FTP: improve TLS certificate authentication

For each user you can now configure: - TLS certificate auth - TLS certificate auth and password - Password auth For TLS auth, the certificate common name must match the name provided using the "USER" FTP command
2025-12-07 06:40:54 +03:00 · 2021-02-28 12:10:40 +01:00
parent b566457e12
commit a6e36e7cad
28 changed files with 1051 additions and 173 deletions
--- a/ftpd/ftpd_test.go
+++ b/ftpd/ftpd_test.go
@@ -67,8 +67,161 @@ UM2lmBLIXpGgBwYFK4EEACKhZANiAARCjRMqJ85rzMC998X5z761nJ+xL3bkmGVq
 WvrJ51t5OxV0v25NsOgR82CANXUgvhVYs7vNFN+jxtb2aj6Xg+/2G/BNxkaFspIV
 CzgWkxiz7XE4lgUwX44FCXZM3+JeUbI=
 -----END EC PRIVATE KEY-----`
-	testFileName   = "test_file_ftp.dat"
-	testDLFileName = "test_download_ftp.dat"
+	caCRT = `-----BEGIN CERTIFICATE-----
+MIIE5jCCAs6gAwIBAgIBATANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDEwhDZXJ0
+QXV0aDAeFw0yMTAxMDIyMTIwNTVaFw0yMjA3MDIyMTMwNTJaMBMxETAPBgNVBAMT
+CENlcnRBdXRoMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4Tiho5xW
+AC15JRkMwfp3/TJwI2As7MY5dele5cmdr5bHAE+sRKqC+Ti88OJWCV5saoyax/1S
+CjxJlQMZMl169P1QYJskKjdG2sdv6RLWLMgwSNRRjxp/Bw9dHdiEb9MjLgu28Jro
+9peQkHcRHeMf5hM9WvlIJGrdzbC4hUehmqggcqgARainBkYjf0SwuWxHeu4nMqkp
+Ak5tcSTLCjHfEFHZ9Te0TIPG5YkWocQKyeLgu4lvuU+DD2W2lym+YVUtRMGs1Env
+k7p+N0DcGU26qfzZ2sF5ZXkqm7dBsGQB9pIxwc2Q8T1dCIyP9OQCKVILdc5aVFf1
+cryQFHYzYNNZXFlIBims5VV5Mgfp8ESHQSue+v6n6ykecLEyKt1F1Y/MWY/nWUSI
+8zdq83jdBAZVjo9MSthxVn57/06s/hQca65IpcTZV2gX0a+eRlAVqaRbAhL3LaZe
+bYsW3WHKoUOftwemuep3nL51TzlXZVL7Oz/ClGaEOsnGG9KFO6jh+W768qC0zLQI
+CdE7v2Zex98sZteHCg9fGJHIaYoF0aJG5P3WI5oZf2fy7UIYN9ADLFZiorCXAZEh
+CSU6mDoRViZ4RGR9GZxbDZ9KYn7O8M/KCR72bkQg73TlMsk1zSXEw0MKLUjtsw6c
+rZ0Jt8t3sRatHO3JrYHALMt9vZfyNCZp0IsCAwEAAaNFMEMwDgYDVR0PAQH/BAQD
+AgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFO1yCNAGr/zQTJIi8lw3
+w5OiuBvMMA0GCSqGSIb3DQEBCwUAA4ICAQA6gCNuM7r8mnx674dm31GxBjQy5ZwB
+7CxDzYEvL/oiZ3Tv3HlPfN2LAAsJUfGnghh9DOytenL2CTZWjl/emP5eijzmlP+9
+zva5I6CIMCf/eDDVsRdO244t0o4uG7+At0IgSDM3bpVaVb4RHZNjEziYChsEYY8d
+HK6iwuRSvFniV6yhR/Vj1Ymi9yZ5xclqseLXiQnUB0PkfIk23+7s42cXB16653fH
+O/FsPyKBLiKJArizLYQc12aP3QOrYoYD9+fAzIIzew7A5C0aanZCGzkuFpO6TRlD
+Tb7ry9Gf0DfPpCgxraH8tOcmnqp/ka3hjqo/SRnnTk0IFrmmLdarJvjD46rKwBo4
+MjyAIR1mQ5j8GTlSFBmSgETOQ/EYvO3FPLmra1Fh7L+DvaVzTpqI9fG3TuyyY+Ri
+Fby4ycTOGSZOe5Fh8lqkX5Y47mCUJ3zHzOA1vUJy2eTlMRGpu47Eb1++Vm6EzPUP
+2EF5aD+zwcssh+atZvQbwxpgVqVcyLt91RSkKkmZQslh0rnlTb68yxvUnD3zw7So
+o6TAf9UvwVMEvdLT9NnFd6hwi2jcNte/h538GJwXeBb8EkfpqLKpTKyicnOdkamZ
+7E9zY8SHNRYMwB9coQ/W8NvufbCgkvOoLyMXk5edbXofXl3PhNGOlraWbghBnzf5
+r3rwjFsQOoZotA==
+-----END CERTIFICATE-----`
+	caCRL = `-----BEGIN X509 CRL-----
+MIICpzCBkAIBATANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDEwhDZXJ0QXV0aBcN
+MjEwMTAyMjEzNDA1WhcNMjMwMTAyMjEzNDA1WjAkMCICEQC+l04DbHWMyC3fG09k
+VXf+Fw0yMTAxMDIyMTM0MDVaoCMwITAfBgNVHSMEGDAWgBTtcgjQBq/80EySIvJc
+N8OTorgbzDANBgkqhkiG9w0BAQsFAAOCAgEAEJ7z+uNc8sqtxlOhSdTGDzX/xput
+E857kFQkSlMnU2whQ8c+XpYrBLA5vIZJNSSwohTpM4+zVBX/bJpmu3wqqaArRO9/
+YcW5mQk9Anvb4WjQW1cHmtNapMTzoC9AiYt/OWPfy+P6JCgCr4Hy6LgQyIRL6bM9
+VYTalolOm1qa4Y5cIeT7iHq/91mfaqo8/6MYRjLl8DOTROpmw8OS9bCXkzGKdCat
+AbAzwkQUSauyoCQ10rpX+Y64w9ng3g4Dr20aCqPf5osaqplEJ2HTK8ljDTidlslv
+9anQj8ax3Su89vI8+hK+YbfVQwrThabgdSjQsn+veyx8GlP8WwHLAQ379KjZjWg+
+OlOSwBeU1vTdP0QcB8X5C2gVujAyuQekbaV86xzIBOj7vZdfHZ6ee30TZ2FKiMyg
+7/N2OqW0w77ChsjB4MSHJCfuTgIeg62GzuZXLM+Q2Z9LBdtm4Byg+sm/P52adOEg
+gVb2Zf4KSvsAmA0PIBlu449/QXUFcMxzLFy7mwTeZj2B4Ln0Hm0szV9f9R8MwMtB
+SyLYxVH+mgqaR6Jkk22Q/yYyLPaELfafX5gp/AIXG8n0zxfVaTvK3auSgb1Q6ZLS
+5QH9dSIsmZHlPq7GoSXmKpMdjUL8eaky/IMteioyXgsBiATzl5L2dsw6MTX3MDF0
+QbDK+MzhmbKfDxs=
+-----END X509 CRL-----`
+	client1Crt = `-----BEGIN CERTIFICATE-----
+MIIEITCCAgmgAwIBAgIRAIppZHoj1hM80D7WzTEKLuAwDQYJKoZIhvcNAQELBQAw
+EzERMA8GA1UEAxMIQ2VydEF1dGgwHhcNMjEwMTAyMjEyMzEwWhcNMjIwNzAyMjEz
+MDUxWjASMRAwDgYDVQQDEwdjbGllbnQxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAoKbYY9MdF2kF/nhBESIiZTdVYtA8XL9xrIZyDj9EnCiTxHiVbJtH
+XVwszqSl5TRrotPmnmAQcX3r8OCk+z+RQZ0QQj257P3kG6q4rNnOcWCS5xEd20jP
+yhQ3m+hMGfZsotNTQze1ochuQgLUN6IPyPxZkH22ia3jX4iu1eo/QxeLYHj1UHw4
+3Cii9yE+j5kPUC21xmnrGKdUrB55NYLXHx6yTIqYR5znSOVB8oJi18/hwdZmH859
+DHhm0Hx1HrS+jbjI3+CMorZJ3WUyNf+CkiVLD3xYutPbxzEpwiqkG/XYzLH0habT
+cDcILo18n+o3jvem2KWBrDhyairjIDscwQIDAQABo3EwbzAOBgNVHQ8BAf8EBAMC
+A7gwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBSJ5GIv
+zIrE4ZSQt2+CGblKTDswizAfBgNVHSMEGDAWgBTtcgjQBq/80EySIvJcN8OTorgb
+zDANBgkqhkiG9w0BAQsFAAOCAgEALh4f5GhvNYNou0Ab04iQBbLEdOu2RlbK1B5n
+K9P/umYenBHMY/z6HT3+6tpcHsDuqE8UVdq3f3Gh4S2Gu9m8PRitT+cJ3gdo9Plm
+3rD4ufn/s6rGg3ppydXcedm17492tbccUDWOBZw3IO/ASVq13WPgT0/Kev7cPq0k
+sSdSNhVeXqx8Myc2/d+8GYyzbul2Kpfa7h9i24sK49E9ftnSmsIvngONo08eT1T0
+3wAOyK2981LIsHaAWcneShKFLDB6LeXIT9oitOYhiykhFlBZ4M1GNlSNfhQ8IIQP
+xbqMNXCLkW4/BtLhGEEcg0QVso6Kudl9rzgTfQknrdF7pHp6rS46wYUjoSyIY6dl
+oLmnoAVJX36J3QPWelePI9e07X2wrTfiZWewwgw3KNRWjd6/zfPLe7GoqXnK1S2z
+PT8qMfCaTwKTtUkzXuTFvQ8bAo2My/mS8FOcpkt2oQWeOsADHAUX7fz5BCoa2DL3
+k/7Mh4gVT+JYZEoTwCFuYHgMWFWe98naqHi9lB4yR981p1QgXgxO7qBeipagKY1F
+LlH1iwXUqZ3MZnkNA+4e1Fglsw3sa/rC+L98HnznJ/YbTfQbCP6aQ1qcOymrjMud
+7MrFwqZjtd/SK4Qx1VpK6jGEAtPgWBTUS3p9ayg6lqjMBjsmySWfvRsDQbq6P5Ct
+O/e3EH8=
+-----END CERTIFICATE-----`
