FTPS using Explicit TLS howto (Server): Difference between revisions

From FileZilla Wiki
(The NAT section is totally incorrect. Remove it and link to the network configuration guide.)
(Slight Implicit/Explicit clarifications, and link orphan page with more relevant info (too much for me to try and consolidate docs as a newbie here).)
Line 9: Line 9:
Please note that FZS needs the paths to the certificate files:
Please note that FZS needs the paths to the certificate files:


If you generate your own private key and certificate without putting a path in front of the file name, FZS only puts the bare filename in the certificate field without an error notice, but later you will get "Could not load certificate file" errors in the FZS log when someone tries to connect via FTPS/FTPES.
If you generate your own private key and certificate without putting a path in front of the file name, FZS only puts the bare filename in the certificate field without an error notice, but later you will get "Could not load certificate file" errors in the FZS log when someone tries to connect via FTPS/FTPES (Implicit/Explicit).


Therefore always put the full path to the private key and certificate files in their corresponding fields and FZS can find the files.
Therefore always put the full path to the private key and certificate files in their corresponding fields and FZS can find the files.
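Review bot: "in their corresponding fields and FZS can find the files" joins the instruction and its reason with a bare "and", so the causal link is lost; suggest "in their corresponding fields so that FZS can find the files." The new parenthetical "(Implicit/Explicit)" after "FTPS/FTPES" relies on the reader pairing the terms by position; "FTPS (implicit) or FTPES (explicit)" says it outright.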
Line 16: Line 16:


If your server has a direct connection to the internet the configuration is simple, check "Enable SSL/TLS Support".
If your server has a direct connection to the internet the configuration is simple, check "Enable SSL/TLS Support".
More SFTP documentation is available [[SSL/TLS|here]].


== Configure with NAT ==
== Configure with NAT ==
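Review bot: the added sentence "More SFTP documentation is available [[SSL/TLS|here]]" calls the linked page SFTP documentation, but the link target is the SSL/TLS page and SFTP (the SSH-based file transfer protocol) is a different protocol from FTP over TLS, which is what this page and that link cover. Suggest "More SSL/TLS (FTPS) documentation is available [[SSL/TLS|here]]." so readers are not sent looking for the wrong protocol.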
Line 21: Line 23:
Please read the [[Network Configuration]] guide for instructions how to configure the server behind NAT devices.
Please read the [[Network Configuration]] guide for instructions how to configure the server behind NAT devices.


Enable Explicit SSL/TLS
== Enable Explicit SSL/TLS ==
 
In the SSL/TLS settings menu check "allow Explicit SSL/TLS on normal connections."  I recommend also checking "Force Explicit SSL/TLS" and "Force PROT P to encrypt data Channel in SSL/TLS mode."  This will further enforce encryption policies.  If you only want certain groups or users to have encryption you can set that up in the user or group editor.  If there is data you still want available to the general public the "Force" setting should be disabled in the server settings menu, as you will need an FTP client rather than a web browser to access the FTP server.
In the SSL/TLS settings menu check "allow Explicit SSL/TLS on normal connections."  I recommend also checking "Force Explicit SSL/TLS" and "Force PROT P to encrypt data Channel in SSL/TLS mode."  This will further enforce encryption policies.  If you only want certain groups or users to have encryption you can set that up in the user or group editor.  If there is data you still want available to the general public the "Force" setting should be disabled in the server settings menu, as you will need an FTP client rather than a web browser to access the FTP server.


 
Setting up your FTP server in this way allows you to encrypt your data and login information without having to get 3rd party programs. With explicit SSL/TLS you will need a FTP client. Internet Explorer and Firefox don't support SSL/TLS without special plugins. FireZilla client supports FTPS both implicit (FTPS:// protocol), and explicit (FTPES://).
Setting up your FTP server in this way allows you to encrypt your data and login information without having to get 3rd party programs. With explicit SSL/TLS you will need a FTP client. Internet Explorer and Firefox don't support SSL/TLS without special plugins.
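Review bot: "FireZilla client" in the added sentence is a typo for "FileZilla client". The same sentence has a stray comma before "and" and writes the URI schemes in capitals, although they are typed lowercase in the client's host field; suggest "The FileZilla client supports FTPS both implicit (ftps://) and explicit (ftpes://)." Also "a FTP client" in the unchanged line above should read "an FTP client".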

Revision as of 16:05, 17 July 2009

Configuration

First you'll want to create a certificate; this can be done with the Certificate Generator in FileZilla Server. The Generator will ask for a country code, state, city, etc. This information doesn't need to be correct at all; it is just used to generate the hash used to encrypt and decrypt the data being sent by the server and client.

Encryption strength for the certificate is chosen at the top of the generator: 1024-bit, 2048-bit or 4096-bit. The larger the key, the more secure the data and account information will be. There is, however, one thing that needs to be taken into account: CPU utilization. When you apply encryption to your FileZilla Server, the CPU has to do many calculations to encrypt the data being sent and decrypt the data being received. Bandwidth also plays a part in how much the CPU is used: if you have a slower connection, let's say around 1.5 Mbps up, you may not have to worry about CPU utilization as much. The best way to decide is to test.

Please note that FZS (FileZilla Server) needs the full paths to the certificate files:

If you generate your own private key and certificate without putting a path in front of the file name, FZS only puts the bare filename in the certificate field without an error notice, but later you will get "Could not load certificate file" errors in the FZS log when someone tries to connect via FTPS/FTPES (Implicit/Explicit).

Therefore, always put the full path to the private key and certificate files in their corresponding fields, so that FZS can find the files.

After you have created the certificate, enter its name and folder path into the "Private key file" field, or browse to it.

If your server has a direct connection to the internet, the configuration is simple: check "Enable SSL/TLS Support".

More SSL/TLS (FTPS) documentation is available on the SSL/TLS page of this wiki.

Configure with NAT

Please read the Network Configuration guide for instructions on how to configure the server behind NAT devices.

Enable Explicit SSL/TLS

In the SSL/TLS settings menu check "allow Explicit SSL/TLS on normal connections." I recommend also checking "Force Explicit SSL/TLS" and "Force PROT P to encrypt data Channel in SSL/TLS mode." These further enforce the encryption policy. If you only want certain groups or users to have encryption, you can set that up in the user or group editor. If there is data you still want available to the general public, the "Force" setting should be disabled in the server settings menu, since with it enabled an FTP client rather than a web browser is needed to access the FTP server.

Setting up your FTP server in this way allows you to encrypt your data and login information without having to get third-party programs. With explicit SSL/TLS you will need an FTP client: Internet Explorer and Firefox don't support SSL/TLS without special plugins. The FileZilla client supports FTPS both implicit (ftps://) and explicit (ftpes://).
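The policy that the two "Force" settings above impose, as an added example that is not FileZilla Server's code: a small Python model of the control-channel exchange (AUTH TLS, PBSZ, PROT, then a data command) showing which client commands a server configured this way refuses before TLS is negotiated or before PROT P is set, and how a per-user requirement from the user editor behaves when the server-wide "Force" is off. The Policy fields, the tls_users set and all reply texts other than the RFC-defined 234 and 534 are assumptions.

```python
# Added example (not FileZilla Server's code): a model of the control-channel policy the
# settings above produce. Replies 234 and 534 follow RFC 4217 / RFC 2228; other reply
# texts are assumptions written to read like real server replies.
from dataclasses import dataclass, field

DATA_CMDS = {"PASV", "EPSV", "PORT", "LIST", "NLST", "RETR", "STOR"}

@dataclass
class Policy:
    allow_explicit: bool = True  # "allow Explicit SSL/TLS on normal connections"
    force_explicit: bool = True  # "Force Explicit SSL/TLS" for every user
    force_prot_p: bool = True    # "Force PROT P to encrypt data Channel"
    tls_users: set = field(default_factory=set)  # per-user requirement from the user editor

@dataclass
class Session:
    policy: Policy
    tls: bool = False  # control channel upgraded after a successful AUTH TLS
    prot: str = "C"    # RFC 4217 data-channel level: "C" (clear) or "P" (private)
    user: str = ""

    def requires_tls(self) -> bool:
        return self.policy.force_explicit or self.user in self.policy.tls_users

    def handle(self, line: str) -> str:
        cmd, _, arg = line.strip().partition(" ")
        cmd, arg = cmd.upper(), arg.strip()
        if cmd == "AUTH":
            if arg.upper() != "TLS" or not self.policy.allow_explicit:
                return "502 Explicit TLS authentication not allowed"
            self.tls = True  # a real server performs the TLS handshake here
            return "234 Using authentication type TLS"
        if cmd == "USER":
            self.user = arg
            if self.requires_tls() and not self.tls:
                return "530 This server does not allow plain FTP. Use FTP over TLS."
            return "331 Password required"
        if cmd == "PBSZ":
            return "200 PBSZ=0" if self.tls else "503 Use AUTH first"
        if cmd == "PROT":
            if not self.tls:
                return "503 Use AUTH first"
            if arg.upper() == "C" and self.policy.force_prot_p:
                return "534 Request denied for policy reasons"  # clear data channel refused
            self.prot = arg.upper()
            return "200 Protection level set to " + self.prot
        if cmd in DATA_CMDS:
            if self.tls and self.policy.force_prot_p and self.prot != "P":
                return "521 PROT P required"
            return "200 Data command accepted"  # a real server opens the data channel here
        return "500 Syntax error, command unrecognized"
```

Feed a Session the commands a client would send in order and compare the replies with what your own server answers to confirm the settings took effect.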