FTPS using Explicit TLS howto (Server)
From FileZilla Wiki
== Configuration ==
− | |||
− | |||
First you'll want to create a certificate; FileZilla Server includes a Certificate Generator for this. The generator asks for a country code, state, city and so on. These subject fields do not have to be accurate for the server to work: they only identify the certificate and play no part in the encryption itself. What matters is the key pair the generator creates alongside the certificate. The private key stays on the server, and the certificate (carrying the public key) is what clients see when they connect. Because the certificate is self-signed, FTP clients will warn the user the first time they connect; entering the host name clients will actually use as the common name keeps that warning to the "unknown issuer" kind rather than a name mismatch.

− | |||
− | |||
The key size is chosen at the top of the generator: 1024, 2048 or 4096 bits. This is the size of the certificate's RSA key pair, not of a hash. A larger key makes the server's key harder to break but costs more CPU during each TLS handshake; 1024-bit keys are no longer considered adequate, so choose 2048 bits or more.

There is one thing that needs to be taken into account: CPU utilization. Once SSL/TLS is enabled, the server has to encrypt every byte it sends and decrypt every byte it receives. The key size only affects the handshake at the start of a connection; the bulk encryption of the transfer itself uses a symmetric cipher negotiated in that handshake, so its cost grows with the amount of data moved, not with the key size.

Bandwidth also plays a part in how busy the CPU gets: the server can only encrypt as fast as it can send, so on a slower connection, say around 1.5 Mbps up, CPU utilization is much less of a concern. The best way to decide is to test.

After you have created the certificate, enter its location in the "Private key file" field, or browse to it.

If your server has a direct connection to the internet (no NAT in between), the rest of the configuration is simple: check "Enable SSL/TLS support".

− | |||
− | |||
− | |||
− | If your server has a direct connection to the internet the configuration is simple, check "Enable | ||
− | |||
− | |||
== Configure with NAT ==
If the server is behind NAT, data connections need extra care. If you have just switched on SSL/TLS you may have seen "425 data connection could not be opened". With plain FTP a NAT router can read the PORT and PASV commands on the control channel and open the data ports on the fly; once the control channel is encrypted it can no longer see them, so that help is gone. Active FTP (where the server connects back to the client from port 20) therefore does not work through NAT together with SSL/TLS; you have to use passive mode. Passive is a client-side option, and passive data connections use neither port 20 nor port 21: the server picks a port for each transfer and tells the client which one. To keep the number of ports open to the internet small, set a custom range. In the server's "Passive mode settings" check "Use custom port range:" and enter the ports you want to use for passive mode. Make sure you forward exactly these ports (plus port 21 for the control channel) to the server on your NAT device (router), and set the external IP address in the same settings so that the server advertises the address clients can actually reach rather than its LAN address.

=== Enable Explicit SSL/TLS ===
In the SSL/TLS settings menu check "Allow explicit SSL/TLS on normal connections". I recommend also checking "Force explicit SSL/TLS" and "Force PROT P to encrypt data channel in SSL/TLS mode", which enforce the encryption policy: the first rejects logins from clients that have not issued AUTH TLS, so passwords never cross the wire in the clear; the second rejects transfers for which the client has not issued PROT P, so file contents and directory listings are encrypted as well, not just the login. Without "Force PROT P" a client can negotiate TLS for the control channel and still move files in clear text. If only certain groups or users should be required to use encryption, set that in the user or group editor instead. If there is data you still want available to the general public, leave the "Force" settings disabled in the server settings menu, since a forced-TLS server can only be reached with an FTP client, not with a web browser.
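To make the passive-mode and PROT P points concrete, here is an added example in Python. It is not FileZilla code: it replays a constructed control-channel transcript of an explicit FTPS session (AUTH TLS, PBSZ 0, PROT P, login, then PASV), reports whether the data channel actually ended up protected, and checks a 227 PASV reply against the custom passive port range that has to be forwarded on the router. The transcript, the address 203.0.113.10, the user name and the range 50000-50100 are made up for the example.

```python
"""Explicit FTPS control-channel walk-through and PASV sanity check.

Added example, not part of FileZilla Server. Reply codes follow RFC 959 and
RFC 4217; everything else here (hosts, ports, users) is constructed.
"""
import ipaddress
import re

# Constructed transcript (not a real capture) of what a client and the server
# exchange on port 21 before any data connection is opened.
# "C" lines are sent by the client, "S" lines by the server.
SAMPLE_TRANSCRIPT = [
    ("S", "220 FileZilla Server ready"),
    ("C", "AUTH TLS"),
    ("S", "234 Using authentication type TLS"),  # TLS handshake happens here
    ("C", "PBSZ 0"),
    ("S", "200 PBSZ=0"),
    ("C", "PROT P"),
    ("S", "200 Protection level set to P"),  # data channel will be encrypted
    ("C", "USER alice"),
    ("S", "331 Password required for alice"),
    ("C", "PASS s3cret"),
    ("S", "230 Logged on"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (203,0,113,10,195,80)"),
]

# Address tuple carried by a 227 reply: h1,h2,h3,h4,p1,p2
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# RFC 1918 ranges: if the server advertises one of these, a client on the
# internet will try to connect to the LAN address and fail with 425.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply; the data port is p1*256 + p2."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 PASV reply: %r" % reply)
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError("227 reply carries no address tuple: %r" % reply)
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (a, b, c, d), p1 * 256 + p2


def check_passive(reply, port_range):
    """List the reasons a client on the internet would get 425 on this reply.

    port_range is the (low, high) custom passive range configured in the
    server and forwarded on the NAT device, both ends inclusive.
    """
    ip, port = parse_pasv(reply)
    low, high = port_range
    problems = []
    if not low <= port <= high:
        problems.append("port %d is outside forwarded range %d-%d"
                        % (port, low, high))
    if any(ipaddress.ip_address(ip) in net for net in RFC1918):
        problems.append("server advertised LAN address %s; set the external IP"
                        % ip)
    return problems


def negotiated_protection(transcript):
    """Walk the transcript and return the data-channel protection level.

    "P" only if the server accepted AUTH TLS (234), then PBSZ 0 (200), then
    PROT P (200), in that order; otherwise "C" (clear), which is what a server
    without "Force PROT P" will leave you with if the client never asks.
    """
    tls_up = pbsz_done = False
    level = "C"
    pending = None  # last client command, awaiting the server's reply
    for who, line in transcript:
        if who == "C":
            pending = line.strip().upper()
            continue
        code = line[:3]
        if pending == "AUTH TLS" and code == "234":
            tls_up = True
        elif pending == "PBSZ 0" and code == "200" and tls_up:
            pbsz_done = True
        elif pending == "PROT P" and code == "200" and tls_up and pbsz_done:
            level = "P"
        pending = None
    return level


if __name__ == "__main__":
    print("data channel protection:", negotiated_protection(SAMPLE_TRANSCRIPT))
    last_reply = SAMPLE_TRANSCRIPT[-1][1]
    print("PASV ->", parse_pasv(last_reply))
    print("problems:", check_passive(last_reply, (50000, 50100)))
    # The kind of reply that produces 425 behind NAT: LAN address, port 21.
    print("bad PASV problems:",
          check_passive("227 Entering Passive Mode (192,168,1,5,0,21)",
                        (50000, 50100)))
```

The sample reply advertises port 195*256+80 = 50000, inside the forwarded range, and a non-private address, so no problems are reported; a reply that names a 192.168.x.x host or a port outside the range is exactly what the router never forwards, and the client's failure shows up as the 425 above. The protection check is also a quick way to see why "Force PROT P" matters: drop the PROT P exchange from the transcript and the session is still logged in over TLS, but the level falls back to "C".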
− | |||
Setting up your FTP server in this way lets you encrypt both your data and your login information without having to install third-party programs. With explicit SSL/TLS you will need a proper FTP client, though: web browsers such as Internet Explorer and Firefox don't support SSL/TLS for FTP without special plug-ins.