyFile /etc/proftpd/privkey.pem
+ TLSCertificateChainFile /etc/proftpd/chain.pem
+
+EOF
+fi
+
+if [ "$ALGO" = "rsaEncryption" ] ; then
+cat > /etc/proftpd/conf.d/certificate.conf <
+ TLSRSACertificateFile /etc/proftpd/cert.pem
+ TLSRSACertificateKeyFile /etc/proftpd/privkey.pem
+ TLSCertificateChainFile /etc/proftpd/chain.pem
+
+EOF
+fi
+
 ############ PASSIVE PORTS
 PASSIVEPORTS_START=${PASSIVEPORTS_START:-50000}
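Review bot: When `ALGO` matches neither string — empty because `openssl x509` could not parse the supplied `TLS_CERT`, or a key type that prints differently (RSA-PSS, for instance) — neither `if` writes `certificate.conf`, so the script carries on silently and proftpd starts without a usable certificate, or with a stale `certificate.conf` left over from an earlier container start. Add `rm -f /etc/proftpd/conf.d/certificate.conf` before the first `if`, and after the second one `[ -s /etc/proftpd/conf.d/certificate.conf ] || { printf 'unsupported certificate key algorithm: %s\n' "$ALGO" >&2; exit 1; }`. The `openssl x509` call would also be clearer with `-noout`, so only the text dump is piped into `sed`. As rendered here both heredoc lines end in a bare `<`; presumably the file has `<<EOF`, but confirm, since `cat > file <` followed by a newline is a shell syntax error.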