Slow download from FTP with TLS on #1684

Open
stefan-seben opened this issue Jun 13, 2023 · 25 comments

@stefan-seben

Hello, I am not sure if the topic was somehow resolved, but I am experiencing exactly the same issue as multiple users described in #1314.

Transfer times for a 10MB file:

TLSEngine off upload/download: 1 second
TLSEngine on upload: 1 second
TLSEngine on download: 2 minutes

It does not matter if I try it on local network or from outside, or client (WinSCP, Total Commander, Filezilla, AnyFTP), or client platform, it is always very slow.

I am attaching output of proftpd -V and proftpd.conf without ip address
ftpd.txt
proftpd -V output.txt

Thank you very much in advance for looking into it.
Stefan

@Castaglia
Member

What does proftpd -V show? In particular, I'm interested in seeing which version of OpenSSL is being used in your environment. Thanks!

@stefan-seben
Author

Do you mean what did the command show? I attached it in a file, but I can do that also here:

Compile-time Settings:
Version: 1.3.8 (stable)
Platform: FREEBSD13 (FREEBSD13_1) [FreeBSD 13.1-RELEASE-p3 amd64]
OS/Release:
NAME=FreeBSD
VERSION="13.1-RELEASE-p3"
VERSION_ID="13.1"
ID=freebsd
PRETTY_NAME="FreeBSD 13.1-RELEASE-p3"
CPE_NAME="cpe:/o:freebsd:freebsd:13.1"
Built: Sun Apr 2 2023 18:59:12 UTC
Built With:
configure '--localstatedir=/var/run' '--libexecdir=/usr/local/libexec/proftpd' '--with-pkgconfig=libdata/pkgconfig' '--sysconfdir=/usr/local/etc' '--enable-ctrls' '--enable-dso' '--disable-sendfile' '--enable-ipv6' '--disable-memcache' '--enable-nls' '--enable-pcre2' '--disable-pcre' '--disable-redis' '--with-shared=mod_ban:mod_copy:mod_ctrls_admin:mod_deflate:mod_dnsbl:mod_dynmasq:mod_exec:mod_ifsession:mod_ifversion:mod_qos:mod_quotatab:mod_quotatab_file:mod_quotatab_radius:mod_quotatab_sql:mod_radius:mod_ratio:mod_readme:mod_rewrite:mod_sftp:mod_sftp_pam:mod_sftp_sql:mod_shaper:mod_site_misc:mod_snmp:mod_sql:mod_sql_passwd:mod_tls:mod_tls_shmcache:mod_unique_id:mod_wrap2:mod_wrap2_file:mod_wrap2_sql' '--with-includes=/usr/local/include' '--with-libraries=/usr/local/lib' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd13.1' 'build_alias=amd64-portbld-freebsd13.1' 'CC=cc' 'CFLAGS=-O2 -pipe -DLIBICONV_PLUG -fstack-protector-strong -fno-strict-aliasing ' 'LDFLAGS= -lpthread -fstack-protector-strong ' 'LIBS=-lssl -lcrypto -L/usr/lib' 'CPPFLAGS=-DHAVE_OPENSSL -I/usr/include -DLIBICONV_PLUG' 'CPP=cpp' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -DLIBICONV_PLUG -fstack-protector-strong -fno-strict-aliasing -DLIBICONV_PLUG '

CFLAGS: -g2 -O2 -pipe -DLIBICONV_PLUG -fstack-protector-strong -fno-strict-aliasing -Wall -fno-omit-frame-pointer -fno-strict-aliasing -Werror=implicit-function-declaration
LDFLAGS: -Wl,-L$(top_srcdir)/lib,-L$(top_builddir)/lib -lpthread -fstack-protector-strong -rdynamic -L/usr/local/lib
LIBS: -lintl -lpcre2-posix -lpcre2-8 -lssl -lcrypto -lpam -lexecinfo -lcrypt -lssl -lcrypto -L/usr/lib -lutil -pthread

Files:
Configuration File:
/usr/local/etc/proftpd.conf
Pid File:
/var/run/proftpd.pid
Scoreboard File:
/var/run/proftpd.scoreboard
Header Directory:
/usr/local/include/proftpd
Shared Module Directory:
/usr/local/libexec/proftpd

Info:
+ Max supported UID: 4294967295
+ Max supported GID: 4294967295

Features:
- Autoshadow support
+ Controls support
+ curses support
- Developer support
+ DSO support
+ IPv6 support
+ Largefile support
- Lastlog support
- Memcache support
+ ncursesw support
+ NLS support
+ OpenSSL support (OpenSSL 1.1.1o-freebsd 3 May 2022)
- PCRE support
+ PCRE2 support
- POSIX ACL support
- Redis support
- Sendfile support
- Shadow file support
- Sodium support
+ Trace support
+ xattr support

Tunable Options:
PR_TUNABLE_BUFFER_SIZE = 1024
PR_TUNABLE_DEFAULT_RCVBUFSZ = 8192
PR_TUNABLE_DEFAULT_SNDBUFSZ = 8192
PR_TUNABLE_ENV_MAX = 2048
PR_TUNABLE_GLOBBING_MAX_MATCHES = 100000
PR_TUNABLE_GLOBBING_MAX_RECURSION = 8
PR_TUNABLE_HASH_TABLE_SIZE = 40
PR_TUNABLE_LOGIN_MAX = 256
PR_TUNABLE_NEW_POOL_SIZE = 512
PR_TUNABLE_PATH_MAX = 1024
PR_TUNABLE_SCOREBOARD_BUFFER_SIZE = 80
PR_TUNABLE_SCOREBOARD_SCRUB_TIMER = 30
PR_TUNABLE_SELECT_TIMEOUT = 30
PR_TUNABLE_TIMEOUTIDENT = 10
PR_TUNABLE_TIMEOUTIDLE = 600
PR_TUNABLE_TIMEOUTLINGER = 10
PR_TUNABLE_TIMEOUTLOGIN = 300
PR_TUNABLE_TIMEOUTNOXFER = 300
PR_TUNABLE_TIMEOUTSTALLED = 3600
PR_TUNABLE_XFER_SCOREBOARD_UPDATES = 10

Under features is + OpenSSL support (OpenSSL 1.1.1o-freebsd 3 May 2022)

@Castaglia
Member

Thank you. And to help provide perspective, can you explain what you mean by "slow"? That is, when was it "fast" (timings, ProFTPD/OpenSSL/FreeBSD versions), before it became "slow"?

I ask because usually differences in download timings occur because of a number of possibilities:

  • OS/distribution updates (which come with library updates like OpenSSL)
  • Server updates (like ProFTPD)
  • Client updates
  • Networking changes

so having some idea of what might have changed, before and after, with regard to the above factors can help me narrow down what might be involved here. Thanks!

@stefan-seben
Author

This is a very hard question.
Actually my speeds have been always slow - I did not get more than 1 MB/s. But I thought that the reason is the very old HDD which I was using for this data. So the only change is that I swapped the HDD with a new SSD and the speed dropped to 100 kB/s :)
But I ruled out the disk as culprit as all other speeds are OK, really just the download with TLS on is problematic.
And as I was googling this I found the issue #1314 where the symptoms are exactly the same. It seems that there is some pattern which causes it.
But if you have idea which things I should change/reconfigure, just let me know and I will try one by one.
Thank you again for your support.

@mcoelho80

I have conducted numerous tests with various different parameters. The best result was achieved by replacing version 1.3.8 with version 1.3.7f.

The download of files in TLS remains slower, but at least at more acceptable speeds.

In comparison, I installed pure-ftpd and to my surprise, this software does not support TLS in the data channel, i.e., there's no way to compare results from pure-ftpd with proftpd.

The other program that supports TLS, vsftpd, had its latest update in 2021, so I think that proftpd is the program that is most up-to-date in terms of TLS.

There would need to be a bit more effort from the developers to identify and resolve the cause of the problem, as it only happens on download and not on upload with TLS.

@Castaglia
Member

> There would need to be a bit more effort from the developers to identify and resolve the cause of the problem, as it only happens on download and not on upload with TLS.

I'd like to remind you that this is purely a volunteer effort, and "the developers" (just me, mostly) work on this project when we can, in our spare time (which isn't always available).

@mcoelho80

I understand that this project is a volunteer effort and that the developers work on it in their spare time. I apologize for any inconvenience caused.

I'm more than willing to assist with testing and provide any help within my capabilities to find a solution. Please let me know how I can contribute and support your efforts. Together, we can work towards resolving the issue at hand.

@Castaglia
Member

What does the command proftpd -V show, when you use the 1.3.7f version? Can you provide a script that I can use to try to reproduce this behavior locally?

@mcoelho80

# /opt/proftpd/cur/sbin/proftpd -V
Compile-time Settings:
  Version: 1.3.7f (maint)
  Platform: FREEBSD13 (FREEBSD13_2) [FreeBSD 13.2-RELEASE amd64]
  Built: Tue Jun 20 2023 14:37:23 -03
  Built With:
    configure  '--prefix=/opt/proftpd/1.3.7f' '--with-modules=mod_vroot:mod_ban:mod_tls' '--enable-ctrls' '--enable-openssl' '--with-libraries=/usr/local/lib' '--with-includes=/usr/local/include' '--disable-sendfile' '--localstatedir=/var/run/proftpd' 'CFLAGS=-DBAN_LIST_MAXSZ=2048'

  CFLAGS: -g2 -DBAN_LIST_MAXSZ=2048 -Wall -fno-omit-frame-pointer -fno-strict-aliasing
  LDFLAGS: -L$(top_srcdir)/lib -L$(top_builddir)/lib  -rdynamic -L/usr/local/lib
  LIBS:  -lssl -lcrypto -lssl -lcrypto  -lpam -lsupp -lexecinfo -lcrypt  -lutil -pthread

  Files:
    Configuration File:
      /opt/proftpd/1.3.7f/etc/proftpd.conf
    Pid File:
      /var/run/proftpd/proftpd.pid
    Scoreboard File:
      /var/run/proftpd/proftpd.scoreboard

  Info:
    + Max supported UID: 4294967295
    + Max supported GID: 4294967295

  Features:
    - Autoshadow support
    + Controls support
    + curses support
    - Developer support
    - DSO support
    + IPv6 support
    + Largefile support
    - Lastlog support
    - Memcache support
    + ncurses support
    - NLS support
    + OpenSSL support (OpenSSL 1.1.1u  30 May 2023)
    - PCRE support
    - POSIX ACL support
    - Redis support
    - Sendfile support
    - Shadow file support
    - Sodium support
    + Trace support
    + xattr support

  Tunable Options:
    PR_TUNABLE_BUFFER_SIZE = 1024
    PR_TUNABLE_DEFAULT_RCVBUFSZ = 8192
    PR_TUNABLE_DEFAULT_SNDBUFSZ = 8192
    PR_TUNABLE_ENV_MAX = 2048
    PR_TUNABLE_GLOBBING_MAX_MATCHES = 100000
    PR_TUNABLE_GLOBBING_MAX_RECURSION = 8
    PR_TUNABLE_HASH_TABLE_SIZE = 40
    PR_TUNABLE_LOGIN_MAX = 256
    PR_TUNABLE_NEW_POOL_SIZE = 512
    PR_TUNABLE_PATH_MAX = 1024
    PR_TUNABLE_SCOREBOARD_BUFFER_SIZE = 80
    PR_TUNABLE_SCOREBOARD_SCRUB_TIMER = 30
    PR_TUNABLE_SELECT_TIMEOUT = 30
    PR_TUNABLE_TIMEOUTIDENT = 10
    PR_TUNABLE_TIMEOUTIDLE = 600
    PR_TUNABLE_TIMEOUTLINGER = 10
    PR_TUNABLE_TIMEOUTLOGIN = 300
    PR_TUNABLE_TIMEOUTNOXFER = 300
    PR_TUNABLE_TIMEOUTSTALLED = 3600
    PR_TUNABLE_XFER_SCOREBOARD_UPDATES = 10

Here is my proftpd.conf:

ServerIdent on "FTP Server"
ServerName "FTP Server"
ServerType standalone
DefaultServer on
DefaultRoot ~ !wheel
DefaultChdir www !wheel
AuthPAM off
ShowSymLinks off
TimeoutIdle 300
TimeoutNoTransfer 180
TimeoutLogin 120
TimeoutStalled 60
UseReverseDNS off
WtmpLog off
TimesGMT off
ScoreboardFile /path/to/proftpd.scoreboard
Port 21
UseIPv6 off
MaxClients 100
MaxClientsPerHost 100
MaxClientsPerUser 100
ListOptions -a
MaxLoginAttempts 1
Umask 027 027
MaxInstances 100
User nobody
Group nogroup
AllowOverwrite on
ExtendedLog /path/to/ftp.log read,write
TLSCryptoDevice all
TLSSessionCache internal: 1800
TLSDHParamFile /path/to/dhparams.pem
TLSECDHCurve secp521r1:prime256v1
TLSCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA
TLSServerCipherPreference on
SocketOptions rcvbuf 4194304 sndbuf 4194304 keepalive on

<Global>
TLSRenegotiate none
TLSCryptoDevice all
TLSDHParamFile /path/to/dhparams.pem
TLSECDHCurve secp521r1:prime256v1
</Global>

<IfModule mod_ban.c>
BanEngine on
BanTable /path/to/proftpd.table
BanLog /path/to/ban.log
BanOnEvent MaxLoginAttempts 3/00:01:00 00:05:00 "Too many wrong passwords. Try again in 5 minutes"
BanControlsACLs all allow user root
</IfModule>

<IfModule mod_ctrls.c>
ControlsEngine on
ControlsACLs all allow user root
ControlsMaxClients 5
ControlsInterval 5
ControlsSocketOwner root wheel
ControlsSocketACL allow user root
</IfModule>

<IfModule mod_tls.c>
TLSEngine on
TLSProtocol ALL -SSLv3
TLSRequired off
TLSRSACertificateFile /path/to/file.pem
TLSRSACertificateKeyFile /path/to/file.key
TLSVerifyClient off
TLSLog /path/to/tls.log
TLSRenegotiate none
TLSCryptoDevice all
TLSDHParamFile /path/to/dhparams.pem
TLSECDHCurve secp521r1:prime256v1

<VirtualHost %IP% %IP2%>
Port 990
TLSEngine on
TLSOptions UseImplicitSSL
TLSProtocol ALL -SSLv3
TLSRequired on
TLSRSACertificateFile /path/to/file.pem
TLSRSACertificateKeyFile /path/to/file.key
TLSVerifyClient off
TLSRenegotiate none
TLSCryptoDevice all
TLSDHParamFile /path/to/dhparams.pem
TLSECDHCurve secp521r1:prime256v1

DefaultChdir www !wheel
AllowOverwrite on

</VirtualHost>

</IfModule>

Important: I also activated AESNI and added cryptodev_load="YES" to /boot/loader.conf.

@mcoelho80

mcoelho80 commented Jun 22, 2023

SocketOptions rcvbuf 8388608 sndbuf 8388608 keepalive on

With the above configuration I could download files at ~40MB/second.

@stefan-seben
Author

stefan-seben commented Jun 22, 2023

> SocketOptions rcvbuf 8388608 sndbuf 8388608 keepalive on
>
> With the above configuration I could download files at ~40MB/second.

I tried this and it did not improve. I saw by multiple users that the problem occurs on FreeBSD/TrueNAS operating system. It may somehow be a culprit. I will try to downgrade proftpd and upgrade OpenSSL to get more similar environment to @mcoelho80.
And @Castaglia thank you for all the work!

@Castaglia
Member

I'm not sure if it'd be possible in your environments, but another good comparison to try would be ProFTPD on Linux. That might help provide more data on how much the underlying OS (and its libraries, networking, etc) might play into this situation.

@stefan-seben
Author

> I'm not sure if it'd be possible in your environments, but another good comparison to try would be ProFTPD on Linux. That might help provide more data on how much the underlying OS (and its libraries, networking, etc) might play into this situation.

OK, I will try this.

@Castaglia
Member

Hmm. Since you mention a NAS as well, I wonder if the filesystem hosting the files being downloaded (i.e. mounted from the NAS or not) factors in as well. That is, if a large file not on the NAS was being downloaded (using ProFTPD on FreeBSD), does the download speed change?

@stefan-seben
Author

> Hmm. Since you mention a NAS as well, I wonder if the filesystem hosting the files being downloaded (i.e. mounted from the NAS or not) factors in as well. That is, if a large file not on the NAS was being downloaded (using ProFTPD on FreeBSD), does the download speed change?

I am actually not using NAS. I just mentioned TrueNAS, because I saw its users also complaining about slow speed and TrueNAS OS is based on FreeBSD.
But it is true that I am actually using ftp folder which is not in root filesystem. I am going to change that right away and will let you know.

@Castaglia
Member

> > Hmm. Since you mention a NAS as well, I wonder if the filesystem hosting the files being downloaded (i.e. mounted from the NAS or not) factors in as well. That is, if a large file not on the NAS was being downloaded (using ProFTPD on FreeBSD), does the download speed change?
>
> I am actually not using NAS. I just mentioned TrueNAS, because I saw its users also complaining about slow speed and TrueNAS OS is based on FreeBSD. But it is true that I am actually using ftp folder which is not in root filesystem. I am going to change that right away and will let you know.

Ah, I see. Thanks for the clarification!

@mcoelho80

mcoelho80 commented Jun 22, 2023

> Hmm. Since you mention a NAS as well, I wonder if the filesystem hosting the files being downloaded (i.e. mounted from the NAS or not) factors in as well. That is, if a large file not on the NAS was being downloaded (using ProFTPD on FreeBSD), does the download speed change?

In my case, the files are served from an SSD disk. In the tests conducted on a local network, the upload speed reached ~112MB/s, while the download speed was slightly over 40MB/s.

However, I was only able to achieve these download speeds after making modifications. Specifically, I adjusted the SocketOptions in the proftpd.conf file and added devcrypto_load="YES" to /boot/loader.conf.

@stefan-seben
Author

> > Hmm. Since you mention a NAS as well, I wonder if the filesystem hosting the files being downloaded (i.e. mounted from the NAS or not) factors in as well. That is, if a large file not on the NAS was being downloaded (using ProFTPD on FreeBSD), does the download speed change?
>
> In my case, the files are served from an SSD disk. In the tests conducted on a local network, the upload speed reached ~112MB/s, while the download speed was slightly over 40MB/s.
>
> However, I was only able to achieve these download speeds after making modifications. Specifically, I adjusted the SocketOptions in the proftpd.conf file and added devcrypto_load="YES" to /boot/loader.conf.

Yes, this is the area. With these changes I was able to get download rate from around 100 kB to 3 MB per second. I am not able to set buffer size to more than 1600000, then I get "no buffer space available", I need to look at it deeper.

However, it is still significantly slower than upload and also download without TLS.

For now though, thank you!
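An added example, not part of the thread and not ProFTPD code: a probe for what the kernel does with the send/receive buffer sizes that SocketOptions requests, using the sizes mentioned in this issue. On FreeBSD a request above the kernel's socket-buffer limit (kern.ipc.maxsockbuf) is refused with ENOBUFS, which is the "no buffer space available" message; Linux instead clamps the request silently. The function names are hypothetical, and the search assumes a 1-byte request is always accepted.

```python
import errno
import socket


def effective_bufsize(option, requested):
    """Request a socket buffer of `requested` bytes on a fresh TCP socket.

    Returns the size the kernel reports afterwards (Linux reports double the
    clamped request), or None when the kernel refuses with ENOBUFS.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.setsockopt(socket.SOL_SOCKET, option, requested)
        except OSError as exc:
            if exc.errno == errno.ENOBUFS:
                return None
            raise
        return s.getsockopt(socket.SOL_SOCKET, option)


def largest_accepted(option, ceiling):
    """Binary-search the largest request in [1, ceiling] that is not refused."""
    if effective_bufsize(option, ceiling) is not None:
        return ceiling
    lo, hi = 1, ceiling  # assumption: lo is accepted; hi is known refused
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if effective_bufsize(option, mid) is not None:
            lo = mid
        else:
            hi = mid
    return lo


def report(sizes=(8192, 16384, 1600000, 4194304, 8388608)):
    """Try each size from the thread for both buffers; None means refused."""
    rows = []
    for name, option in (("sndbuf", socket.SO_SNDBUF),
                         ("rcvbuf", socket.SO_RCVBUF)):
        for size in sizes:
            rows.append((name, size, effective_bufsize(option, size)))
    return rows


if __name__ == "__main__":
    for name, size, got in report():
        status = "refused (ENOBUFS)" if got is None else f"kernel reports {got}"
        print(f"{name} {size:>8}: {status}")
    for name, option in (("sndbuf", socket.SO_SNDBUF),
                         ("rcvbuf", socket.SO_RCVBUF)):
        print(f"largest accepted {name} up to 16 MiB:",
              largest_accepted(option, 16 * 1024 * 1024))
```

Run it on the server host as the same kind of user that runs proftpd; a large gap between the requested and reported size means the SocketOptions value is not what the connection actually gets.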

@mcoelho80

@Castaglia
Nginx supports KTLS, which enables "sendfile()" over TLS. This approach may be beneficial for improving download speeds in proftpd.
You can learn more about it here: https://www.nginx.com/blog/improving-nginx-performance-with-kernel-tls/

@Castaglia
Member

Castaglia commented Jun 24, 2023

> @Castaglia Nginx supports KTLS, which enables "sendfile()" over TLS. This approach may be beneficial for improving download speeds in proftpd. You can learn more about it here: https://www.nginx.com/blog/improving-nginx-performance-with-kernel-tls/

Thanks for the reference.

Before looking into that too much, though, I'm hoping we can track down the bottlenecks with your existing setup, so that we know we're tweaking/changing the areas to have the most effect. Performance tuning of file transfers involves quite a few factors, which is why it can take a frustratingly long time to figure out just what the bottlenecks are, as it covers:

  • the filesystem I/O performance on the server end, for e.g. how fast can the server read chunks of data from the filesystem
  • the network I/O performance on the server end, for e.g. how quickly can the server write chunks of data to the network
  • the multiple framing/encoding transformations of the network protocols involved (TCP, FTP, TLS)
  • the network I/O performance on the client end, for e.g. how quickly can the client read chunks of data from the network
  • the filesystem I/O performance on the client end, for e.g. how quickly can the client write chunks of data to its filesystem

It may be that tweaking socket buffer sizes and TLS ciphersuites helps -- or may not. I've seen cases where either the server network interface was saturated -- or the client network interface was saturated. Or cases where it was the client-side filesystem (e.g. writing a downloaded file to an NFS mount which was slow) which caused the perception of "slow downloads".

I'm not exactly sure of what the best way is to measure all of the above factors in your case; I'm just trying to point out all of the places we'll want to look, to make sure that we are making changes in the right areas, to have the most impact.

Now, what helps is your earlier observation:

> TLSEngine off upload/download: 1 second
> TLSEngine on upload: 1 second
> TLSEngine on download: 2 minutes

Using the same client, same server, same file, the above does rule out a lot of the factors as being the most likely bottlenecks.

You mention:

> It does not matter if I try it on local network or from outside

By "local network", do you mean you have the client running on the same host as the server, i.e. connecting to localhost/127.0.0.1? I ask because I'm wondering if there are any network routers or firewalls in the network path, between server and client, that might also be a factor. Even things like iptables/pf or any other kind of packet filtering on the server host might unexpectedly add latency.

@Castaglia
Member

Per #1314 (comment), I'm re-examining code differences between 1.3.7e and 1.3.8. One that pertains to FTPS is the support for TLSv1.3. In your downloads, can you see which TLS protocol version (and ciphersuite) is being used? If you add TLSOptions EnableDiags, it should enable a very detailed/verbose logging, to the TLSLog, of protocol-level TLS messages -- and for these slow downloads, that extra logging may help provide clues/data as well.
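An added example, not part of the thread and not ProFTPD project code: a client-side reproduction script of the kind requested earlier, which times one RETR with the data channel under TLS (PROT P) and one in the clear (PROT C), and reports the TLS version and ciphersuite negotiated on the data connection. It assumes explicit FTPS (AUTH TLS on the control port) and a server that permits PROT C; the class and function names are hypothetical, and host, user, path and CA file come from the command line.

```python
import ftplib
import getpass
import ssl
import sys
import time


class ReusedSessionFTP_TLS(ftplib.FTP_TLS):
    """Hypothetical helper: resume the control channel's TLS session on data
    connections, which mod_tls expects unless NoSessionReuseRequired is set."""

    def ntransfercmd(self, cmd, rest=None):
        # Take the raw data socket from the plain-FTP code path, then wrap it
        # ourselves so the control connection's session can be passed in.
        conn, size = ftplib.FTP.ntransfercmd(self, cmd, rest)
        if self._prot_p:
            conn = self.context.wrap_socket(
                conn, server_hostname=self.host, session=self.sock.session)
        return conn, size


def drain(conn, blocksize=65536):
    """Read conn to EOF and return byte count, timing and TLS parameters."""
    is_tls = isinstance(conn, ssl.SSLSocket)
    version = conn.version() if is_tls else None
    cipher = conn.cipher()[0] if is_tls else None
    total = 0
    start = time.perf_counter()
    while True:
        chunk = conn.recv(blocksize)
        if not chunk:
            break
        total += len(chunk)
    elapsed = time.perf_counter() - start
    rate = total / elapsed / 1e6 if elapsed > 0 else 0.0
    return {"bytes": total, "seconds": elapsed, "mb_per_s": rate,
            "tls": version, "cipher": cipher}


def timed_retr(host, user, password, path, protect, port=21, cafile=None):
    """Download `path` once; protect=True uses PROT P, False uses PROT C."""
    # Verify the server certificate; pass cafile for a private or test CA.
    ctx = ssl.create_default_context(cafile=cafile)
    ftp = ReusedSessionFTP_TLS(context=ctx)
    ftp.connect(host, port, timeout=30)
    ftp.login(user, password)  # FTP_TLS.login() issues AUTH TLS first
    if protect:
        ftp.prot_p()
    else:
        ftp.prot_c()  # refused by servers configured with TLSRequired on
    ftp.voidcmd("TYPE I")
    conn = ftp.transfercmd("RETR " + path)
    try:
        result = drain(conn)
        if isinstance(conn, ssl.SSLSocket):
            try:
                conn.unwrap()  # orderly TLS shutdown of the data channel
            except (ssl.SSLError, OSError):
                pass  # peer already closed; the timing is unaffected
    finally:
        conn.close()
    ftp.voidresp()  # consume the 226 transfer-complete reply
    ftp.quit()
    return result


if __name__ == "__main__":
    host, user, path = sys.argv[1:4]
    cafile = sys.argv[4] if len(sys.argv) > 4 else None
    password = getpass.getpass()
    for label, protect in (("PROT P", True), ("PROT C", False)):
        r = timed_retr(host, user, password, path, protect, cafile=cafile)
        print(f"{label}: {r['bytes']} bytes in {r['seconds']:.2f}s "
              f"({r['mb_per_s']:.2f} MB/s) tls={r['tls']} cipher={r['cipher']}")
```

Because the file is read into memory and discarded, client-side disk writes are excluded from the timing, leaving the network path and the TLS layer as the variables.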

@stefan-seben
Author

Hi, I apologize for not writing for so long, as the solution with buffer was "somewhat" satisfying. However, only on one client which I was regularly using.
Today I had again a little bit of time to play around. The only way where I could have reliably fast encrypted download was to downgrade ProFTPD to version 1.3.6d. I can live with it, although it is not an ideal solution.
Thank you again!

@Antorell
Contributor

Antorell commented Aug 21, 2023

Same issue here. Downloading caps at 400KB/s and uploading caps around 3MB/s when TLS is enabled. It only happens with Proftpd: while Proftpd is crawling slow with TLS active, I can download from Nginx or vsftpd with TLS at 110MB/s 1 thread without problem. The FTP client doesn't matter; FileZilla, FlashFXP or CoreFTP are all crawling slow with any of their internal buffer settings (if available) until I manually set Proftpd's buffers with SocketOptions. I use TLSv1.2, not TLSv1.3.

Also, Proftpd doesn't need huge SocketOptions buffers to be manually set to fix the issue, setting the buffers at the same value as the PR_TUNABLE_DEFAULT_XXXBUFSZ defaults (8192) fixes it.

SocketOptions sndbuf 8192 rcvbuf 8192
Download: File.dat 178.71 MB in 3 seconds (54.37 MB/s)
Upload: File.dat 178.71 MB in 3 seconds (56.48 MB/s)

Compile-time Settings:
Version: 1.3.8 (stable)
Platform: LINUX [Linux 6.4.10-x64v1-xanmod1 x86_64]
OS/Release:
PRETTY_NAME="Ubuntu 23.04"
NAME="Ubuntu"
VERSION_ID="23.04"
VERSION="23.04 (Lunar Lobster)"
VERSION_CODENAME=lunar
ID=ubuntu
ID_LIKE=debian
UBUNTU_CODENAME=lunar
Built: Tue Mar 14 2023 09:16:31 UTC
Built With:
configure '--infodir=/share/info' '--disable-option-checking' '--disable-silent-rules' '--libdir=/lib/x86_64-linux-gnu' '--disable-dependency-tracking' '--prefix=/usr' '--with-pkgconfig=lib/pkgconfig' '--with-includes=/usr/include/postgresql:/usr/include/mysql' '--mandir=/usr/share/man' '--sysconfdir=/etc/proftpd' '--localstatedir=/run' '--libexecdir=/usr/lib/proftpd' '--enable-sendfile' '--enable-facl' '--enable-dso' '--enable-autoshadow' '--enable-ctrls' '--enable-openssl' '--enable-ipv6' '--enable-nls' '--enable-memcache' '--with-lastlog=/var/log/lastlog' '--enable-pcre2' '--disable-strip' '--enable-redis' '--build' 'x86_64-linux-gnu' '--with-shared=mod_unique_id:mod_site_misc:mod_load:mod_ban:mod_quotatab:mod_sql:mod_sql_mysql:mod_sql_postgres:mod_sql_sqlite:mod_sql_odbc:mod_dynmasq:mod_quotatab_sql:mod_ldap:mod_quotatab_ldap:mod_ratio:mod_tls:mod_rewrite:mod_radius:mod_wrap:mod_wrap2:mod_wrap2_file:mod_wrap2_sql:mod_quotatab_file:mod_quotatab_radius:mod_facl:mod_ctrls_admin:mod_copy:mod_deflate:mod_ifversion:mod_geoip:mod_exec:mod_sftp:mod_sftp_pam:mod_sftp_sql:mod_shaper:mod_sql_passwd:mod_ifsession:mod_auth_otp:mod_tls_redis:mod_wrap2_redis:mod_redis:mod_memcache:mod_tls_memcache:mod_readme:mod_snmp:mod_digest:mod_ident:mod_log_forensic:mod_qos:mod_statcache:mod_tls_fscache:mod_tls_shmcache:mod_dnsbl' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -ffile-prefix-map=/build/proftpd-dfsg-uU8V7h/proftpd-dfsg-1.3.8+dfsg=. -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -fdebug-prefix-map=/build/proftpd-dfsg-uU8V7h/proftpd-dfsg-1.3.8+dfsg=/usr/src/proftpd-dfsg-1.3.8+dfsg-4' 'LDFLAGS=-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -ffile-prefix-map=/build/proftpd-dfsg-uU8V7h/proftpd-dfsg-1.3.8+dfsg=. 
-flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -fdebug-prefix-map=/build/proftpd-dfsg-uU8V7h/proftpd-dfsg-1.3.8+dfsg=/usr/src/proftpd-dfsg-1.3.8+dfsg-4'

CFLAGS: -g2 -g -O2 -ffile-prefix-map=/build/proftpd-dfsg-uU8V7h/proftpd-dfsg-1.3.8+dfsg=. -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -fdebug-prefix-map=/build/proftpd-dfsg-uU8V7h/proftpd-dfsg-1.3.8+dfsg=/usr/src/proftpd-dfsg-1.3.8+dfsg-4 -Wall -fno-omit-frame-pointer -fno-strict-aliasing -Werror=implicit-function-declaration
LDFLAGS: -Wl,-L$(top_srcdir)/lib,-L$(top_builddir)/lib -Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -Wl,-z,relro -Wl,-z,now -rdynamic -L/usr/lib/x86_64-linux-gnu -L/usr/lib/x86_64-linux-gnu
LIBS: -lacl -lpcre2-posix -lpcre2-8 -lssl -lcrypto -lsodium -lcap -lpam -lattr -lidn2 -lnsl -lresolv -lresolv -lcrypt -lhiredis -lmemcachedutil -lmemcached -pthread

Files:
Configuration File:
/etc/proftpd/proftpd.conf
Pid File:
/run/proftpd.pid
Scoreboard File:
/run/proftpd.scoreboard
Header Directory:
/usr/include/proftpd
Shared Module Directory:
/usr/lib/proftpd

Info:
+ Max supported UID: 4294967295
+ Max supported GID: 4294967295

Features:
+ Autoshadow support
+ Controls support
+ curses support
- Developer support
+ DSO support
+ IPv6 support
+ Largefile support
+ Lastlog support
+ Memcache support
+ ncursesw support
+ NLS support
+ OpenSSL support (OpenSSL 3.0.8 7 Feb 2023)
- PCRE support
+ PCRE2 support
+ POSIX ACL support
+ Redis support
+ Sendfile support
+ Shadow file support
+ Sodium support
+ Trace support
+ xattr support

Tunable Options:
PR_TUNABLE_BUFFER_SIZE = 1024
PR_TUNABLE_DEFAULT_RCVBUFSZ = 8192
PR_TUNABLE_DEFAULT_SNDBUFSZ = 8192
PR_TUNABLE_ENV_MAX = 2048
PR_TUNABLE_GLOBBING_MAX_MATCHES = 100000
PR_TUNABLE_GLOBBING_MAX_RECURSION = 8
PR_TUNABLE_HASH_TABLE_SIZE = 40
PR_TUNABLE_LOGIN_MAX = 256
PR_TUNABLE_NEW_POOL_SIZE = 512
PR_TUNABLE_PATH_MAX = 4096
PR_TUNABLE_SCOREBOARD_BUFFER_SIZE = 80
PR_TUNABLE_SCOREBOARD_SCRUB_TIMER = 30
PR_TUNABLE_SELECT_TIMEOUT = 30
PR_TUNABLE_TIMEOUTIDENT = 10
PR_TUNABLE_TIMEOUTIDLE = 600
PR_TUNABLE_TIMEOUTLINGER = 10
PR_TUNABLE_TIMEOUTLOGIN = 300
PR_TUNABLE_TIMEOUTNOXFER = 300
PR_TUNABLE_TIMEOUTSTALLED = 3600
PR_TUNABLE_XFER_SCOREBOARD_UPDATES = 10

Port                12345
UseIPv6             on
DeferWelcome	    on
UseSendfile         on
WtmpLog             off
UseReverseDNS       off
RootLogin           on
DefaultRoot         ~ !root
RootRevoke          on
TimeoutLogin        20
MaxLoginAttempts    3
AllowOverride       off
AllowOverwrite      on
Protocols           ftps
ProcessTitles       terse
AuthAliasOnly       on
UserAlias         
TimesGMT            off
SetEnv              TZ CEST
ListOptions         +R strict

SocketOptions sndbuf 16384 rcvbuf 16384

<IfModule mod_tls.c>
TLSEngine                  on
TLSProtocol                TLSv1.2
TLSECCertificateFile       
TLSECCertificateKeyFile   

TLSOptions NoSessionReuseRequired
TLSVerifyClient            off
TLSRequired                auth
RequireValidShell          no
</IfModule>

edit: clarifications

@Castaglia
Member

If you're able to build ProFTPD from source, I recommend trying out the latest code in the master branch. I've made a couple of recent changes that may help in this regard:

With these changes, you may no longer need (or want) the SocketOptions settings to set the send/receive buffer sizes, as the above changes, in the auto-detection of good buffer sizes, may improve things.

@Castaglia
Member

In addition, I've also filed #1729 to track support for KTLS via SSL_sendfile usage.
