ProFTPd 1.3.0a (internal server only!) on which I'm testing mod_tls. I
have the following configuration:

TLSEngine on
TLSLog /var/log/tls.log

#TLSProtocol TLSv1
TLSProtocol SSLv23

# Require clients to use TLS?
TLSRequired data

# Only accept self-signed certificates.
TLSVerifyDepth 0

# Certificate locations.
TLSRSACertificateFile /etc/proftpd/server.crt
TLSRSACertificateKeyFile /etc/proftpd/server.key

# Certificate Authority (CA) that the server trusts.
TLSCACertificateFile /etc/proftpd/ca.crt

# Authenticate clients that want to use TLS?
TLSVerifyClient on

And have generated client side certificates for use with lftp with the
following command:

openssl req -new -x509 -days 3650 -nodes -out client.cert.pem -keyout client.key.pem

Obviously this is self-signed.

Configured for use by lftp:

set ssl:key-file "/path/to/gm_ftp/client.key.pem"
set ssl:cert-file "/path/to/gm_ftp/client.cert.pem"
set ssl:verify-certificate no

However, when I attempt to connect to my server, I get the following on
the server side in the TLS log:

Jan 15 17:13:14 mod_tls/2.1.1[4001]: TLS/TLS-C requested, starting TLS handshake
Jan 15 17:13:15 mod_tls/2.1.1[4001]: error: unable to verify certificate at depth 0
Jan 15 17:13:15 mod_tls/2.1.1[4001]: error: cert subject: C = US, ST = California, L = Redlands, O = ESRI, OU = Systems, CN =, emailAddress =
Jan 15 17:13:15 mod_tls/2.1.1[4001]: error: cert issuer: C = US, ST = California, L = Redlands, O = ESRI, OU = Systems, CN =, emailAddress =
Jan 15 17:13:15 mod_tls/2.1.1[4001]: client certificate failed verification: self signed certificate
Jan 15 17:13:15 mod_tls/2.1.1[4001]: unable to accept TLS connection:
(1) error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Jan 15 17:13:15 mod_tls/2.1.1[4001]: TLS/TLS-C negotiation failed on control channel

And on the client (lftp) side:

---- Connecting to server (xx.xx.xx.xx) port 21
<--- 220 xx.xx.xx.xx FTP server ready
---> FEAT
<--- 211-Features:
<--- MDTM
<--- SIZE
<--- PBSZ
<--- PROT
<--- 211 End
<--- 234 AUTH TLS successful
---> USER xxxxxxxx
Certificate depth: 0; subject: /C=US/ST=California/L=Redlands/O=ESRI/OU=Systems/; issuer: /C=US/ST=California/L=Redlands/O=ESRI/OU=Systems/
WARNING: Certificate verification: self signed certificate
WARNING: Certificate verification: certificate signature failure
**** SSL_connect: tlsv1 alert unknown ca
---- Closing control socket

And the connection fails. So if I'm reading the logs correctly, it
seems that ProFTPd is not liking my self-signed certificate even though
I have TLSVerifyDepth set at 0.

I have tried setting this at 1, 9 and 10 with no change.

Can anyone spot what I'm doing wrong?


ProFTPD Users List
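
The "self signed certificate" verdict at depth 0 in the TLS log above is OpenSSL's verification error 18, and it can be reproduced outside the FTP session with `openssl verify`; this is an added example, not part of the original post. It shows that the verdict depends on whether the self-signed certificate is present in the trusted bundle. Assumptions: the `-CAfile` bundle stands in for `TLSCACertificateFile`, and all file names and subject values are constructed.

```shell
#!/bin/sh
# Added example: every certificate here is a throwaway generated in a temp dir.

# Self-signed cert + key, like the post's `openssl req` command; -subj (constructed
# values) and -newkey are added so it runs non-interactively.
make_selfsigned() {    # $1 = output basename, $2 = CN
    openssl req -new -x509 -days 1 -nodes -newkey rsa:2048 \
        -subj "/O=Example/CN=$2" \
        -out "$1.cert.pem" -keyout "$1.key.pem" >/dev/null 2>&1
}

# OpenSSL's verdict on cert $2 when the only trusted certificates are those in $1
# ($1 plays the role of TLSCACertificateFile; that mapping is an assumption).
verdict() {            # $1 = trusted bundle, $2 = cert to verify
    openssl verify -CAfile "$1" "$2" 2>&1
}

demo() {
    dir=$(mktemp -d) || return 1
    make_selfsigned "$dir/ca" "Constructed CA" || return 1
    make_selfsigned "$dir/client" "Constructed client" || return 1

    echo "== trusted bundle holds only an unrelated CA =="
    # Expected to fail: the client cert is self-signed and not in the bundle.
    verdict "$dir/ca.cert.pem" "$dir/client.cert.pem" || true

    # Trust the self-signed client certificate itself by adding it to the bundle.
    cat "$dir/ca.cert.pem" "$dir/client.cert.pem" > "$dir/bundle.pem"
    echo "== trusted bundle also holds the client certificate =="
    verdict "$dir/bundle.pem" "$dir/client.cert.pem" || true

    rm -rf "$dir"
}

demo
```

The first check reports error 18 at depth 0 and the second reports OK for the same certificate.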