+	client1Key = `-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAoKbYY9MdF2kF/nhBESIiZTdVYtA8XL9xrIZyDj9EnCiTxHiV
+bJtHXVwszqSl5TRrotPmnmAQcX3r8OCk+z+RQZ0QQj257P3kG6q4rNnOcWCS5xEd
+20jPyhQ3m+hMGfZsotNTQze1ochuQgLUN6IPyPxZkH22ia3jX4iu1eo/QxeLYHj1
+UHw43Cii9yE+j5kPUC21xmnrGKdUrB55NYLXHx6yTIqYR5znSOVB8oJi18/hwdZm
+H859DHhm0Hx1HrS+jbjI3+CMorZJ3WUyNf+CkiVLD3xYutPbxzEpwiqkG/XYzLH0
+habTcDcILo18n+o3jvem2KWBrDhyairjIDscwQIDAQABAoIBAEBSjVFqtbsp0byR
+aXvyrtLX1Ng7h++at2jca85Ihq//jyqbHTje8zPuNAKI6eNbmb0YGr5OuEa4pD9N
+ssDmMsKSoG/lRwwcm7h4InkSvBWpFShvMgUaohfHAHzsBYxfnh+TfULsi0y7c2n6
+t/2OZcOTRkkUDIITnXYiw93ibHHv2Mv2bBDu35kGrcK+c2dN5IL5ZjTjMRpbJTe2
+44RBJbdTxHBVSgoGBnugF+s2aEma6Ehsj70oyfoVpM6Aed5kGge0A5zA1JO7WCn9
+Ay/DzlULRXHjJIoRWd2NKvx5n3FNppUc9vJh2plRHalRooZ2+MjSf8HmXlvG2Hpb
+ScvmWgECgYEA1G+A/2KnxWsr/7uWIJ7ClcGCiNLdk17Pv3DZ3G4qUsU2ITftfIbb
+tU0Q/b19na1IY8Pjy9ptP7t74/hF5kky97cf1FA8F+nMj/k4+wO8QDI8OJfzVzh9
+PwielA5vbE+xmvis5Hdp8/od1Yrc/rPSy2TKtPFhvsqXjqoUmOAjDP8CgYEAwZjH
+9dt1sc2lx/rMxihlWEzQ3JPswKW9/LJAmbRBoSWF9FGNjbX7uhWtXRKJkzb8ZAwa
+88azluNo2oftbDD/+jw8b2cDgaJHlLAkSD4O1D1RthW7/LKD15qZ/oFsRb13NV85
+ZNKtwslXGbfVNyGKUVFm7fVA8vBAOUey+LKDFj8CgYEAg8WWstOzVdYguMTXXuyb
+ruEV42FJaDyLiSirOvxq7GTAKuLSQUg1yMRBIeQEo2X1XU0JZE3dLodRVhuO4EXP
+g7Dn4X7Th9HSvgvNuIacowWGLWSz4Qp9RjhGhXhezUSx2nseY6le46PmFavJYYSR
+4PBofMyt4PcyA6Cknh+KHmkCgYEAnTriG7ETE0a7v4DXUpB4TpCEiMCy5Xs2o8Z5
+ZNva+W+qLVUWq+MDAIyechqeFSvxK6gRM69LJ96lx+XhU58wJiFJzAhT9rK/g+jS
+bsHH9WOfu0xHkuHA5hgvvV2Le9B2wqgFyva4HJy82qxMxCu/VG/SMqyfBS9OWbb7
+ibQhdq0CgYAl53LUWZsFSZIth1vux2LVOsI8C3X1oiXDGpnrdlQ+K7z57hq5EsRq
+GC+INxwXbvKNqp5h0z2MvmKYPDlGVTgw8f8JjM7TkN17ERLcydhdRrMONUryZpo8
+1xTob+8blyJgfxZUIAKbMbMbIiU0WAF0rfD/eJJwS4htOW/Hfv4TGA==
+-----END RSA PRIVATE KEY-----`
+	// client 2 crt is revoked
+	client2Crt = `-----BEGIN CERTIFICATE-----
+MIIEITCCAgmgAwIBAgIRAL6XTgNsdYzILd8bT2RVd/4wDQYJKoZIhvcNAQELBQAw
+EzERMA8GA1UEAxMIQ2VydEF1dGgwHhcNMjEwMTAyMjEyMzIwWhcNMjIwNzAyMjEz
+MDUxWjASMRAwDgYDVQQDEwdjbGllbnQyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEA6xjW5KQR3/OFQtV5M75WINqQ4AzXSu6DhSz/yumaaQZP/UxY+6hi
+jcrFzGo9MMie/Sza8DhkXOFAl2BelUubrOeB2cl+/Gr8OCyRi2Gv6j3zCsuN/4jQ
+tNaoez/IbkDvI3l/ZpzBtnuNY2RiemGgHuORXHRVf3qVlsw+npBIRW5rM2HkO/xG
+oZjeBErWVu390Lyn+Gvk2TqQDnkutWnxUC60/zPlHhXZ4BwaFAekbSnjsSDB1YFM
+s8HwW4oBryoxdj3/+/qLrBHt75IdLw3T7/V1UDJQM3EvSQOr12w4egpldhtsC871
+nnBQZeY6qA5feffIwwg/6lJm70o6S6OX6wIDAQABo3EwbzAOBgNVHQ8BAf8EBAMC
+A7gwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBTB84v5
+t9HqhLhMODbn6oYkEQt3KzAfBgNVHSMEGDAWgBTtcgjQBq/80EySIvJcN8OTorgb
+zDANBgkqhkiG9w0BAQsFAAOCAgEALGtBCve5k8tToL3oLuXp/oSik6ovIB/zq4I/
+4zNMYPU31+ZWz6aahysgx1JL1yqTa3Qm8o2tu52MbnV10dM7CIw7c/cYa+c+OPcG
+5LF97kp13X+r2axy+CmwM86b4ILaDGs2Qyai6VB6k7oFUve+av5o7aUrNFpqGCJz
+HWdtHZSVA3JMATzy0TfWanwkzreqfdw7qH0yZ9bDURlBKAVWrqnCstva9jRuv+AI
+eqxr/4Ro986TFjJdoAP3Vr16CPg7/B6GA/KmsBWJrpeJdPWq4i2gpLKvYZoy89qD
+mUZf34RbzcCtV4NvV1DadGnt4us0nvLrvS5rL2+2uWD09kZYq9RbLkvgzF/cY0fz
+i7I1bi5XQ+alWe0uAk5ZZL/D+GTRYUX1AWwCqwJxmHrMxcskMyO9pXvLyuSWRDLo
+YNBrbX9nLcfJzVCp+X+9sntTHjs4l6Cw+fLepJIgtgqdCHtbhTiv68vSM6cgb4br
+6n2xrXRKuioiWFOrTSRr+oalZh8dGJ/xvwY8IbWknZAvml9mf1VvfE7Ma5P777QM
+fsbYVTq0Y3R/5hIWsC3HA5z6MIM8L1oRe/YyhP3CTmrCHkVKyDOosGXpGz+JVcyo
+cfYkY5A3yFKB2HaCwZSfwFmRhxkrYWGEbHv3Cd9YkZs1J3hNhGFZyVMC9Uh0S85a
+6zdDidU=
+-----END CERTIFICATE-----`
+	client2Key = `-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA6xjW5KQR3/OFQtV5M75WINqQ4AzXSu6DhSz/yumaaQZP/UxY
+6hijcrFzGo9MMie/Sza8DhkXOFAl2BelUubrOeB2cl+/Gr8OCyRi2Gv6j3zCsuN
+/4jQtNaoez/IbkDvI3l/ZpzBtnuNY2RiemGgHuORXHRVf3qVlsw+npBIRW5rM2Hk
+O/xGoZjeBErWVu390Lyn+Gvk2TqQDnkutWnxUC60/zPlHhXZ4BwaFAekbSnjsSDB
+1YFMs8HwW4oBryoxdj3/+/qLrBHt75IdLw3T7/V1UDJQM3EvSQOr12w4egpldhts
+C871nnBQZeY6qA5feffIwwg/6lJm70o6S6OX6wIDAQABAoIBAFatstVb1KdQXsq0
+cFpui8zTKOUiduJOrDkWzTygAmlEhYtrccdfXu7OWz0x0lvBLDVGK3a0I/TGrAzj
+4BuFY+FM/egxTVt9in6fmA3et4BS1OAfCryzUdfK6RV//8L+t+zJZ/qKQzWnugpy
+QYjDo8ifuMFwtvEoXizaIyBNLAhEp9hnrv+Tyi2O2gahPvCHsD48zkyZRCHYRstD
+NH5cIrwz9/RJgPO1KI+QsJE7Nh7stR0sbr+5TPU4fnsL2mNhMUF2TJrwIPrc1yp+
+YIUjdnh3SO88j4TQT3CIrWi8i4pOy6N0dcVn3gpCRGaqAKyS2ZYUj+yVtLO4KwxZ
+SZ1lNvECgYEA78BrF7f4ETfWSLcBQ3qxfLs7ibB6IYo2x25685FhZjD+zLXM1AKb
+FJHEXUm3mUYrFJK6AFEyOQnyGKBOLs3S6oTAswMPbTkkZeD1Y9O6uv0AHASLZnK6
+pC6ub0eSRF5LUyTQ55Jj8D7QsjXJueO8v+G5ihWhNSN9tB2UA+8NBmkCgYEA+weq
+cvoeMIEMBQHnNNLy35bwfqrceGyPIRBcUIvzQfY1vk7KW6DYOUzC7u+WUzy/hA52
+DjXVVhua2eMQ9qqtOav7djcMc2W9RbLowxvno7K5qiCss013MeWk64TCWy+WMp5A
+AVAtOliC3hMkIKqvR2poqn+IBTh1449agUJQqTMCgYEAu06IHGq1GraV6g9XpGF5
+wqoAlMzUTdnOfDabRilBf/YtSr+J++ThRcuwLvXFw7CnPZZ4TIEjDJ7xjj3HdxeE
+fYYjineMmNd40UNUU556F1ZLvJfsVKizmkuCKhwvcMx+asGrmA+tlmds4p3VMS50
+KzDtpKzLWlmU/p/RINWlRmkCgYBy0pHTn7aZZx2xWKqCDg+L2EXPGqZX6wgZDpu7
+OBifzlfM4ctL2CmvI/5yPmLbVgkgBWFYpKUdiujsyyEiQvWTUKhn7UwjqKDHtcsk
+G6p7xS+JswJrzX4885bZJ9Oi1AR2yM3sC9l0O7I4lDbNPmWIXBLeEhGMmcPKv/Kc
+91Ff4wKBgQCF3ur+Vt0PSU0ucrPVHjCe7tqazm0LJaWbPXL1Aw0pzdM2EcNcW/MA
+w0kqpr7MgJ94qhXCBcVcfPuFN9fBOadM3UBj1B45Cz3pptoK+ScI8XKno6jvVK/p
+xr5cb9VBRBtB9aOKVfuRhpatAfS2Pzm2Htae9lFn7slGPUmu2hkjDw==
+-----END RSA PRIVATE KEY-----`
+	testFileName       = "test_file_ftp.dat"
+	testDLFileName     = "test_download_ftp.dat"
+	tlsClient1Username = "client1"
+	tlsClient2Username = "client2"
 )

