Pure-Ftpd Not Working on cPanel 56

[luisamaral]

Hi,

After upgrading to cPanel 56.0 (build 9), I can't connect to the FTP, using TLS, with my Netbeans FTP Client.
Before this upgrade, on FTP Server Configuration, was using "Broken Clients Compatibility" = "Yes" .

I have tried change "Broken Clients Compatibility" to "No", but didn't work.

Here are the logs:

At FTP client:
- Could not generate DH Keypair
- Prime size must be multiple of 64, and can only range from 512 to 2048 (inclusive)

At server, /var/log/messages:
pure-ftpd: [WARNING] Sorry, cleartext sessions and weak ciphers are not accepted on this server.#012Please reconnect using SSL/TLS security mechanisms.

Any idea how to solve this?

Thanks

 

[Metro2]

Hi luisamaral,

I know this is a long-shot and might not have anything to do with your issue, but take a look at this other thread - All users get blocked when FTP

You may need to make sure that your PassivePortRange is set correctly in /var/cpanel/conf/pureftpd/main and if you're running CSF you may need to make sure that the TCP_IN setting in your CSF Firewall Configuration has the port range entered correctly as well.

 

[Karl]

Hi,

After upgrading to cPanel 56.0 (build 9), I can't connect to the FTP, using TLS, with my Netbeans FTP Client.
Before this upgrade, on FTP Server Configuration, was using "Broken Clients Compatibility" = "Yes" .

I have tried change "Broken Clients Compatibility" to "No", but didn't work.

Here are the logs:

At FTP client:
- Could not generate DH Keypair
- Prime size must be multiple of 64, and can only range from 512 to 2048 (inclusive)

At server, /var/log/messages:
pure-ftpd: [WARNING] Sorry, cleartext sessions and weak ciphers are not accepted on this server.#012Please reconnect using SSL/TLS security mechanisms.

Any idea how to solve this?

Thanks

The issue is that on April 20th, cPanel generated new DH params for pure-ftpd in:

/etc/ssl/private/pure-ftpd-dhparams.pem

They generated 3072 bit params and Jave (as everywhere notes) only supports 2048 bit params.

You can verify this:

openssl dh -in /etc/ssl/private/pure-ftpd-dhparams.pem -text -noout

First line will tell you the size of the params.

The solution:

cp /etc/ssl/private/pure-ftpd-dhparams.pem /etc/ssl/private/pure-ftpd-dhparams.pem.bak
openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 2048
service pure-ftpd restart

 

[cPanelMichael]

Hello,

The change stems from the following entry in the cPanel 56 change log:

Fixed case CPANEL-4968: Update pure-ftpd to 1.0.42-4.cp1156.

The case addressed an issue that resulted in Pure-ftpd failing to start when the DH parameters file was missing.

Thank you.

 

[luisamaral]

Thanks Karl.

As @cPanelMichael said, the file did not exist.
So , I generated that using the command:

openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 2048

And now it works.

Solved.

The issue is that on April 20th, cPanel generated new DH params for pure-ftpd in:

/etc/ssl/private/pure-ftpd-dhparams.pem

They generated 3072 bit params and Jave (as everywhere notes) only supports 2048 bit params.

You can verify this:

openssl dh -in /etc/ssl/private/pure-ftpd-dhparams.pem -text -noout

First line will tell you the size of the params.

The solution:

cp /etc/ssl/private/pure-ftpd-dhparams.pem /etc/ssl/private/pure-ftpd-dhparams.pem.bak
openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 2048
service pure-ftpd restart