Difference between revisions of "FTP over TLS"

From FileZilla Wiki
m (Reverted edits by 178.84.24.209 (talk) to last revision by CodeSquid)
Tag: Rollback
(23 intermediate revisions by 10 users not shown)

Changes between the two revisions (the flattened side-by-side diff, rebuilt as a list of old wording and new wording):

Line 3, Server Setup and Client Setup:
* "Choose SSL/TLS (FTPS) settings" becomes "Choose ''FTP over TLS settings''"; "can be found by googleing" becomes "can be found by searching the web".
* "filezilla will auto fill in" becomes "FileZilla will auto fill in".
* "allow SSL/TLS if the user opts ... always use SSL/TLS" becomes "allow FTP over TLS if the user opts ... always use FTP over TLS".
* "Communication with the server is always encrypted if you use SSL/TLS." becomes "Communication with the server is always encrypted if you use FTP over TLS."
* Unchanged in both revisions: "Communication encrypted: PROT C, Communication+Data encrypted: PROT P." and "If PROT P isn't enforced, client could send PROT C and transfer files unencrypted. If PROT P is enforced, PROT C is rejected."
* The link [[FTPS_using_Explicit_SSL/TLS_howto_(Server)|FTPS using Explicit SSL/TLS howto (Server)]] becomes [[FTPS_using_Explicit_TLS_howto_(Server)|FTPS using Explicit TLS howto (Server)]].
* "For a client to connect to a server using SSL" becomes "For a client to connect to a server using TLS".

Line 24, Certificate Removal:
* Old revision: after the {{Path|trustedcerts.xml}} paragraph, a pasted PEM certificate block (-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----; the base64 body is omitted here) followed by the level-5 heading "Linux".
* New revision: the level-5 heading "Windows" with the text "In order to remove a saved certificate, navigate to {{Path|%APPDATA%\FileZilla}} and delete, rename or modify the {{Path|trustedcerts.xml}} file.", followed by the level-5 heading "Linux, OS X and others".
* Unchanged in both revisions: "In order to remove a saved certificate rename or modify the file {{Path|~/.config/filezilla/trustedcerts.xml}}."

Line 75 (old) / Line 34 (new), Explicit vs Implicit FTPS and the section after it:
* "FTPS (SSL/TLS) is served up in two incompatible modes ... switches into secure (SSL/TLS) mode ... assumes SSL/TLS mode" becomes "FTPS (FTP over TLS) is served up in two incompatible modes ... switches into secure (TLS) mode ... assumes TLS mode".
* The level-2 heading "SSL/TLS (FTPS) vs SSH (SFTP)" becomes "TLS (FTPS) vs SSH (SFTP)".
* "FTPS (FTP encrypted with SSL/TLS) should not be confused with SFTP (SSH)." becomes "FTPS (FTP encrypted with TLS) should not be confused with SFTP (SSH)."

Revision as of 10:04, 3 July 2020

== Setup ==

=== Server Setup ===

Open the admin interface and go to settings. Choose ''FTP over TLS settings'' and choose to generate a new certificate. The "two digit" country code is actually a two-letter code (for the United States it is just US); the name is confusing because it suggests numbers, but letters are expected. You can find the code for your country by searching the web.

Once you have generated the certificate and chosen where to save it, FileZilla will automatically fill in the private key file and certificate file fields to point to the generated certificate.

At this point you can either allow FTP over TLS only when the user opts in, or force users to always use FTP over TLS and refuse connections that do not use it.

PROT P refers to the data transfers. With FTP over TLS the control connection (the commands you exchange with the server) is always encrypted; PROT decides whether the data connections that carry file contents and directory listings are encrypted too.
Communication encrypted only: PROT C. Communication and data encrypted: PROT P.

If PROT P is not enforced, a client can send PROT C and transfer files unencrypted. If PROT P is enforced, the server rejects PROT C.
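The two server settings described above ("force FTP over TLS" and "enforce PROT P") are easiest to understand as rules applied to the command sequence AUTH TLS, PBSZ 0, PROT P on the control connection. The toy model below is an added example written for this page, not FileZilla Server's code: the reply codes follow RFC 2228 and RFC 4217, but the reply texts, the client transcript and the file name are constructed for illustration.

```python
"""Toy model of an FTPS control connection, showing how the server-side
"require TLS" and "enforce PROT P" settings decide what a client may do.
Added example for this wiki page, not FileZilla Server's code: reply texts
are constructed for illustration (reply codes follow RFC 2228 / RFC 4217)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ControlSession:
    require_tls: bool         # "force FTP over TLS": refuse plain-FTP logins
    enforce_prot_p: bool      # "enforce PROT P": refuse PROT C on the data channel
    tls_active: bool = False  # AUTH TLS completed on the control connection
    pbsz_done: bool = False   # PBSZ 0 seen (RFC 4217 requires it before PROT)
    prot: str = "C"           # RFC 2228 default: data connections start in the clear

    def handle(self, line: str) -> str:
        """Return the server reply for one control-connection command."""
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip().upper()

        if verb == "AUTH":
            if arg != "TLS":
                return "504 Unknown security mechanism"
            self.tls_active = True  # the TLS handshake would follow this reply
            return "234 Using authentication type TLS"

        if verb == "USER":
            if self.require_tls and not self.tls_active:
                return "530 Plain FTP is not allowed on this server; use AUTH TLS first"
            return "331 Password required"

        if verb == "PBSZ":
            if not self.tls_active:
                return "503 Use AUTH TLS before PBSZ"
            self.pbsz_done = True
            return "200 PBSZ=0"

        if verb == "PROT":
            if not (self.tls_active and self.pbsz_done):
                return "503 Issue AUTH TLS and PBSZ before PROT"
            if arg == "P":
                self.prot = "P"
                return "200 Protection level set to P"
            if arg == "C":
                if self.enforce_prot_p:
                    # Policy denial: the data channel may not fall back to cleartext.
                    return "534 PROT C refused; PROT P is required on this server"
                self.prot = "C"
                return "200 Protection level set to C"
            return "504 Protection level not supported"

        if verb in ("LIST", "RETR", "STOR"):
            if self.enforce_prot_p and self.prot != "P":
                return "534 Data connection must be protected; send PROT P first"
            if self.prot == "P":
                return "150 Opening TLS-protected data connection"
            return "150 Opening data connection (cleartext, PROT C)"

        return "502 Command not implemented in this model"


def run_transcript(session: ControlSession, commands: List[str]) -> List[Tuple[str, str]]:
    """Feed commands in order and return (command, reply) pairs."""
    return [(cmd, session.handle(cmd)) for cmd in commands]


def data_channel_encrypted(session: ControlSession) -> bool:
    """True only when the control connection is under TLS and PROT P is active."""
    return session.tls_active and session.prot == "P"


if __name__ == "__main__":
    # Constructed client transcript: a client that tries to downgrade to PROT C.
    downgrade = ["AUTH TLS", "PBSZ 0", "USER alice", "PROT C", "RETR report.pdf"]
    for policy in (False, True):
        session = ControlSession(require_tls=True, enforce_prot_p=policy)
        print(f"enforce PROT P = {policy}")
        for cmd, reply in run_transcript(session, downgrade):
            print(f"  C> {cmd:<16} S> {reply}")
```

Running the script prints the same downgrade attempt twice: with enforcement off, PROT C is accepted and the RETR proceeds over a cleartext data connection; with enforcement on, both the PROT C and the subsequent transfer are refused with a 5xx policy reply, which is exactly the behaviour the paragraph above describes.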

Also see [[FTPS_using_Explicit_TLS_howto_(Server)|FTPS using Explicit TLS howto (Server)]].

=== Client Setup ===

For a client to connect to a server using TLS, the connection needs to be set to FTPS. In the FileZilla client this means prefixing the host with "FTPES://" for "explicit" FTPS, or "FTPS://" for the legacy "implicit" FTPS.

==== Certificate Removal ====

The file {{Path|trustedcerts.xml}} contains the certificates of servers that you have told your FileZilla client to trust. This file should not be confused with any certificates you have in use if you also run FileZilla as a server.

===== Windows =====

In order to remove a saved certificate, navigate to {{Path|%APPDATA%\FileZilla}} and delete, rename or modify the {{Path|trustedcerts.xml}} file.

===== Linux, OS X and others =====

In order to remove a saved certificate, rename or modify the file {{Path|~/.config/filezilla/trustedcerts.xml}}.

Please note that older FileZilla versions used {{Path|~/.filezilla/trustedcerts.xml}}.

== Explicit vs Implicit FTPS ==

FTPS (FTP over TLS) is served in two incompatible modes. With explicit FTPS, the client connects to the normal FTP port (21) and explicitly switches into secure (TLS) mode with the "AUTH TLS" command, whereas implicit FTPS is an older style of service that assumes TLS from the very start of the connection (and normally listens on TCP port 990 rather than 21). In the FileZilla client this means prefixing the host with "FTPES://" to connect to an "explicit" FTPS server, or "FTPS://" for the legacy "implicit" server (for which you will likely also need to set the port to 990).
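The host-prefix convention above maps directly onto two different client behaviours: in explicit mode the TLS upgrade happens after the FTP banner, in implicit mode before it. The example below is added for this page and is not FileZilla's code; it uses Python's standard ftplib, which only speaks explicit FTPS natively, so the ImplicitFTP_TLS subclass is the usual workaround that wraps the control socket in TLS as soon as it is connected. It also shows the client-side counterpart of the server settings discussed earlier: verifying the server certificate and host name, and sending PROT P so data transfers are encrypted. Host names, user names and ports other than 21/990 are placeholders.

```python
"""Explicit vs implicit FTPS from the client side, using Python's ftplib.
Added example for this wiki page, not FileZilla's code. ftplib only speaks
explicit FTPS natively; ImplicitFTP_TLS is the common subclass that wraps the
control socket in TLS before the banner is read, for port-990 servers.
Host names and user names are placeholders."""
import ftplib
import ssl
from typing import Tuple
from urllib.parse import urlsplit


def strict_context() -> ssl.SSLContext:
    """Verify the server certificate and host name, TLS 1.2 or newer."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


class ImplicitFTP_TLS(ftplib.FTP_TLS):
    """FTP_TLS variant for implicit FTPS: TLS starts on connect, before any FTP command."""
    _sock = None

    @property
    def sock(self):
        return self._sock

    @sock.setter
    def sock(self, value):
        # Wrap the freshly connected control socket right away (no AUTH TLS step).
        if value is not None and not isinstance(value, ssl.SSLSocket):
            value = self.context.wrap_socket(value, server_hostname=self.host)
        self._sock = value


def parse_filezilla_host(url: str) -> Tuple[str, str, int]:
    """Map the FileZilla host prefixes to (mode, host, port): ftpes:// is explicit
    (default port 21), ftps:// is legacy implicit (default port 990)."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme == "ftpes":
        return "explicit", parts.hostname, parts.port or 21
    if scheme == "ftps":
        return "implicit", parts.hostname, parts.port or 990
    raise ValueError(f"not an FTPS host string: {url!r}")


def make_client(url: str) -> ftplib.FTP_TLS:
    """Build an unconnected client of the right kind for the host string."""
    mode, _, _ = parse_filezilla_host(url)
    cls = ImplicitFTP_TLS if mode == "implicit" else ftplib.FTP_TLS
    return cls(context=strict_context())


def verification_settings(client: ftplib.FTP_TLS) -> Tuple[bool, bool]:
    """(host name checked, certificate required) for the client's TLS context."""
    ctx = client.context
    return ctx.check_hostname, ctx.verify_mode == ssl.CERT_REQUIRED


def secure_login(url: str, user: str, passwd: str) -> ftplib.FTP_TLS:
    """Connect and log in so that both control and data channels are encrypted.
    Explicit: banner on port 21, then AUTH TLS, PBSZ 0, PROT P.
    Implicit: TLS handshake first, then the banner, then PBSZ 0, PROT P."""
    mode, host, port = parse_filezilla_host(url)
    client = make_client(url)
    client.connect(host, port, timeout=30)
    if mode == "explicit":
        client.auth()       # sends AUTH TLS and upgrades the control connection
    client.login(user, passwd)
    client.prot_p()         # sends PBSZ 0 then PROT P: encrypt data transfers too
    return client


if __name__ == "__main__":
    # Placeholder host: the parsing and client selection run without a network.
    for url in ("ftpes://ftp.example.net", "ftps://ftp.example.net"):
        print(url, "->", parse_filezilla_host(url), type(make_client(url)).__name__)
```

Only secure_login opens a connection; everything else can be exercised offline. Note that a plain ftplib.FTP_TLS pointed at port 990 would hang waiting for a cleartext banner that an implicit server never sends, which is why the mode has to be chosen before connecting rather than negotiated.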

== TLS (FTPS) vs SSH (SFTP) ==

FTPS (FTP encrypted with TLS) should not be confused with SFTP, which runs over SSH. The latter is a completely different protocol; see [[Howto|here]] for more information.