 var (
@@ -79,6 +232,8 @@ var (
 	preLoginPath    string
 	postConnectPath string
 	logFilePath     string
+	caCrtPath       string
+	caCRLPath       string
 )

 func TestMain(m *testing.M) {
@@ -116,14 +271,10 @@ func TestMain(m *testing.M) {

 	certPath := filepath.Join(os.TempDir(), "test_ftpd.crt")
 	keyPath := filepath.Join(os.TempDir(), "test_ftpd.key")
-	err = os.WriteFile(certPath, []byte(ftpsCert), os.ModePerm)
+	caCrtPath = filepath.Join(os.TempDir(), "test_ftpd_ca.crt")
+	caCRLPath = filepath.Join(os.TempDir(), "test_ftpd_crl.crt")
+	err = writeCerts(certPath, keyPath, caCrtPath, caCRLPath)
 	if err != nil {
-		logger.ErrorToConsole("error writing FTPS certificate: %v", err)
-		os.Exit(1)
-	}
-	err = os.WriteFile(keyPath, []byte(ftpsKey), os.ModePerm)
-	if err != nil {
-		logger.ErrorToConsole("error writing FTPS private key: %v", err)
 		os.Exit(1)
 	}

@@ -155,7 +306,8 @@ func TestMain(m *testing.M) {
 	ftpdConf := config.GetFTPDConfig()
 	ftpdConf.Bindings = []ftpd.Binding{
 		{
-			Port: 2121,
+			Port:           2121,
+			ClientAuthType: 2,
 		},
 	}
 	ftpdConf.PassivePortRange.Start = 0
@@ -163,6 +315,8 @@ func TestMain(m *testing.M) {
 	ftpdConf.BannerFile = bannerFileName
 	ftpdConf.CertificateFile = certPath
 	ftpdConf.CertificateKeyFile = keyPath
+	ftpdConf.CACertificates = []string{caCrtPath}
+	ftpdConf.CARevocationLists = []string{caCRLPath}
 	ftpdConf.EnableSite = true

