On a couple of cPanel servers today I was having awful issues getting TLS/SSL to work through PureFTPD in conjunction with the mighty ASL firewall. I found the solution in the end and it was relatively painless.
So, you are reading this if you:
a. Are running a cPanel server (WHM)
b. Are using the ASL firewall from atomicorp.com
c. Are using PureFTPD
d. Have passive mode enabled
e. Want to get TLS/SSL working (either forced or optional)
1. Open the ASL GUI and add some ports.
Find the setting under ASL Configuration > Firewall > FW_INBOUND_TCP_SERVICES.
Add a port range, for example 40300:40500. This is the step that actually fixes the problem: once the control channel is encrypted with TLS, the kernel's FTP connection-tracking helper can no longer read the PASV replies and open data ports on demand, so the passive range has to be opened statically in the firewall, and it has to be exactly the range PureFTPD is told to use in step 3. Keep the range only as large as the number of concurrent data connections you expect; the whole range is open inbound even though only PureFTPD listens on it.
2. Open WHM and define TLS
In WHM go to Service Configuration > FTP Server Configuration and set TLS Encryption Support to either "Optional" or "Required". Prefer "Required" where your users' clients allow it: with "Optional", a client that never sends AUTH TLS silently gets a plaintext session, password included.
3. Define the passive ports in the PureFTPD configuration
Open SSH and run "pico /etc/pure-ftpd.conf" (or use your editor of choice).
Scroll down to the PassivePortRange directive and enter the same range you opened in ASL. Note that the syntax differs: the firewall takes 40300:40500, while pure-ftpd.conf takes the two ends separated by a space, i.e. "PassivePortRange 40300 40500".
After adding your port range, save the file and restart the FTP service using "/usr/local/cpanel/scripts/restartsrv pureftpd". If your edit does not survive a restart or a cPanel update, check whether your cPanel version regenerates /etc/pure-ftpd.conf from /var/cpanel/conf/pureftpd/main (newer builds do) and make the change there instead.
4. Test your FTP connection using TLS/SSL
In your FTP client, make sure passive mode is enabled and explicit TLS/SSL (FTP over TLS on port 21) is selected.
You should connect without problems.
You might be asked to verify the server's certificate. Do not just click through: compare the fingerprint your client shows with the fingerprint of the certificate installed for the FTP service on the server (WHM > Service Configuration > Manage Service SSL Certificates, or run "openssl x509 -noout -fingerprint -sha256" against the certificate file). A mismatch means you are not talking to your server. Accepting a self-signed certificate after checking its fingerprint is fine for your own clients; if you want customers' clients to trust it without a prompt, install a CA-issued certificate for the FTP service in WHM.
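The three places touched in steps 1, 3 and 4 have to agree with each other, and when they do not the symptom is a client that authenticates fine and then hangs on the first directory listing. The script below is an added check written for this page (it is not from the original post, cPanel or Atomicorp): it reads the PassivePortRange directive from pure-ftpd.conf text, checks that a FW_INBOUND_TCP_SERVICES value covers that range, decodes the data port from a 227 PASV reply and confirms it falls inside the range. It assumes the firewall value is a comma-separated list using iptables-style LOW:HIGH ranges (an assumption about how ASL stores what you typed; adapt if yours differs) and runs on constructed sample inputs.

```shell
#!/bin/sh
# Added example for this page (not from the original post, cPanel or Atomicorp):
# check that the three places that must agree for FTPS passive mode actually do:
#   - PassivePortRange in pure-ftpd.conf
#   - the LOW:HIGH range opened in ASL's FW_INBOUND_TCP_SERVICES
#   - the data port a PASV (227) reply tells the client to connect to
# All inputs below are constructed samples; on a real server substitute the
# live values (see the note after the script).

# Constructed snippet of /etc/pure-ftpd.conf.
SAMPLE_PUREFTPD_CONF='# Port range for passive connections replies.
PassivePortRange 40300 40500'

# Constructed FW_INBOUND_TCP_SERVICES value. Assumed format: comma-separated
# ports with iptables-style LOW:HIGH ranges, as entered in the ASL GUI.
SAMPLE_ASL_TCP_SERVICES='21,80,443,40300:40500'

# Constructed 227 reply from the (TLS-protected) control channel.
# 203.0.113.10 is documentation address space; port = 157*256 + 108 = 40300.
SAMPLE_PASV_REPLY='227 Entering Passive Mode (203,0,113,10,157,108)'

# pureftpd_range CONF_TEXT -> prints "LOW HIGH" from the PassivePortRange directive
# (commented-out copies of the directive have "#" as the first field and are skipped).
pureftpd_range() {
    printf '%s\n' "$1" | awk '$1 == "PassivePortRange" { print $2, $3; exit }'
}

# asl_has_range TCP_SERVICES LOW HIGH -> exit 0 if one LOW:HIGH entry covers the range.
asl_has_range() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -v lo="$2" -v hi="$3" '
        /:/ { split($0, r, ":"); if (r[1] + 0 <= lo + 0 && r[2] + 0 >= hi + 0) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# pasv_port REPLY -> prints the data port encoded in a 227 reply (p1*256 + p2),
# nothing if the reply carries no (h1,h2,h3,h4,p1,p2) tuple.
pasv_port() {
    printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p' | awk -F, 'NF == 6 { print $5 * 256 + $6 }'
}

# in_range PORT LOW HIGH -> exit 0 if LOW <= PORT <= HIGH.
in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# check_config CONF_TEXT TCP_SERVICES PASV_REPLY -> prints a verdict; exit 0 only
# when the firewall opens PureFTPD's range and the PASV port falls inside it.
check_config() {
    range=$(pureftpd_range "$1")
    [ -n "$range" ] || { echo "FAIL: no PassivePortRange directive in pure-ftpd.conf"; return 1; }
    low=${range% *}
    high=${range#* }
    if ! asl_has_range "$2" "$low" "$high"; then
        echo "FAIL: firewall does not open $low:$high (data connections will hang)"
        return 1
    fi
    port=$(pasv_port "$3")
    [ -n "$port" ] || { echo "FAIL: could not parse a 227 reply from: $3"; return 1; }
    if ! in_range "$port" "$low" "$high"; then
        echo "FAIL: server offered data port $port, outside the open range $low-$high"
        return 1
    fi
    echo "OK: range $low-$high is open in ASL and the server offered port $port inside it"
}

# Run against the constructed samples when executed directly.
check_config "$SAMPLE_PUREFTPD_CONF" "$SAMPLE_ASL_TCP_SERVICES" "$SAMPLE_PASV_REPLY"
```

To use it on a live box, pass the contents of /etc/pure-ftpd.conf, the value you entered in FW_INBOUND_TCP_SERVICES, and a 227 reply taken from your client's log. You can obtain that reply, and inspect the certificate from step 4 at the same time, with "openssl s_client -connect your.server:21 -starttls ftp": after the handshake it shows the certificate chain, and you can type USER, PASS and PASV into the encrypted session and read the 227 line the server returns.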