How do you configure FTP for Explicit TLS?

GJSchaller

Contributor
Joined
Feb 10, 2021
Messages
100
I'm in the process of securing various services I use that connect back to my TrueNAS. I have several external services that FTP backups on a nightly / weekly basis to the TrueNAS - at the moment, they're using plain FTP, and I'd like to change that to TLS.

One of the backup packages I am using, Akeeba Backup, requires Explicit TLS, and will not work with Implicit TLS. However, I can't find documentation or options to determine which one TrueNAS is using when TLS is enabled.

Is there a spot I am missing that controls this, or documents it? (Or can someone advise if it's not?)

Thank you!
 

somethingweird

Contributor
Joined
Jan 27, 2022
Messages
183
My advice - create a jail & compile/install an FTP server that supports Explicit TLS.

Don't know if the FreeBSD ftpd supports Explicit TLS.
 

samarium

Contributor
Joined
Apr 8, 2023
Messages
192
Might be other options in the backup software too, like maybe sftp or scp or rsync over ssh?
 

GJSchaller

Contributor
Joined
Feb 10, 2021
Messages
100
I was able to set up a VM running Virtualmin, which offers Explicit TLS (along with lots of other stuff which is useful, this was just the icing on the cake). I'd still like to know if TrueNAS offers Explicit TLS, for documentation purposes / for the record.
 

somethingweird

Contributor
Joined
Jan 27, 2022
Messages
183
I was able to set up a VM running Virtualmin, which offers Explicit TLS (along with lots of other stuff which is useful, this was just the icing on the cake). I'd still like to know if TrueNAS offers Explicit TLS, for documentation purposes / for the record.

I think - TrueNAS installed the very basic ftpd. - Just set up a jail and install bsdftpd-ssl (I personally never used it)
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
like to know if TrueNAS offers Explicit TLS,

No, because it's not part of the protocol.

requires Explicit TLS, and will not work with Implicit TLS

The FTP protocol supports neither, though several alternative FTP servers have made attempts to glom it on to their projects. The BSD distributed FTP server is a stock clean ftpd and is not suitable for "private" file sharing if you consider your contents valuable. It is best used in the same environments where stuff like http:// is acceptable, such as file distribution on the Internet. The typically recommended solution for secure FTP is either FTPS or SFTP. These are not supported by the base system but are available as ports or packages that can be installed in a jail.

I suspect that the developers have considered supplementing this at some point, but the complication comes in that once you do, you run into a bunch of only semi-compatible solutions that aren't particularly satisfying to anyone. Since there is no real standard for SSL-secured FTP, it turns into a "the nice thing about standards is there's so many to choose from" kind of problem.
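
Added example (not part of any post in this thread, and not TrueNAS or Akeeba code): a small Python check for which TLS mode an FTP server actually answers, which is the question the thread opens with. In explicit mode the client connects in cleartext and sends AUTH TLS, and a 234 reply precedes the handshake; in implicit mode the TLS handshake comes first. The function names are hypothetical, and ports 21 and 990 are assumed as the conventional ones.

```python
import socket
import ssl

def read_reply(stream):
    """Read one FTP reply; a multi-line reply ends at '<code><space>'."""
    lines = []
    while True:
        raw = stream.readline()
        if not raw:
            raise ConnectionError("control connection closed mid-reply")
        lines.append(raw.decode("utf-8", "replace").rstrip("\r\n"))
        if lines[-1].startswith(lines[0][:3] + " "):
            return int(lines[0][:3]), lines

def auth_mechanisms(feat_lines):
    """AUTH mechanisms advertised in a FEAT reply, e.g. {'TLS', 'SSL'}."""
    found = set()
    for line in feat_lines[1:-1]:
        words = line.strip().upper().split(None, 1)
        if len(words) == 2 and words[0] == "AUTH":
            found.update(words[1].replace(";", " ").split())
    return found

def probe(host, timeout=5.0):
    """Return the FTPS modes host answers: 'explicit' and/or 'implicit'."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # probe only: this tells us the mode, not
    ctx.verify_mode = ssl.CERT_NONE  # whether the certificate is trustworthy
    modes = []
    try:  # explicit: plain control connection on 21, upgraded by AUTH TLS
        with socket.create_connection((host, 21), timeout) as sock:
            ctl = sock.makefile("rwb")
            read_reply(ctl)  # 220 banner
            ctl.write(b"AUTH TLS\r\n")
            ctl.flush()
            if read_reply(ctl)[0] == 234:
                ctx.wrap_socket(sock, server_hostname=host).close()
                modes.append("explicit")
    except (OSError, ValueError):
        pass
    try:  # implicit: TLS handshake comes first, conventionally on port 990
        with socket.create_connection((host, 990), timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                read_reply(tls.makefile("rb"))
                modes.append("implicit")
    except (OSError, ValueError):
        pass
    return modes

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
```

Certificate verification is switched off only so the probe can report the mode of a server with a self-signed certificate; the backup client itself should be left verifying the certificate.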
 