 	// required to test sftpfs
@@ -222,6 +376,8 @@ func TestMain(m *testing.M) {
 	}
 	ftpdConf.CertificateFile = certPath
 	ftpdConf.CertificateKeyFile = keyPath
+	ftpdConf.CACertificates = []string{caCrtPath}
+	ftpdConf.CARevocationLists = []string{caCRLPath}
 	ftpdConf.EnableSite = false
 	ftpdConf.DisableActiveMode = true
 	ftpdConf.CombineSupport = 1
@@ -246,6 +402,8 @@ func TestMain(m *testing.M) {
 	os.Remove(postConnectPath)
 	os.Remove(certPath)
 	os.Remove(keyPath)
+	os.Remove(caCrtPath)
+	os.Remove(caCRLPath)
 	os.Remove(hostKeyPath)
 	os.Remove(hostKeyPath + ".pub")
 	os.Exit(exitCode)
@@ -293,6 +451,11 @@ func TestInitializationFailure(t *testing.T) {
 	ftpdConf.CARevocationLists = []string{""}
 	err = ftpdConf.Initialize(configDir)
 	require.Error(t, err)
+
+	ftpdConf.CACertificates = []string{caCrtPath}
+	ftpdConf.CARevocationLists = []string{caCRLPath}
+	err = ftpdConf.Initialize(configDir)
+	require.Error(t, err)
 }

 func TestBasicFTPHandling(t *testing.T) {
@@ -306,7 +469,7 @@ func TestBasicFTPHandling(t *testing.T) {
 	assert.NoError(t, err)

 	for _, user := range []dataprovider.User{localUser, sftpUser} {
-		client, err := getFTPClient(user, true)
+		client, err := getFTPClient(user, true, nil)
 		if assert.NoError(t, err) {
 			if user.Username == defaultUsername {
 				assert.Len(t, common.Connections.GetStats(), 1)
@@ -399,7 +562,7 @@ func TestLoginInvalidPwd(t *testing.T) {
 	user, _, err := httpdtest.AddUser(u, http.StatusCreated)
 	assert.NoError(t, err)
 	user.Password = "wrong"
-	_, err = getFTPClient(user, false)
+	_, err = getFTPClient(user, false, nil)
 	assert.Error(t, err)
 	_, err = httpdtest.RemoveUser(user, http.StatusOK)
 	assert.NoError(t, err)
@@ -407,7 +570,7 @@ func TestLoginInvalidPwd(t *testing.T) {

 func TestLoginNonExistentUser(t *testing.T) {
 	user := getTestUser()
-	_, err := getFTPClient(user, false)
+	_, err := getFTPClient(user, false, nil)
 	assert.Error(t, err)
 }

@@ -427,7 +590,7 @@ func TestLoginExternalAuth(t *testing.T) {
 	providerConf.ExternalAuthScope = 0
 	err = dataprovider.Initialize(providerConf, configDir, true)
 	assert.NoError(t, err)
-	client, err := getFTPClient(u, true)
+	client, err := getFTPClient(u, true, nil)
 	if assert.NoError(t, err) {
 		err = checkBasicFTP(client)
 		assert.NoError(t, err)
@@ -435,7 +598,7 @@ func TestLoginExternalAuth(t *testing.T) {
 		assert.NoError(t, err)
 	}
 	u.Username = defaultUsername + "1"
-	client, err = getFTPClient(u, true)
+	client, err = getFTPClient(u, true, nil)
 	if !assert.Error(t, err) {
 		err := client.Quit()
 		assert.NoError(t, err)
@@ -477,7 +640,7 @@ func TestPreLoginHook(t *testing.T) {
 	assert.NoError(t, err)
 	_, _, err = httpdtest.GetUserByUsername(defaultUsername, http.StatusNotFound)
 	assert.NoError(t, err)
-	client, err := getFTPClient(u, false)
+	client, err := getFTPClient(u, false, nil)
 	if assert.NoError(t, err) {
 		err = checkBasicFTP(client)
 		assert.NoError(t, err)
@@ -489,7 +652,7 @@ func TestPreLoginHook(t *testing.T) {
 	assert.NoError(t, err)

 	// test login with an existing user
-	client, err = getFTPClient(user, true)
+	client, err = getFTPClient(user, true, nil)
 	if assert.NoError(t, err) {
 		err = checkBasicFTP(client)
 		assert.NoError(t, err)
@@ -499,7 +662,7 @@ func TestPreLoginHook(t *testing.T) {

 	err = os.WriteFile(preLoginPath, getPreLoginScriptContent(user, true), os.ModePerm)
 	assert.NoError(t, err)
-	client, err = getFTPClient(u, false)
+	client, err = getFTPClient(u, false, nil)
 	if !assert.Error(t, err) {
 		err := client.Quit()
 		assert.NoError(t, err)
@@ -507,7 +670,7 @@ func TestPreLoginHook(t *testing.T) {
 	user.Status = 0
 	err = os.WriteFile(preLoginPath, getPreLoginScriptContent(user, false), os.ModePerm)
 	assert.NoError(t, err)
-	client, err = getFTPClient(u, false)
+	client, err = getFTPClient(u, false, nil)
 	if !assert.Error(t, err, "pre-login script returned a disabled user, login must fail") {
 		err := client.Quit()
 		assert.NoError(t, err)
@@ -539,7 +702,7 @@ func TestPostConnectHook(t *testing.T) {
 	assert.NoError(t, err)
 	err = os.WriteFile(postConnectPath, getPostConnectScriptContent(0), os.ModePerm)
 	assert.NoError(t, err)
-	client, err := getFTPClient(user, true)
+	client, err := getFTPClient(user, true, nil)
 	if assert.NoError(t, err) {
 		err = checkBasicFTP(client)
 		assert.NoError(t, err)
@@ -548,7 +711,7 @@ func TestPostConnectHook(t *testing.T) {
 	}
 	err = os.WriteFile(postConnectPath, getPostConnectScriptContent(1), os.ModePerm)
 	assert.NoError(t, err)
-	client, err = getFTPClient(user, true)
+	client, err = getFTPClient(user, true, nil)
 	if !assert.Error(t, err) {
 		err := client.Quit()
 		assert.NoError(t, err)
@@ -556,7 +719,7 @@ func TestPostConnectHook(t *testing.T) {

 	common.Config.PostConnectHook = "http://127.0.0.1:8079/healthz"

-	client, err = getFTPClient(user, false)
+	client, err = getFTPClient(user, false, nil)
 	if assert.NoError(t, err) {
 		err = checkBasicFTP(client)
 		assert.NoError(t, err)
@@ -566,7 +729,7 @@ func TestPostConnectHook(t *testing.T) {

 	common.Config.PostConnectHook = "http://127.0.0.1:8079/notfound"

-	client, err = getFTPClient(user, true)
+	client, err = getFTPClient(user, true, nil)
 	if !assert.Error(t, err) {
 		err := client.Quit()
 		assert.NoError(t, err)
@@ -586,11 +749,11 @@ func TestMaxConnections(t *testing.T) {

 	user, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)
 	assert.NoError(t, err)
-	client, err := getFTPClient(user, true)
+	client, err := getFTPClient(user, true, nil)
 	if assert.NoError(t, err) {
 		err = checkBasicFTP(client)
 		assert.NoError(t, err)
-		_, err = getFTPClient(user, false)
+		_, err = getFTPClient(user, false, nil)
 		assert.Error(t, err)
 		err = client.Quit()
 		assert.NoError(t, err)
@@ -615,7 +778,7 @@ func TestDefender(t *testing.T) {

 	user, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)
 	assert.NoError(t, err)
-	client, err := getFTPClient(user, false)
+	client, err := getFTPClient(user, false, nil)
 	if assert.NoError(t, err) {
 		err = checkBasicFTP(client)
 		assert.NoError(t, err)
@@ -625,12 +788,12 @@ func TestDefender(t *testing.T) {

