###############################################################################
# http://www.proftpd.org/docs/contrib/mod_tls.html
###############################################################################
<IfModule mod_dso.c>
    # If mod_tls was built as a shared/DSO module, load it
    LoadModule mod_tls.c
</IfModule>

<IfModule mod_tls.c>
    TLSEngine                   on
    TLSLog                      /var/log/proftpd/tls.log

    # Support both SSLv3 and TLSv1, but they should not be used
    #  (known to be weak)
    TLSProtocol                 TLSv1.1 TLSv1.2

    # Are clients required to use FTP over TLS when talking to this server?
    TLSRequired                 off

    # Server's RSA certificate
    TLSRSACertificateFile       /etc/proftpd/ssl/proftpd.cert.pem
    TLSRSACertificateKeyFile    /etc/proftpd/ssl/proftpd.key.pem

    # CA (or CA chain) to verify client certs 
    #TLSCACertificateFile        /etc/proftpd/ssl/proftpd.cacert.pem

    # CA (or CA chain) to verify certification path of server cert
    TLSCertificateChainFile     /etc/proftpd/ssl/proftpd.cacert.pem

    # Authenticate clients that want to use FTP over TLS?
    TLSVerifyClient             off

    # Allow SSL/TLS renegotiations when the client requests them, but
    # do not force the renegotations.  Some clients do not support
    # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
    # clients will close the data connection, or there will be a timeout
    # on an idle data connection.
    TLSRenegotiate              none

    # Should Server request a Clients Certificate and send valid CA list ?
    TLSOptions                  NoSessionReuseRequired
</IfModule>