Arch Linux User Repository

spapanik21, thanks for your suggestion. I've changed the location for the pidfile. The libsodium problem should disappear when you update/reinstall the pure-ftpd package. kleph's info about broken clients is now mentioned at install time.

I noticed that the default value for the PIDFile is /run/pure-ftpd/pure-ftpd.pid, both in pure-ftpd.service and pure-ftpd.conf. The problem with that is that /run/pure-ftpd does not survive the restart and the service cannot restart. The solution I am using is to change the location in both this places, but this does not survive the updates. Furthermore, the last update broke it for me as I was getting the error: "error while loading shared libraries: libsodium.so.13: cannot open shared object file: No such file or directory" when I was using the pure-pw.

Of course the FQDN of the host may not always be the desired one, especially if the server is in a DMZ, but exactly for cases like this a note how to re-create the certificate is displayed, as was suggested by you. Unfortunately, there is not much documentation about the BrokenClientsCompatibility parameter, but the decision to set it to "no" by default in the latest release seems to be security related. Therefore, I think it's better to follow upstream and leave it untouched, as very few clients are affected. In the next release I'll add a note about broken clients and how to enable the parameter in the config file.

Just for the reference, I had trouble with a few FTP clients since 1.0.42. Andftp and Total Commander, to name them, but filezilla and lftp are OK. The first connection was good, logs were OK, but clients did not see anything in the directory. Total commander did not say anything, and andftp complained about "connection closed unexpectedly". It was for the data connection, that's why ls did not show a thing. I found that enabling "BrokenClientsCompatibility" fixed the problem. As you're already modifying some parts of the defaults, maybe also adding this could be useful. Extract of the upstream's changelog for the version 1.0.42 : - The ONLY_ACCEPT_REUSED_SSL_SESSIONS switch (introduced in Pure-FTPd 1.0.22 circa 2009, but disabled back then due to client compatibility concerns) is now on by default, except in broken clients compatibility mode.

Thanks for the fast answer and fast integration :) I do not face the FQDN problem, but that's may be due to the my config. Pure's host is resolved as a FQDN for the local zone and I set the CN of my certificate (delivered by a local CA) to the FQDN of my external zone. But as the forward and the reverse are resolved by a local DNS, I may miss the issue.

Thanks kleph, I totally agree. I've added an install script similar to your suggestions, but instead of only telling the user how to generate a self-signed certificate, it also generates one with matching CN=FQDN at install time if missing. (Otherwise the TLS-enabled ftp service would refuse to start.) Updated to 1.0.42-2.

Hi, The install conflicts if you already have certificates and DH params files. Wouldn't it be better to check if certificates and DH params files already exists and generate new files rather that providing secret keys and always the same dh params with the package ? That way the user can provide its own Common Name to match his FQDN. I try it in my local variant built with --ldap - removed the line "install -Dm640 -t ${pkgdir}/etc/ssl/private/ ${srcdir}/pure-ftpd.pem ${srcdir}/pure-ftpd-dhparams.pem" from the PKGBUILD - and added a pure-ftpd.install : post_install(){ if [ ! -e /etc/ssl/private/pure-ftpd-dhparams.pem ];then echo "Generating new DH params" openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 2048 chmod 0600 /etc/ssl/private/pure-ftpd.pem fi if [ ! -e /etc/ssl/private/pure-ftpd.pem ]; then echo "You need to place a certificate and its key in /etc/ssl/private/pure-ftpd.pem to start TLS enabled pure-ftpd" echo "You can generate a self signed certificate with the following command :" echo "openssl req -x509 -nodes -newkey rsa:2048 -sha256 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem" echo echo "Note: The Common Name (CN) should be the same as the FQDN of the server." echo "Note2: Remember to chmod 0600 the generated certificate." fi }

Taken over maintainership, overall improvements, updated to 1.0.41.