 	for i := 0; i < 3; i++ {
 		user.Password = "wrong_pwd"
-		_, err = getFTPClient(user, false)
+		_, err = getFTPClient(user, false, nil)
 		assert.Error(t, err)
 	}

 	user.Password = defaultPassword
-	_, err = getFTPClient(user, false)
+	_, err = getFTPClient(user, false, nil)
 	if assert.Error(t, err) {
 		assert.Contains(t, err.Error(), "Access denied, banned client IP")
 	}
@@ -649,11 +812,11 @@ func TestMaxSessions(t *testing.T) {
 	u.MaxSessions = 1
 	user, _, err := httpdtest.AddUser(u, http.StatusCreated)
 	assert.NoError(t, err)
-	client, err := getFTPClient(user, true)
+	client, err := getFTPClient(user, true, nil)
 	if assert.NoError(t, err) {
 		err = checkBasicFTP(client)
 		assert.NoError(t, err)
-		_, err = getFTPClient(user, false)
+		_, err = getFTPClient(user, false, nil)
 		assert.Error(t, err)
 		err = client.Quit()
 		assert.NoError(t, err)
@@ -669,7 +832,7 @@ func TestZeroBytesTransfers(t *testing.T) {
 	user, _, err := httpdtest.AddUser(u, http.StatusCreated)
 	assert.NoError(t, err)
 	for _, useTLS := range []bool{true, false} {
-		client, err := getFTPClient(user, useTLS)
+		client, err := getFTPClient(user, useTLS, nil)
 		if assert.NoError(t, err) {
 			testFileName := "testfilename"
 			err = checkBasicFTP(client)
@@ -724,7 +887,7 @@ func TestDownloadErrors(t *testing.T) {
 	}
 	user, _, err := httpdtest.AddUser(u, http.StatusCreated)
 	assert.NoError(t, err)
-	client, err := getFTPClient(user, true)
+	client, err := getFTPClient(user, true, nil)
 	if assert.NoError(t, err) {
 		testFilePath1 := filepath.Join(user.HomeDir, subDir1, "file.zip")
 		testFilePath2 := filepath.Join(user.HomeDir, subDir2, "file.zip")
@@ -776,7 +939,7 @@ func TestUploadErrors(t *testing.T) {
 	}
 	user, _, err := httpdtest.AddUser(u, http.StatusCreated)
 	assert.NoError(t, err)
-	client, err := getFTPClient(user, true)
+	client, err := getFTPClient(user, true, nil)
 	if assert.NoError(t, err) {
 		testFilePath := filepath.Join(homeBasePath, testFileName)
 		testFileSize := user.QuotaSize
@@ -831,7 +994,7 @@ func TestResume(t *testing.T) {
 	sftpUser, _, err := httpdtest.AddUser(getTestSFTPUser(), http.StatusCreated)
 	assert.NoError(t, err)
 	for _, user := range []dataprovider.User{localUser, sftpUser} {
-		client, err := getFTPClient(user, true)
+		client, err := getFTPClient(user, true, nil)
 		if assert.NoError(t, err) {
 			testFilePath := filepath.Join(homeBasePath, testFileName)
 			data := []byte("test data")
@@ -897,12 +1060,12 @@ func TestDeniedLoginMethod(t *testing.T) {
 	u.Filters.DeniedLoginMethods = []string{dataprovider.LoginMethodPassword}
 	user, _, err := httpdtest.AddUser(u, http.StatusCreated)
 	assert.NoError(t, err)
-	_, err = getFTPClient(user, false)
+	_, err = getFTPClient(user, false, nil)
 	assert.Error(t, err)
 	user.Filters.DeniedLoginMethods = []string{dataprovider.SSHLoginMethodPublicKey, dataprovider.SSHLoginMethodKeyAndPassword}
 	user, _, err = httpdtest.UpdateUser(user, http.StatusOK, "")
 	assert.NoError(t, err)
-	client, err := getFTPClient(user, true)
+	client, err := getFTPClient(user, true, nil)
 	if assert.NoError(t, err) {
 		assert.NoError(t, checkBasicFTP(client))
 		err = client.Quit()
@@ -920,12 +1083,12 @@ func TestDeniedProtocols(t *testing.T) {
 	u.Filters.DeniedProtocols = []string{common.ProtocolFTP}
 	user, _, err := httpdtest.AddUser(u, http.StatusCreated)
 	assert.NoError(t, err)
-	_, err = getFTPClient(user, false)
+	_, err = getFTPClient(user, false, nil)
 	assert.Error(t, err)
 	user.Filters.DeniedProtocols = []string{common.ProtocolSSH, common.ProtocolWebDAV}
 	user, _, err = httpdtest.UpdateUser(user, http.StatusOK, "")
 	assert.NoError(t, err)
-	client, err := getFTPClient(user, true)
+	client, err := getFTPClient(user, true, nil)
 	if assert.NoError(t, err) {
 		assert.NoError(t, checkBasicFTP(client))
 		err = client.Quit()
@@ -962,7 +1125,7 @@ func TestQuotaLimits(t *testing.T) {
 		err = createTestFile(testFilePath2, testFileSize2)
 		assert.NoError(t, err)
 		// test quota files
-		client, err := getFTPClient(user, false)
+		client, err := getFTPClient(user, false, nil)
 		if assert.NoError(t, err) {
 			err = ftpUploadFile(testFilePath, testFileName+".quota", testFileSize, client, 0)
 			assert.NoError(t, err)
@@ -978,7 +1141,7 @@ func TestQuotaLimits(t *testing.T) {
 		user.QuotaFiles = 0
 		user, _, err = httpdtest.UpdateUser(user, http.StatusOK, "")
 		assert.NoError(t, err)
-		client, err = getFTPClient(user, true)
+		client, err = getFTPClient(user, true, nil)
 		if assert.NoError(t, err) {
 			err = ftpUploadFile(testFilePath, testFileName+".quota", testFileSize, client, 0)
 			assert.Error(t, err)
@@ -992,7 +1155,7 @@ func TestQuotaLimits(t *testing.T) {
 		user.QuotaFiles = 0
 		user, _, err = httpdtest.UpdateUser(user, http.StatusOK, "")
 		assert.NoError(t, err)
-		client, err = getFTPClient(user, false)
+		client, err = getFTPClient(user, false, nil)
 		if assert.NoError(t, err) {
 			err = ftpUploadFile(testFilePath1, testFileName1, testFileSize1, client, 0)
 			assert.Error(t, err)
@@ -1057,7 +1220,7 @@ func TestUploadMaxSize(t *testing.T) {
 		testFilePath1 := filepath.Join(homeBasePath, testFileName1)
 		err = createTestFile(testFilePath1, testFileSize1)
 		assert.NoError(t, err)
-		client, err := getFTPClient(user, false)
+		client, err := getFTPClient(user, false, nil)
 		if assert.NoError(t, err) {
 			err = ftpUploadFile(testFilePath1, testFileName1, testFileSize1, client, 0)
 			assert.Error(t, err)
@@ -1097,7 +1260,7 @@ func TestLoginWithIPilters(t *testing.T) {
 	u.Filters.AllowedIP = []string{"172.19.0.0/16"}
 	user, _, err := httpdtest.AddUser(u, http.StatusCreated)
 	assert.NoError(t, err)
-	client, err := getFTPClient(user, true)
+	client, err := getFTPClient(user, true, nil)
 	if !assert.Error(t, err) {
 		err = client.Quit()
 		assert.NoError(t, err)
@@ -1141,7 +1304,7 @@ func TestLoginWithDatabaseCredentials(t *testing.T) {

 	assert.NoFileExists(t, credentialsFile)

-	client, err := getFTPClient(user, false)
+	client, err := getFTPClient(user, false, nil)
 	if assert.NoError(t, err) {
 		err = client.Quit()
 		assert.NoError(t, err)
@@ -1176,7 +1339,7 @@ func TestLoginInvalidFs(t *testing.T) {
 	err = os.Remove(credentialsFile)
 	assert.NoError(t, err)

