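{
    # Template fragment: appends the mod_tls section of the ProFTPD
    # configuration to $OUT when the ftp TLSEnable property is 'on' or unset.
    #
    # Inputs read here but defined outside this fragment: %ftp, %modSSL,
    # $SystemName, $DomainName, $smeCiphers, $smeSSLprotocol and
    # dh_exists_good_size() (the last three presumably come from esmith::ssl).
    #
    # NOTE(review): every property value used below is interpolated into the
    # configuration verbatim. A value containing a newline would add extra
    # directives, so confirm that whatever writes these properties validates
    # them.
    use esmith::ssl;

    # TLS is treated as enabled unless the property holds another value.
    if (($ftp{TLSEnable} || 'on') eq 'on') {

        # TLSRequired: documented values are "on" and "off"; with "on",
        # plain (non-TLS) FTP connections are dropped. Defaults to "on".
        my $tlsrequired = $ftp{'TLSRequired'} || "on";

        # TLSVerifyClient defaults to "off" (no client certificate check).
        my $tlsclient = $ftp{'TLSVerifyClient'} || "off";

        # Use the same certificate and key as httpd.
        my $defaultcrt = "/home/e-smith/ssl.crt/${SystemName}.${DomainName}.crt";
        my $defaultkey = "/home/e-smith/ssl.key/${SystemName}.${DomainName}.key";

        # A configured path that does not exist falls back to the default.
        # Only existence is tested; the default path itself is not checked.
        my $crt = $modSSL{'crt'} || $defaultcrt;
        $crt = $defaultcrt unless -e $crt;
        my $key = $modSSL{'key'} || $defaultkey;
        $key = $defaultkey unless -e $key;

        # Emit a TLSCertificateChainFile directive only when a chain file is
        # configured and present; otherwise a comment line is written instead.
        my $chain_file = $modSSL{CertificateChainFile} || "# no chain cert";
        $chain_file = "# no chain cert" unless -e $chain_file;
        $chain_file = ( $chain_file eq "# no chain cert" )
            ? $chain_file
            : "TLSCertificateChainFile $chain_file";

        # DH parameters: the 4096-bit file is tested last, so it wins when
        # both files pass dh_exists_good_size(). With neither, a comment line
        # is written and no TLSDHParamFile directive is emitted.
        my $ftpdhparam = "#no dh param";
        $ftpdhparam = "TLSDHParamFile            /home/e-smith/dh.pem/2048.pem"
            if (dh_exists_good_size("2048","/home/e-smith/dh.pem/2048.pem"));
        $ftpdhparam = "TLSDHParamFile            /home/e-smith/dh.pem/4096.pem"
            if (dh_exists_good_size("4096","/home/e-smith/dh.pem/4096.pem"));

        # Cipher list precedence: ftp property, then modSSL property, then
        # the system-wide default.
        my $ciphers = $ftp{CipherSuite} || $modSSL{CipherSuite} || $smeCiphers;

        # SME11 proftpd 1.3.6 branch does not support TLS v1.3.
        # The dot is escaped so that only the literal token TLSv1.3 is removed.
        # NOTE(review): this edits $smeSSLprotocol in place and the variable is
        # not declared in this fragment; confirm that nothing expanded later
        # in the same process expects TLSv1.3 to still be listed.
        $smeSSLprotocol =~ s/TLSv1\.3//;

        # TLSOptions emitted below:
        #  - NoSessionReuseRequired is needed with newer clients and TLS to be
        #    able to list folders. It also drops the check that a data
        #    connection reuses the TLS session of its control connection.
        #  - AllowClientRenegotiations permits client-initiated renegotiation.
        #    NOTE(review): confirm this is still needed by supported clients.
        #  - NoCertRequest is written even when TLSVerifyClient is enabled.
        #    NOTE(review): confirm client verification works in that case.
        $OUT .= <<SSL_END;

<IfModule mod_tls.c>
TLSEngine                  on
TLSLog                     /var/log/proftpd/tls.log
TLSProtocol                $smeSSLprotocol
TLSCipherSuite             $ciphers
TLSOptions                 NoCertRequest AllowClientRenegotiations NoSessionReuseRequired
TLSRSACertificateFile      $crt
TLSRSACertificateKeyFile   $key
$chain_file
$ftpdhparam
TLSVerifyClient            $tlsclient
TLSRequired                $tlsrequired
</IfModule>
SSL_END

    }
}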

