Pure-Ftpd Not Working on cPanel 56

luisamaral

Hi,

After upgrading to cPanel 56.0 (build 9), I can't connect to the FTP, using TLS, with my NetBeans FTP client.
Before this upgrade, in FTP Server Configuration, I was using "Broken Clients Compatibility" = "Yes".

I have tried changing "Broken Clients Compatibility" to "No", but it didn't work.

Here are the logs:

At FTP client:
- Could not generate DH Keypair
- Prime size must be multiple of 64, and can only range from 512 to 2048 (inclusive)

At server, /var/log/messages:
pure-ftpd: [WARNING] Sorry, cleartext sessions and weak ciphers are not accepted on this server.#012Please reconnect using SSL/TLS security mechanisms.

Any idea how to solve this?

Thanks
 

Metro2

Hi luisamaral,

I know this is a long shot and might not have anything to do with your issue, but take a look at this other thread: "All users get blocked when FTP"

You may need to make sure that your PassivePortRange is set correctly in /var/cpanel/conf/pureftpd/main and if you're running CSF you may need to make sure that the TCP_IN setting in your CSF Firewall Configuration has the port range entered correctly as well.
 

Karl

The issue is that on April 20th, cPanel generated new DH params for pure-ftpd in:

/etc/ssl/private/pure-ftpd-dhparams.pem


They generated 3072-bit params and Java (as everywhere notes) only supports 2048-bit params.

You can verify this:

openssl dh -in /etc/ssl/private/pure-ftpd-dhparams.pem -text -noout

First line will tell you the size of the params.

The solution:

cp /etc/ssl/private/pure-ftpd-dhparams.pem /etc/ssl/private/pure-ftpd-dhparams.pem.bak
openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 2048
service pure-ftpd restart
 

cPanelMichael

Administrator
Staff member
Hello,

The change stems from the following entry in the cPanel 56 change log:

Fixed case CPANEL-4968: Update pure-ftpd to 1.0.42-4.cp1156.

The case addressed an issue that resulted in Pure-ftpd failing to start when the DH parameters file was missing.

Thank you.
 

luisamaral

Thanks Karl.

As @cPanelMichael said, the file did not exist.
So, I generated it using the command:

openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 2048

And now it works.

Solved.
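
As an added example that is not part of the original thread: a small shell audit covering both causes identified above, a missing DH parameters file and a prime outside the size rule the FTP client reported. The function names and script name are hypothetical, and it reads the file with `openssl dhparam`.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Pure-FTPd DH parameters file
# against the prime-size rule the FTP client reported.

# Read `openssl dhparam -text -noout` output on stdin and print the prime
# size. The first line reads "DH Parameters: (2048 bit)"; older OpenSSL
# releases prefix it with "PKCS#3 ".
dh_bits_from_text() {
    sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeed only if a prime of $1 bits passes the client's rule from the
# thread: a multiple of 64 between 512 and 2048 inclusive.
client_accepts_prime() {
    [ "$1" -ge 512 ] && [ "$1" -le 2048 ] && [ $(($1 % 64)) -eq 0 ]
}

# Classify a DH parameters file. Prints one of MISSING, UNPARSEABLE,
# "OK <bits>" or "INCOMPATIBLE <bits>" and returns 2, 3, 0 or 1.
check_dhparams() {
    if [ ! -s "$1" ]; then
        echo "MISSING"; return 2
    fi
    bits=$(openssl dhparam -in "$1" -text -noout 2>/dev/null | dh_bits_from_text)
    if [ -z "$bits" ]; then
        echo "UNPARSEABLE"; return 3
    fi
    if client_accepts_prime "$bits"; then
        echo "OK $bits"; return 0
    fi
    echo "INCOMPATIBLE $bits"; return 1
}

# Run against a file when a path is given, e.g. the path from the thread
# (the script name check_dh.sh is hypothetical):
#   sh check_dh.sh /etc/ssl/private/pure-ftpd-dhparams.pem
if [ "$#" -gt 0 ]; then
    check_dhparams "$1"
fi
```

A result of MISSING or INCOMPATIBLE corresponds to the two situations reported in this thread, both of which were resolved by generating 2048-bit parameters and restarting pure-ftpd.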