-	client, err := getFTPClient(user, false)
+	client, err := getFTPClient(user, false, nil)
 	if !assert.Error(t, err) {
 		err = client.Quit()
 		assert.NoError(t, err)
@@ -1191,7 +1354,7 @@ func TestClientClose(t *testing.T) {
 	u := getTestUser()
 	user, _, err := httpdtest.AddUser(u, http.StatusCreated)
 	assert.NoError(t, err)
-	client, err := getFTPClient(user, true)
+	client, err := getFTPClient(user, true, nil)
 	if assert.NoError(t, err) {
 		err = checkBasicFTP(client)
 		assert.NoError(t, err)
@@ -1220,7 +1383,7 @@ func TestRename(t *testing.T) {
 		testFileSize := int64(65535)
 		err = createTestFile(testFilePath, testFileSize)
 		assert.NoError(t, err)
-		client, err := getFTPClient(user, false)
+		client, err := getFTPClient(user, false, nil)
 		if assert.NoError(t, err) {
 			err = checkBasicFTP(client)
 			assert.NoError(t, err)
@@ -1259,7 +1422,7 @@ func TestRename(t *testing.T) {
 		user.Permissions[path.Join("/", testDir)] = []string{dataprovider.PermListItems}
 		user, _, err = httpdtest.UpdateUser(user, http.StatusOK, "")
 		assert.NoError(t, err)
-		client, err = getFTPClient(user, false)
+		client, err = getFTPClient(user, false, nil)
 		if assert.NoError(t, err) {
 			err = client.Rename(path.Join(testDir, testFileName), testFileName)
 			assert.Error(t, err)
@@ -1297,7 +1460,7 @@ func TestSymlink(t *testing.T) {
 	for _, user := range []dataprovider.User{localUser, sftpUser} {
 		err = createTestFile(testFilePath, testFileSize)
 		assert.NoError(t, err)
-		client, err := getFTPClient(user, false)
+		client, err := getFTPClient(user, false, nil)
 		if assert.NoError(t, err) {
 			err = checkBasicFTP(client)
 			assert.NoError(t, err)
@@ -1354,7 +1517,7 @@ func TestStat(t *testing.T) {
 	assert.NoError(t, err)

 	for _, user := range []dataprovider.User{localUser, sftpUser} {
-		client, err := getFTPClient(user, false)
+		client, err := getFTPClient(user, false, nil)
 		if assert.NoError(t, err) {
 			subDir := "subdir"
 			testFilePath := filepath.Join(homeBasePath, testFileName)
@@ -1412,7 +1575,7 @@ func TestUploadOverwriteVfolder(t *testing.T) {
 	assert.NoError(t, err)
 	user, _, err := httpdtest.AddUser(u, http.StatusCreated)
 	assert.NoError(t, err)
-	client, err := getFTPClient(user, false)
+	client, err := getFTPClient(user, false, nil)
 	if assert.NoError(t, err) {
 		testFilePath := filepath.Join(homeBasePath, testFileName)
 		testFileSize := int64(65535)
@@ -1461,7 +1624,7 @@ func TestAllocateAvailable(t *testing.T) {
 	assert.NoError(t, err)
 	user, _, err := httpdtest.AddUser(u, http.StatusCreated)
 	assert.NoError(t, err)
-	client, err := getFTPClient(user, false)
+	client, err := getFTPClient(user, false, nil)
 	if assert.NoError(t, err) {
 		code, response, err := client.SendCustomCommand("allo 2000000")
 		assert.NoError(t, err)
@@ -1483,7 +1646,7 @@ func TestAllocateAvailable(t *testing.T) {
 	user.QuotaSize = 100
 	user, _, err = httpdtest.UpdateUser(user, http.StatusOK, "")
 	assert.NoError(t, err)
-	client, err = getFTPClient(user, false)
+	client, err = getFTPClient(user, false, nil)
 	if assert.NoError(t, err) {
 		testFilePath := filepath.Join(homeBasePath, testFileName)
 		testFileSize := user.QuotaSize - 1
@@ -1532,7 +1695,7 @@ func TestAllocateAvailable(t *testing.T) {
 	user.QuotaSize = 0
 	user, _, err = httpdtest.UpdateUser(user, http.StatusOK, "")
 	assert.NoError(t, err)
-	client, err = getFTPClient(user, false)
+	client, err = getFTPClient(user, false, nil)
 	if assert.NoError(t, err) {
 		code, response, err := client.SendCustomCommand("allo 99")
 		assert.NoError(t, err)
@@ -1555,7 +1718,7 @@ func TestAllocateAvailable(t *testing.T) {
 	user.QuotaSize = 50
 	user, _, err = httpdtest.UpdateUser(user, http.StatusOK, "")
 	assert.NoError(t, err)
-	client, err = getFTPClient(user, false)
+	client, err = getFTPClient(user, false, nil)
 	if assert.NoError(t, err) {
 		code, response, err := client.SendCustomCommand("AVBL")
 		assert.NoError(t, err)
@@ -1567,7 +1730,7 @@ func TestAllocateAvailable(t *testing.T) {
 	user.Filters.MaxUploadFileSize = 1
 	user, _, err = httpdtest.UpdateUser(user, http.StatusOK, "")
 	assert.NoError(t, err)
-	client, err = getFTPClient(user, false)
+	client, err = getFTPClient(user, false, nil)
 	if assert.NoError(t, err) {
 		code, response, err := client.SendCustomCommand("AVBL")
 		assert.NoError(t, err)
@@ -1591,7 +1754,7 @@ func TestAvailableSFTPFs(t *testing.T) {
 	assert.NoError(t, err)
 	sftpUser, _, err := httpdtest.AddUser(getTestSFTPUser(), http.StatusCreated)
 	assert.NoError(t, err)
-	client, err := getFTPClient(sftpUser, false)
+	client, err := getFTPClient(sftpUser, false, nil)
 	if assert.NoError(t, err) {
 		code, response, err := client.SendCustomCommand("AVBL /")
 		assert.NoError(t, err)
@@ -1619,7 +1782,7 @@ func TestChtimes(t *testing.T) {
 	assert.NoError(t, err)

 	for _, user := range []dataprovider.User{localUser, sftpUser} {
-		client, err := getFTPClient(user, false)
+		client, err := getFTPClient(user, false, nil)
 		if assert.NoError(t, err) {
 			testFilePath := filepath.Join(homeBasePath, testFileName)
 			testFileSize := int64(65535)
@@ -1660,7 +1823,7 @@ func TestChown(t *testing.T) {
 	}
 	user, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated)
 	assert.NoError(t, err)
-	client, err := getFTPClient(user, true)
+	client, err := getFTPClient(user, true, nil)
 	if assert.NoError(t, err) {
 		testFilePath := filepath.Join(homeBasePath, testFileName)
 		testFileSize := int64(131072)
@@ -1697,7 +1860,7 @@ func TestChmod(t *testing.T) {
 	sftpUser, _, err := httpdtest.AddUser(getTestSFTPUser(), http.StatusCreated)
 	assert.NoError(t, err)
 	for _, user := range []dataprovider.User{localUser, sftpUser} {
-		client, err := getFTPClient(user, true)
+		client, err := getFTPClient(user, true, nil)
 		if assert.NoError(t, err) {
 			testFilePath := filepath.Join(homeBasePath, testFileName)
 			testFileSize := int64(131072)
@@ -1743,7 +1906,7 @@ func TestCombineDisabled(t *testing.T) {
 	sftpUser, _, err := httpdtest.AddUser(getTestSFTPUser(), http.StatusCreated)
 	assert.NoError(t, err)
 	for _, user := range []dataprovider.User{localUser, sftpUser} {
-		client, err := getFTPClient(user, true)
+		client, err := getFTPClient(user, true, nil)
 		if assert.NoError(t, err) {
 			err = checkBasicFTP(client)
 			assert.NoError(t, err)
@@ -1788,7 +1951,7 @@ func TestActiveModeDisabled(t *testing.T) {
 		assert.NoError(t, err)
 	}

