/etc/ftpd.cnf File Format for TCP/IP

Purpose

Specifies the configuration parameters of the ftpd daemon to start a transport layer security (TLS) session.

Description

The /etc/ftpd.cnf file is an ASCII file that contains configuration parameters of the ftpd daemon to set up a TLS session upon receiving a TLS request from an ftp client.

The /etc/ftpd.cnf file contains the following entries separated by spaces, tabs, or new lines:

Item Description
CRL_PATH Specifies the path to the certificate-revocation-list file in privacy enhanced mail (PEM) format. If the CRL_PATH entry is specified, the digital certificate that the client provides is verified against the certificate revocation list. If the ftp client is not using a digital certificate, the connection fails. If the client provides a digital certificate, but the certificate has been revoked, the TLS session fails. If this parameter is not specified, the client does not have to provide a digital certificate.
CA_PATH Specifies the path to the trusted certificate-authority file in PEM format. If the CA_PATH entry is specified, the client certificate is verified against the certificate authority. If the client does not provide a digital certificate, the connection fails. If the client provides a digital certificate, but the certificate authority has not signed the certificate, the TLS session fails. If this parameter is not specified, the client does not have to provide a digital certificate.
CIPHER_LIST Specifies the cipher list, in OpenSSL cipher-string syntax, that the ftpd daemon offers during the TLS session (see the example below). If it is not specified, a default cipher list is used.
DEPTH Specifies the maximum depth of the certificate chain that is checked when the certificate that the ftp client provides is verified against the certificate authority; it has no effect unless the CA_PATH configuration parameter has been specified. If the DEPTH entry is not provided, a default value of 9 is used.
CERTIFICATE Specifies the path to a valid chain of digital-certificates files in PEM format. This entry must be specified to start a TLS session. If this entry is not specified, the ftpd server rejects all TLS requests.
CERTIFICATE_PRIVATE_KEY Specifies the path to the certificate private key in PEM format. This entry must be specified to start a TLS session. If this entry is not specified, the ftpd server rejects all TLS requests.
DH_PARAMETERS_DIR Specifies the path to a directory containing Diffie-Hellman parameters in PEM format. More than one file can be included in this directory; the ftpd daemon searches it for the appropriate parameters.

Examples

The following is an example of the entries in the /etc/ftpd.cnf file:

CRL_PATH                  /crl.pem
CA_PATH                   /ca.pem
CIPHER_LIST               ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
DEPTH                     2
CERTIFICATE               /cert.pem
CERTIFICATE_PRIVATE_KEY   /privatekey.pem
DH_PARAMETERS_DIR         /DH_DIR
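The following Python script is an added example and is not part of the AIX documentation or of the ftpd daemon. It parses an ftpd.cnf file according to the format described above (keyword/value pairs separated by any whitespace, not one entry per line) and reports the policy that results from the keyword table: whether TLS is enabled at all, whether a client certificate is required, whether the chain and revocation status are checked, and which DEPTH applies. The keyword names and the default depth of 9 come from the page; the warning texts and the cipher-list check, which uses Python's ssl module to expand the string, are this example's own. The sample configuration is constructed from the example entries above.

```python
"""Parse an /etc/ftpd.cnf-style file and report the TLS policy it produces.

Added example; not part of the AIX documentation. The keyword semantics
(which entries enable TLS, which force a client certificate, the DEPTH
default of 9) are taken from the keyword table; the warning texts are this
example's own interpretation of those rules.
"""
import ssl

KNOWN_KEYS = {
    "CRL_PATH", "CA_PATH", "CIPHER_LIST", "DEPTH",
    "CERTIFICATE", "CERTIFICATE_PRIVATE_KEY", "DH_PARAMETERS_DIR",
}
REQUIRED_FOR_TLS = ("CERTIFICATE", "CERTIFICATE_PRIVATE_KEY")
DEFAULT_DEPTH = 9  # documented default when DEPTH is absent

# Constructed sample: the example entries from the page, separated by a mix
# of spaces, tabs and newlines, all of which the format allows.
SAMPLE_CNF = """
CRL_PATH\t/crl.pem
CA_PATH /ca.pem  CIPHER_LIST ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
DEPTH 2
CERTIFICATE /cert.pem
CERTIFICATE_PRIVATE_KEY /privatekey.pem
DH_PARAMETERS_DIR /DH_DIR
"""


def parse_ftpd_cnf(text):
    """Return {KEYWORD: value}. Entries are keyword/value pairs separated by
    any whitespace, so the file is tokenised rather than read line by line."""
    tokens = text.split()
    if len(tokens) % 2:
        raise ValueError("odd token count: a keyword has no value")
    cfg = {}
    for key, value in zip(tokens[0::2], tokens[1::2]):
        if key not in KNOWN_KEYS:
            raise ValueError(f"unknown keyword {key!r}")
        if key in cfg:
            raise ValueError(f"duplicate keyword {key!r}")
        cfg[key] = value
    if "DEPTH" in cfg and not cfg["DEPTH"].isdigit():
        raise ValueError("DEPTH must be a non-negative integer")
    return cfg


def tls_policy(cfg):
    """Derive the effective policy from the rules in the keyword table."""
    tls_enabled = all(k in cfg for k in REQUIRED_FOR_TLS)
    chain_verified = "CA_PATH" in cfg
    revocation_checked = "CRL_PATH" in cfg
    warnings = []
    if not tls_enabled:
        warnings.append("CERTIFICATE and CERTIFICATE_PRIVATE_KEY are both "
                        "required; ftpd rejects all TLS requests without them")
    if "DEPTH" in cfg and not chain_verified:
        warnings.append("DEPTH is only applied when CA_PATH is set; ignored")
    if revocation_checked and not chain_verified:
        warnings.append("CRL_PATH without CA_PATH: revoked certificates are "
                        "rejected but the issuer is never checked against a "
                        "trusted CA")
    if "CIPHER_LIST" not in cfg:
        warnings.append("no CIPHER_LIST: the daemon default list is used")
    return {
        "tls_enabled": tls_enabled,
        "client_cert_required": chain_verified or revocation_checked,
        "chain_verified": chain_verified,
        "verify_depth": int(cfg.get("DEPTH", DEFAULT_DEPTH)) if chain_verified else None,
        "revocation_checked": revocation_checked,
        "cipher_list": cfg.get("CIPHER_LIST"),
        "dh_parameters_dir": cfg.get("DH_PARAMETERS_DIR"),
        "warnings": warnings,
    }


def check_cipher_list(cipher_list):
    """Expand an OpenSSL-syntax cipher string with Python's ssl module.
    Returns (ok, names); ok is False when the string selects no cipher."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_list)
    except ssl.SSLError:
        return False, []
    return True, [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    policy = tls_policy(parse_ftpd_cnf(SAMPLE_CNF))
    for key, value in policy.items():
        print(f"{key:22} {value}")
    ok, names = check_cipher_list(policy["cipher_list"])
    print("cipher list valid:", ok, "selects", len(names), "ciphers")
```

Running the script against the sample prints a policy with TLS enabled, a client certificate required, chain verification to depth 2 and revocation checking on, and no warnings. Dropping CA_PATH while keeping DEPTH or CRL_PATH produces the corresponding warnings, which is the quickest way to see that DEPTH and CRL_PATH only do the job you expect when a trusted CA file is also configured. The cipher-list expansion shows which suites the example string actually selects on the local OpenSSL; review that list rather than trusting `ALL:...` to exclude everything you consider weak.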

Files

Item Description
/usr/samples/tcpip/ftpd.cnf Sample ftpd.cnf file