From c0a33952c677b03414681d0d649e3e30f1207faa Mon Sep 17 00:00:00 2001
From: Klaus Post
Date: Fri, 9 May 2025 22:10:19 +0200
Subject: [PATCH] Allow FTPS to force TLS (#21251)
Fixes #21249
Example params: `-ftp=force-tls=true -ftp="tls-private-key=ftp/private.key" -ftp="tls-public-cert=ftp/public.crt"`
If MinIO is set up for TLS those certs will be used.
---
 cmd/ftp-server.go | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/cmd/ftp-server.go b/cmd/ftp-server.go
index 179ce64c4..a7b2841b0 100644
--- a/cmd/ftp-server.go
+++ b/cmd/ftp-server.go
@@ -75,6 +75,7 @@ func startFTPServer(args []string) {
 portRange string
 tlsPrivateKey string
 tlsPublicCert string
+ forceTLS bool
 )
 var err error
@@ -103,6 +104,11 @@ func startFTPServer(args []string) {
 tlsPrivateKey = tokens[1]
 case "tls-public-cert":
 tlsPublicCert = tokens[1]
+ case "force-tls":
+ forceTLS, err = strconv.ParseBool(tokens[1])
+ if err != nil {
+ logger.Fatal(fmt.Errorf("invalid arguments passed to --ftp=%s (%v)", arg, err), "unable to start FTP server")
+ }
 }
 }
@@ -129,6 +135,10 @@ func startFTPServer(args []string) {
 tls := tlsPrivateKey != "" && tlsPublicCert != ""
+ if forceTLS && !tls {
+ logger.Fatal(fmt.Errorf("invalid TLS arguments provided. force-tls, but missing private key --ftp=\"tls-private-key=path/to/private.key\""), "unable to start FTP server")
+ }
+
 name := "MinIO FTP Server"
 if tls {
 name = "MinIO FTP(Secure) Server"
@@ -147,6 +157,7 @@ func startFTPServer(args []string) {
 Logger: &minioLogger{},
 PassivePorts: portRange,
 PublicIP: publicIP,
+ ForceTLS: forceTLS,
 })
 if err != nil {
 logger.Fatal(err, "unable to initialize FTP server")
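Review bot: The new `force-tls` case in the second hunk carries no comment, and because the diffstat shows only cmd/ftp-server.go changed, the option's meaning and its default are recorded only in the commit message. A comment above the case would help, for example `// force-tls=true: refuse sessions that have not negotiated TLS; the default (false) still permits plaintext logins.` The actual enforcement sits in the FTP library behind the `ForceTLS` option, which is not visible here, so the wording should be confirmed against it. The parse error is formatted with `%v`; `%w` would keep the strconv error inspectable by callers of the wrapped error. startFTPServer begins and ends outside this hunk, including whatever check guarantees that `tokens[1]` exists.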
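Review bot: The fatal message in the `forceTLS && !tls` branch of the third hunk names only the private key, yet `tls` is false when either `tlsPrivateKey` or `tlsPublicCert` is empty, so an operator who omitted only the certificate is pointed at the wrong flag. An earlier check outside this hunk may already reject a half-configured pair, in which case the message is merely imprecise. A message that covers both inputs would be clearer, for example `"force-tls requires both tls-private-key and tls-public-cert"`. The `fmt.Errorf` call has no format verbs, so the escaped quotes and the "provided. force-tls, but" phrasing could be simplified at the same time. The surrounding function continues outside the hunk.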