-	client, err = getFTPClient(user, false)
+	client, err = getFTPClient(user, false, nil)
 	if assert.NoError(t, err) {
 		code, response, err := client.SendCustomCommand("PORT 10,2,0,2,4,31")
 		assert.NoError(t, err)
@@ -1948,6 +2111,300 @@ func TestCombine(t *testing.T) {
 	assert.NoError(t, err)
 }

+func TestClientCertificateAuthRevokedCert(t *testing.T) {
+	u := getTestUser()
+	u.Username = tlsClient2Username
+	u.Filters.TLSUsername = dataprovider.TLSUsernameCN
+	user, _, err := httpdtest.AddUser(u, http.StatusCreated)
+	assert.NoError(t, err)
+	tlsConfig := &tls.Config{
+		ServerName:         "localhost",
+		InsecureSkipVerify: true, // use this for tests only
+		MinVersion:         tls.VersionTLS12,
+	}
+	tlsCert, err := tls.X509KeyPair([]byte(client2Crt), []byte(client2Key))
+	assert.NoError(t, err)
+	tlsConfig.Certificates = append(tlsConfig.Certificates, tlsCert)
+	_, err = getFTPClient(user, true, tlsConfig)
+	if assert.Error(t, err) {
+		assert.Contains(t, err.Error(), "bad certificate")
+	}
+
+	_, err = httpdtest.RemoveUser(user, http.StatusOK)
+	assert.NoError(t, err)
+	err = os.RemoveAll(user.GetHomeDir())
+	assert.NoError(t, err)
+}
+
+func TestClientCertificateAuth(t *testing.T) {
+	u := getTestUser()
+	u.Username = tlsClient1Username
+	u.Filters.DeniedLoginMethods = []string{dataprovider.LoginMethodPassword}
+	user, _, err := httpdtest.AddUser(u, http.StatusCreated)
+	assert.NoError(t, err)
+	tlsConfig := &tls.Config{
+		ServerName:         "localhost",
+		InsecureSkipVerify: true, // use this for tests only
+		MinVersion:         tls.VersionTLS12,
+	}
+	tlsCert, err := tls.X509KeyPair([]byte(client1Crt), []byte(client1Key))
+	assert.NoError(t, err)
+	tlsConfig.Certificates = append(tlsConfig.Certificates, tlsCert)
+	// TLS username is not enabled, mutual TLS should fail
+	_, err = getFTPClient(user, true, tlsConfig)
+	if assert.Error(t, err) {
+		assert.Contains(t, err.Error(), "Login method password is not allowed")
+	}
+
+	user.Filters.TLSUsername = dataprovider.TLSUsernameCN
+	user, _, err = httpdtest.UpdateUser(user, http.StatusOK, "")
+	assert.NoError(t, err)
+	client, err := getFTPClient(user, true, tlsConfig)
+	if assert.NoError(t, err) {
+		err = checkBasicFTP(client)
+		assert.NoError(t, err)
+		err = client.Quit()
+		assert.NoError(t, err)
+	}
+
+	// now use a valid certificate with a CN different from username
+	u = getTestUser()
+	u.Username = tlsClient2Username
+	u.Filters.TLSUsername = dataprovider.TLSUsernameCN
+	u.Filters.DeniedLoginMethods = []string{dataprovider.LoginMethodPassword}
+	user2, _, err := httpdtest.AddUser(u, http.StatusCreated)
+	assert.NoError(t, err)
+	_, err = getFTPClient(user2, true, tlsConfig)
+	if assert.Error(t, err) {
+		assert.Contains(t, err.Error(), "does not match username")
+	}
+
+	// now disable certificate authentication
+	user.Filters.DeniedLoginMethods = append(user.Filters.DeniedLoginMethods, dataprovider.LoginMethodTLSCertificate,
+		dataprovider.LoginMethodTLSCertificateAndPwd)
+	user, _, err = httpdtest.UpdateUser(user, http.StatusOK, "")
+	assert.NoError(t, err)
+	_, err = getFTPClient(user, true, tlsConfig)
+	if assert.Error(t, err) {
+		assert.Contains(t, err.Error(), "Login method TLSCertificate+password is not allowed")
+	}
+
+	// disable FTP protocol
+	user.Filters.DeniedLoginMethods = []string{dataprovider.LoginMethodPassword}
+	user.Filters.DeniedProtocols = append(user.Filters.DeniedProtocols, common.ProtocolFTP)
+	user, _, err = httpdtest.UpdateUser(user, http.StatusOK, "")
+	assert.NoError(t, err)
+	_, err = getFTPClient(user, true, tlsConfig)
+	if assert.Error(t, err) {
+		assert.Contains(t, err.Error(), "Protocol FTP is not allowed")
+	}
+
+	_, err = httpdtest.RemoveUser(user, http.StatusOK)
+	assert.NoError(t, err)
+	err = os.RemoveAll(user.GetHomeDir())
+	assert.NoError(t, err)
+
+	_, err = httpdtest.RemoveUser(user2, http.StatusOK)
+	assert.NoError(t, err)
+	err = os.RemoveAll(user2.GetHomeDir())
+	assert.NoError(t, err)
+
+	_, err = getFTPClient(user, true, tlsConfig)
+	assert.Error(t, err)
+}
+
+func TestClientCertificateAndPwdAuth(t *testing.T) {
+	u := getTestUser()
+	u.Username = tlsClient1Username
+	u.Filters.TLSUsername = dataprovider.TLSUsernameCN
+	u.Filters.DeniedLoginMethods = []string{dataprovider.LoginMethodPassword, dataprovider.LoginMethodTLSCertificate}
+	user, _, err := httpdtest.AddUser(u, http.StatusCreated)
+	assert.NoError(t, err)
+	tlsConfig := &tls.Config{
+		ServerName:         "localhost",
+		InsecureSkipVerify: true, // use this for tests only
+		MinVersion:         tls.VersionTLS12,
+	}
+	tlsCert, err := tls.X509KeyPair([]byte(client1Crt), []byte(client1Key))
+	assert.NoError(t, err)
+	tlsConfig.Certificates = append(tlsConfig.Certificates, tlsCert)
+	client, err := getFTPClient(user, true, tlsConfig)
+	if assert.NoError(t, err) {
+		err = checkBasicFTP(client)
+		assert.NoError(t, err)
+		err = client.Quit()
+		assert.NoError(t, err)
+	}
+
+	_, err = getFTPClient(user, true, nil)
+	if assert.Error(t, err) {
+		assert.Contains(t, err.Error(), "Login method password is not allowed")
+	}
+	user.Password = defaultPassword + "1"
+	_, err = getFTPClient(user, true, tlsConfig)
+	if assert.Error(t, err) {
+		assert.Contains(t, err.Error(), "invalid credentials")
+	}
+
+	tlsCert, err = tls.X509KeyPair([]byte(client2Crt), []byte(client2Key))
+	assert.NoError(t, err)
+	tlsConfig.Certificates = []tls.Certificate{tlsCert}
+	_, err = getFTPClient(user, true, tlsConfig)
+	if assert.Error(t, err) {
+		assert.Contains(t, err.Error(), "bad certificate")
+	}
+
+	_, err = httpdtest.RemoveUser(user, http.StatusOK)
+	assert.NoError(t, err)
+	err = os.RemoveAll(user.GetHomeDir())
+	assert.NoError(t, err)
+}
+
+func TestExternatAuthWithClientCert(t *testing.T) {
+	if runtime.GOOS == osWindows {
+		t.Skip("this test is not available on Windows")
+	}
+	u := getTestUser()
+	u.Username = tlsClient1Username
+	u.Filters.DeniedLoginMethods = append(u.Filters.DeniedLoginMethods, dataprovider.LoginMethodPassword)
+	u.Filters.TLSUsername = dataprovider.TLSUsernameCN
+	err := dataprovider.Close()
+	assert.NoError(t, err)
+	err = config.LoadConfig(configDir, "")
+	assert.NoError(t, err)
+	providerConf := config.GetProviderConf()
+	err = os.WriteFile(extAuthPath, getExtAuthScriptContent(u, false, ""), os.ModePerm)
+	assert.NoError(t, err)
+	providerConf.ExternalAuthHook = extAuthPath
+	providerConf.ExternalAuthScope = 8
+	err = dataprovider.Initialize(providerConf, configDir, true)
+	assert.NoError(t, err)
+
+	// external auth not called, auth scope is 8
+	_, err = getFTPClient(u, true, nil)
+	assert.Error(t, err)
+	_, _, err = httpdtest.GetUserByUsername(u.Username, http.StatusNotFound)
+	assert.NoError(t, err)
+
+	tlsConfig := &tls.Config{
+		ServerName:         "localhost",
+		InsecureSkipVerify: true, // use this for tests only
+		MinVersion:         tls.VersionTLS12,
+	}
+	tlsCert, err := tls.X509KeyPair([]byte(client1Crt), []byte(client1Key))
+	assert.NoError(t, err)
+	tlsConfig.Certificates = append(tlsConfig.Certificates, tlsCert)
+	client, err := getFTPClient(u, true, tlsConfig)
+	if assert.NoError(t, err) {
+		err = checkBasicFTP(client)
+		assert.NoError(t, err)
+		err := client.Quit()
+		assert.NoError(t, err)
+	}
+
+	user, _, err := httpdtest.GetUserByUsername(u.Username, http.StatusOK)
+	assert.NoError(t, err)
+	assert.Equal(t, u.Username, user.Username)
+	_, err = httpdtest.RemoveUser(user, http.StatusOK)
+	assert.NoError(t, err)
+	err = os.RemoveAll(user.GetHomeDir())
+	assert.NoError(t, err)
+
+	u.Username = tlsClient2Username
+	_, err = getFTPClient(u, true, tlsConfig)
+	if assert.Error(t, err) {
+		assert.Contains(t, err.Error(), "invalid credentials")
+	}
+
+	err = dataprovider.Close()
+	assert.NoError(t, err)
+	err = config.LoadConfig(configDir, "")
+	assert.NoError(t, err)
+	providerConf = config.GetProviderConf()
+	err = dataprovider.Initialize(providerConf, configDir, true)
+	assert.NoError(t, err)
+	err = os.Remove(extAuthPath)
+	assert.NoError(t, err)
+}
+
+func TestPreLoginHookWithClientCert(t *testing.T) {
+	if runtime.GOOS == osWindows {
+		t.Skip("this test is not available on Windows")
+	}
+	u := getTestUser()
+	u.Username = tlsClient1Username
+	u.Filters.DeniedLoginMethods = append(u.Filters.DeniedLoginMethods, dataprovider.LoginMethodPassword)
+	u.Filters.TLSUsername = dataprovider.TLSUsernameCN
+	err := dataprovider.Close()
+	assert.NoError(t, err)
+	err = config.LoadConfig(configDir, "")
+	assert.NoError(t, err)
+	providerConf := config.GetProviderConf()
+	err = os.WriteFile(preLoginPath, getPreLoginScriptContent(u, false), os.ModePerm)
+	assert.NoError(t, err)
+	providerConf.PreLoginHook = preLoginPath
+	err = dataprovider.Initialize(providerConf, configDir, true)
+	assert.NoError(t, err)
+	_, _, err = httpdtest.GetUserByUsername(tlsClient1Username, http.StatusNotFound)
+	assert.NoError(t, err)
+	tlsConfig := &tls.Config{
+		ServerName:         "localhost",
+		InsecureSkipVerify: true, // use this for tests only
+		MinVersion:         tls.VersionTLS12,
+	}
+	tlsCert, err := tls.X509KeyPair([]byte(client1Crt), []byte(client1Key))
+	assert.NoError(t, err)
+	tlsConfig.Certificates = append(tlsConfig.Certificates, tlsCert)
+	client, err := getFTPClient(u, true, tlsConfig)
+	if assert.NoError(t, err) {
+		err = checkBasicFTP(client)
+		assert.NoError(t, err)
+		err := client.Quit()
+		assert.NoError(t, err)
+	}
+
+	user, _, err := httpdtest.GetUserByUsername(tlsClient1Username, http.StatusOK)
+	assert.NoError(t, err)
+
+	// test login with an existing user
+	client, err = getFTPClient(user, true, tlsConfig)
+	if assert.NoError(t, err) {
+		err = checkBasicFTP(client)
+		assert.NoError(t, err)
+		err := client.Quit()
+		assert.NoError(t, err)
+	}
+
+	u.Username = tlsClient2Username
+	err = os.WriteFile(preLoginPath, getPreLoginScriptContent(u, false), os.ModePerm)
+	assert.NoError(t, err)
+	_, err = getFTPClient(u, true, tlsConfig)
+	if assert.Error(t, err) {
+		assert.Contains(t, err.Error(), "does not match username")
+	}
+
+	user2, _, err := httpdtest.GetUserByUsername(tlsClient2Username, http.StatusOK)
+	assert.NoError(t, err)
+	_, err = httpdtest.RemoveUser(user2, http.StatusOK)
+	assert.NoError(t, err)
+	err = os.RemoveAll(user2.GetHomeDir())
+	assert.NoError(t, err)
+
+	_, err = httpdtest.RemoveUser(user, http.StatusOK)
+	assert.NoError(t, err)
+	err = os.RemoveAll(user.GetHomeDir())
+	assert.NoError(t, err)
+	err = dataprovider.Close()
+	assert.NoError(t, err)
+	err = config.LoadConfig(configDir, "")
+	assert.NoError(t, err)
+	providerConf = config.GetProviderConf()
+	err = dataprovider.Initialize(providerConf, configDir, true)
+	assert.NoError(t, err)
+	err = os.Remove(preLoginPath)
+	assert.NoError(t, err)
+}
+
 func checkBasicFTP(client *ftp.ServerConn) error {
 	_, err := client.CurrentDir()
 	if err != nil {
@@ -2041,13 +2498,15 @@ func getFTPClientImplicitTLS(user dataprovider.User) (*ftp.ServerConn, error) {
 	return client, err
 }

