/etc/ftpd.cnf File Format for TCP/IP

Purpose

Specifies the configuration parameters of the ftpd daemon to start a transport layer security (TLS) session.

Description

The /etc/ftpd.cnf file is an ASCII file that contains configuration parameters of the ftpd daemon to set up a TLS session upon receiving a TLS request from an ftp client.

The /etc/ftpd.cnf file contains the following entries that are separated by spaces, tabs, or new lines:

Table 1. /etc/ftpd.cnf file entries

CA_PATH
    Specifies the path to the trusted certificate-authority file in PEM format. If the CA_PATH entry is specified, the client certificate is verified against the certificate authority. If the client does not provide a digital certificate, the connection fails. If the client provides a digital certificate, but the certificate is not signed by the certificate authority, the TLS session fails. If this parameter is not specified, the client does not have to provide a digital certificate.

CERTIFICATE
    Specifies the path to a valid chain of digital-certificate files in PEM format. This entry must be specified to start a TLS session. If this entry is not specified, the ftpd server rejects all TLS requests.

CERTIFICATE_PRIVATE_KEY
    Specifies the path to the certificate private key in PEM format. This entry must be specified to start a TLS session. If this entry is not specified, the ftpd server rejects all TLS requests.

CIPHER_LIST
    Specifies the cipher list that is used during the TLS session. If it is not specified, a default cipher list is used.

CIPHERSUITE
    Specifies the TLS version 1.3 (TLSv1.3) cipher suite that is used for the TLS session. If no TLSv1.3 cipher suite is specified, the default TLSv1.3 cipher suite is used. For TLS version 1.2 (TLSv1.2) and earlier ciphers, the existing CIPHER_LIST option must be used. If the CIPHER_LIST option is not used for TLSv1.2 and earlier ciphers, the default TLSv1.3 cipher suite is used.

CRL_PATH
    Specifies the path to the certificate-revocation-list file in privacy enhanced mail (PEM) format. If the CRL_PATH entry is specified, the digital certificate that the client provides is verified against the certificate revocation list. If the ftp client is not using a digital certificate, the connection fails. If the client provides a digital certificate, but the certificate is revoked, the TLS session fails. If this parameter is not specified, the client does not have to provide a digital certificate.

DH_PARAMETERS_DIR
    Specifies the path to a directory containing Diffie-Hellman parameters in PEM format. More than one file can be included in this directory. The ftpd daemon searches for the appropriate parameter.

DEPTH
    Specifies the depth to which the certificate that the ftp client provides is verified in the digital-certificate hierarchy, if the CA_PATH configuration parameter is specified. If the DEPTH entry is not provided, a default value of 9 is used.

EC_CURVE_NAME
    Specifies the Elliptic Curve (EC) key curve name to be used in the Elliptic-Curve Diffie-Hellman (ECDH) key exchange protocol or the TLSv1.3 Finite Field Diffie-Hellman Ephemeral (FFDHE) group name.

Examples

The following example shows an entry in the /etc/ftpd.cnf file:

CRL_PATH                  /crl.pem
CA_PATH                   /ca.pem
CIPHER_LIST               ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
CIPHERSUITE               TLS_AES_256_GCM_SHA384
DEPTH                     2
CERTIFICATE               /cert.pem
CERTIFICATE_PRIVATE_KEY   /privatekey.pem
DH_PARAMETERS_DIR         /DH_DIR
EC_CURVE_NAME             "secp256k1"
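The following Python script is an added example (it is not IBM code and does not reproduce the daemon's own parser): it reads a file in the whitespace-separated KEY VALUE format described above and reports the TLS behaviour the entry table implies for that file, such as whether TLS requests will be rejected outright or whether a client certificate becomes mandatory. It assumes only the tokenising rule and the entry semantics stated on this page; the sample inputs are constructed.

```python
# Added example (not IBM's code): parse /etc/ftpd.cnf and report how ftpd will
# treat TLS requests given which entries are (and are not) set, per the table above.
KNOWN = {"CA_PATH", "CERTIFICATE", "CERTIFICATE_PRIVATE_KEY", "CIPHER_LIST",
         "CIPHERSUITE", "CRL_PATH", "DH_PARAMETERS_DIR", "DEPTH", "EC_CURVE_NAME"}
DEFAULT_DEPTH = 9  # default stated for the DEPTH entry

def parse_ftpd_cnf(text):
    """Return {ENTRY: value}; entries are KEY VALUE pairs split on any whitespace."""
    tokens = text.split()  # spaces, tabs and newlines all separate tokens
    if len(tokens) % 2:
        raise ValueError("entry without a value: " + tokens[-1])
    config = {}
    for key, value in zip(tokens[::2], tokens[1::2]):
        if key in config:
            raise ValueError("duplicate entry: " + key)
        config[key] = value  # kept verbatim; the page does not say quotes are stripped
    return config

def effective_depth(config):
    """Verification depth ftpd will use (only meaningful when CA_PATH is set)."""
    return int(config.get("DEPTH", DEFAULT_DEPTH))

def check_tls_config(config):
    """Return findings describing how ftpd will behave with this configuration."""
    findings = ["unknown entry: " + k for k in config if k not in KNOWN]
    if not {"CERTIFICATE", "CERTIFICATE_PRIVATE_KEY"} <= set(config):
        findings.append("CERTIFICATE and CERTIFICATE_PRIVATE_KEY are both required;"
                        " ftpd rejects all TLS requests")
    if "CA_PATH" in config or "CRL_PATH" in config:
        findings.append("client must present a certificate (CA_PATH or CRL_PATH set)")
    else:
        findings.append("client certificate optional (no CA_PATH or CRL_PATH)")
    if "DEPTH" in config and "CA_PATH" not in config:
        findings.append("DEPTH has no effect without CA_PATH")
    return findings

# Constructed samples: the page's own example, and a file missing the private key.
SAMPLE_OK = ("CRL_PATH /crl.pem\nCA_PATH /ca.pem\n"
             "CIPHER_LIST\tALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH\n"
             "CIPHERSUITE TLS_AES_256_GCM_SHA384\nDEPTH 2\nCERTIFICATE /cert.pem\n"
             "CERTIFICATE_PRIVATE_KEY /privatekey.pem\nDH_PARAMETERS_DIR /DH_DIR\n"
             'EC_CURVE_NAME "secp256k1"\n')
SAMPLE_BAD = "CERTIFICATE /cert.pem DEPTH 3"

if __name__ == "__main__":
    for text in (SAMPLE_OK, SAMPLE_BAD):
        cfg = parse_ftpd_cnf(text)
        print(cfg, "depth", effective_depth(cfg), *check_tls_config(cfg), sep="\n")
```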

Files

Table 2. Files

/usr/samples/tcpip/ftpd.cnf
    Sample ftpd.cnf file