Editing FTP over TLS
From FileZilla Wiki
Latest revision | Your text | ||
Line 3: | Line 3: | ||
=== Server Setup === | === Server Setup === | ||
− | Open the admin interface, and go to settings. Choose | + | Open the admin interface, and go to settings. Choose SSL/TLS (FTPS) settings, and choose to generate a new certificate. The two digit country code can be found by googleing (United States is just US - it can be confusing that two digit can be two letters, and not necessarily two numbers only). |
− | Once you have generated the certificate, and chosen where to save it, | + | Once you have generated the certificate, and chosen where to save it, filezilla will auto fill in the private key file, and the certificate file fields to point to the generated certificate. |
− | At this point, you can either choose to allow | + | At this point, you can either choose to allow SSL/TLS if the user opts, or you can force them to always use SSL/TLS, and not allow them to connect if they do not use it. |
− | PROT P refers to the data transfers. Communication with the server is always encrypted if you use | + | PROT P refers to the data transfers. Communication with the server is always encrypted if you use SSL/TLS.<br> |
Communication encrypted: PROT C, Communication+Data encrypted: PROT P. | Communication encrypted: PROT C, Communication+Data encrypted: PROT P. | ||
If PROT P isn't enforced, client could send PROT C and transfer files unencrypted. If PROT P is enforced, PROT C is rejected. | If PROT P isn't enforced, client could send PROT C and transfer files unencrypted. If PROT P is enforced, PROT C is rejected. | ||
− | Also see [[ | + | Also see [[FTPS_using_Explicit_SSL/TLS_howto_(Server)|FTPS using Explicit SSL/TLS howto (Server)]]. |
+ | dd | ||
=== Client Setup === | === Client Setup === | ||
− | For a client to connect to a server using | + | For a client to connect to a server using SSL, then the host for that connection needs to be set to FTPS. In FileZilla client this means prefixing the host with "FTPES://" for "explicit" FTPS, or "FTPS://" for the legacy "implicit" FTPS. |
==== Certificate Removal ==== | ==== Certificate Removal ==== | ||
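Review bot: the `+ | dd` line added after the "Also see" link is a stray keystroke, not content, and should be dropped before this revision is saved. Two smaller points in the same hunk: "googleing" should read "googling" (the country code is the two-letter ISO 3166-1 alpha-2 code, which is a clearer pointer than a search), and the PROT P paragraph already states the security consequence ("client could send PROT C and transfer files unencrypted") but never draws the conclusion, so add one sentence recommending that PROT P be enforced on the server rather than left to the client's choice. The "FTPES://" / "FTPS://" sentence in Client Setup is also repeated almost word for word in the new "Explicit vs Implicit FTPS" section below; keep it in one place and link to it from the other.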
Line 27: | Line 28: | ||
In order to remove a saved certificate, navigate to {{Path|%APPDATA%\FileZilla}} and delete, rename or modify the {{Path|trustedcerts.xml}} file. | In order to remove a saved certificate, navigate to {{Path|%APPDATA%\FileZilla}} and delete, rename or modify the {{Path|trustedcerts.xml}} file. | ||
− | ===== Linux | + | ===== Linux ===== |
− | In order to remove a saved certificate rename or modify the file {{Path|~/. | + | In order to remove a saved certificate rename or modify the file {{Path|~/.filezilla}}. |
− | + | == Explicit vs Implicit FTPS == | |
− | + | FTPS (SSL/TLS) is served up in two incompatible modes. If using explicit FTPS, the client connects to the normal FTP port and explicitly switches into secure (SSL/TLS) mode with "AUTH TLS", whereas implicit FTPS is an older style service that assumes SSL/TLS mode right from the start of the connection (and normally listens on TCP port 990, rather than 21). In a FileZilla client this means prefixing the host with "FTPES://" to connect an "explicit" FTPS server, or "FTPS://" for the legacy "implicit" server (for which you will likely also need to set the port to 990). | |
− | FTPS ( | ||
− | == TLS (FTPS) vs SSH (SFTP) == | + | == SSL/TLS (FTPS) vs SSH (SFTP) == |
− | FTPS (FTP encrypted with TLS) should not be confused with SFTP (SSH). The latter is a completely different protocol, with more information [[Howto|here]]. | + | FTPS (FTP encrypted with SSL/TLS) should not be confused with SFTP (SSH). The latter is a completely different protocol, with more information [[Howto|here]]. |
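Review bot: the Linux entry under Certificate Removal now says to rename or modify "the file {{Path|~/.filezilla}}", but {{Path|~/.filezilla}} is the client's configuration directory, not a file; the Windows entry two lines up targets only {{Path|trustedcerts.xml}} inside {{Path|%APPDATA%\FileZilla}}, so the Linux entry should point at the same file under {{Path|~/.filezilla}} rather than at the whole directory, which holds the rest of the client's settings as well. On the renamed heading "SSL/TLS (FTPS) vs SSH (SFTP)": the previous revision said "TLS", and since the S in FTPS is the only place SSL survives in practice, consider keeping "TLS" in prose and mentioning SSL only when expanding the acronym. The new "Explicit vs Implicit FTPS" section is otherwise the clearest part of the change; its note that implicit mode "normally listens on TCP port 990, rather than 21" and that AUTH TLS is what switches explicit mode into TLS is exactly what a reader needs when a connection fails.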