
I'm trying to set up the following environment:

There is one single FTP server (Debian 9, proftpd 1.3.6-4), reachable under 1.2.3.4, and two domains which point to that IP address:

  • example1.com -> 1.2.3.4
  • example2.com -> 1.2.3.4

Each of these domains has its own certificate.

How can I serve both certificates with proftpd?

According to this (ProFTPd: Multiple Domain VirtualHosts on one IP address) it should be possible.

So my config would look like:

<VirtualHost example1.com>
    TLSEngine                               on
    TLSLog                                  /var/log/proftpd/tls.log
    TLSProtocol                             SSLv23
    TLSOptions                              NoCertRequest EnableDiags NoSessionReuseRequired
    TLSVerifyClient                         off
    TLSRSACertificateFile                   /etc/apache2/ssl/cert-example1.com.pem
    TLSRSACertificateKeyFile                /etc/apache2/ssl/privkey-example1.com.pem
</VirtualHost>

<VirtualHost example2.com>
    TLSEngine                               on
    TLSLog                                  /var/log/proftpd/tls.log
    TLSProtocol                             SSLv23
    TLSOptions                              NoCertRequest EnableDiags NoSessionReuseRequired
    TLSVerifyClient                         off
    TLSRSACertificateFile                   /etc/apache2/ssl/cert-example2.com.pem
    TLSRSACertificateKeyFile                /etc/apache2/ssl/privkey-example2.com.pem
</VirtualHost>

Unfortunately, none of them works. It only works for one domain if I put the IP address instead of the DNS name in it.

I turned on debugging to see what's happening. I always get a "no matching vhost found for 1.2.3.4" message.

Vince

1 Answer

For Windows: try WinSCP; it has supported that feature for a while.

I don't know any other client that implements that feature. I assume it's just that FTP(S) is quite out of scope nowadays, as implementation of that feature should be more or less a no-brainer in most applications.

Edit: include some explanation of why this feature depends on client support, as requested by @RalfFriedl:

For the server to be able to deliver different SSL certificates to clients depending on the hostname the client expects, it needs to know which hostname the client expects.
The TCP/IP connection itself which arrives at the server does not include this information (it only works with numeric IP addresses and TCP port numbers).
So if, for the same address and port, the server wants to send different certificates depending on what the client expects, the client needs to supply the information.

For the case of FTP(E)S name-based virtual hosts, the client sends a HOST command with the expected hostname as parameter before it initiates the SSL negotiation, so that the server knows which hostname the client wants to talk to before the connection is promoted to SSL, during which the certificate is sent to the client.
(This mechanism could of course also be used without SSL, just for the server to deliver different content or such based on the target hostname. I don't know whether ProFTPd does this, and it is not the question here.)

EOhm
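The HOST-before-AUTH exchange the answer describes, as an added example that is not part of the question or answer and not ProFTPd's code: a toy control-channel state machine that picks the certificate to present from the HOST command (defined in RFC 7151) when AUTH TLS arrives, and falls back to a default when the client never sends HOST. Hostnames, certificate paths and the "503 after AUTH" rule are constructed assumptions of this model.

```python
# Constructed mapping of virtual hostname -> certificate the server would present.
CERTS = {
    "example1.com": "/etc/ssl/cert-example1.com.pem",  # constructed path
    "example2.com": "/etc/ssl/cert-example2.com.pem",  # constructed path
}
DEFAULT_CERT = "/etc/ssl/cert-default.pem"  # constructed: used when no HOST was sent


class VhostServer:
    """Minimal FTP control-channel model covering only HOST and AUTH TLS."""

    def __init__(self):
        self.vhost = None           # hostname learned from HOST, if any
        self.tls_started = False    # set once AUTH TLS has been accepted
        self.presented_cert = None  # certificate chosen at AUTH TLS time

    def handle(self, line: str) -> str:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "HOST":
            if self.tls_started:
                # Model choice: once TLS is up the certificate is already sent,
                # so a late HOST can no longer influence it.
                return "503 HOST not allowed after AUTH"
            if arg not in CERTS:
                return "504 Unknown virtual host"
            self.vhost = arg
            return f"220 {arg} FTP server ready"
        if verb == "AUTH" and arg.upper() == "TLS":
            # This is the moment the certificate choice is fixed: the server
            # only knows the hostname if the client supplied it beforehand.
            self.tls_started = True
            self.presented_cert = CERTS.get(self.vhost, DEFAULT_CERT)
            return "234 AUTH TLS successful"
        return "502 Command not implemented"


def run_client(commands):
    """Drive the model with a client command list; return (replies, cert presented)."""
    srv = VhostServer()
    replies = [srv.handle(c) for c in commands]
    return replies, srv.presented_cert


if __name__ == "__main__":
    for seq in (["HOST example2.com", "AUTH TLS"], ["AUTH TLS"]):
        print(seq, "->", run_client(seq))
```

A client that skips HOST (the second sequence) always receives the default certificate, which is why the answer says the feature depends on client support.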