-func getFTPClient(user dataprovider.User, useTLS bool) (*ftp.ServerConn, error) {
+func getFTPClient(user dataprovider.User, useTLS bool, tlsConfig *tls.Config) (*ftp.ServerConn, error) {
 	ftpOptions := []ftp.DialOption{ftp.DialWithTimeout(5 * time.Second)}
 	if useTLS {
-		tlsConfig := &tls.Config{
-			ServerName:         "localhost",
-			InsecureSkipVerify: true, // use this for tests only
-			MinVersion:         tls.VersionTLS12,
+		if tlsConfig == nil {
+			tlsConfig = &tls.Config{
+				ServerName:         "localhost",
+				InsecureSkipVerify: true, // use this for tests only
+				MinVersion:         tls.VersionTLS12,
+			}
 		}
 		ftpOptions = append(ftpOptions, ftp.DialWithExplicitTLS(tlsConfig))
 	}
@@ -2166,3 +2625,27 @@ func createTestFile(path string, size int64) error {
 	}
 	return os.WriteFile(path, content, os.ModePerm)
 }
+
+func writeCerts(certPath, keyPath, caCrtPath, caCRLPath string) error {
+	err := os.WriteFile(certPath, []byte(ftpsCert), os.ModePerm)
+	if err != nil {
+		logger.ErrorToConsole("error writing FTPS certificate: %v", err)
+		return err
+	}
+	err = os.WriteFile(keyPath, []byte(ftpsKey), os.ModePerm)
+	if err != nil {
+		logger.ErrorToConsole("error writing FTPS private key: %v", err)
+		return err
+	}
+	err = os.WriteFile(caCrtPath, []byte(caCRT), os.ModePerm)
+	if err != nil {
+		logger.ErrorToConsole("error writing FTPS CA crt: %v", err)
+		return err
+	}
+	err = os.WriteFile(caCRLPath, []byte(caCRL), os.ModePerm)
+	if err != nil {
+		logger.ErrorToConsole("error writing FTPS CRL: %v", err)
+		return err
+	}
+	return nil
+}