VanDyke Software

Overview of FTPS Configuration in the VShell® Server

The FTPS protocol

FTP over SSL (FTPS) provides a secure file transfer option using the FTP protocol in which all data sent or received can be protected by SSL (Secure Sockets Layer) and TLS (Transport Layer Security) based encryption. For more information on the protocol, see IETF RFC 4217.

General description of the VShell server with FTPS

The VShell server with FTPS is delivered as a separate download, installation, and executable module from the standard VShell with Secure Shell/SFTP support. Both are available from the VanDyke Software website. VShell with FTPS also supports SFTP and honors many existing VShell configuration options. These include access control settings, connection filters, deny host, virtual roots, triggers, logging, and the new VShell internal user database. There are several options that are specific to the FTPS service:

  • The Require encrypted connections FTPS option controls whether unencrypted connections are allowed. If this option is disabled, plaintext FTP connections are allowed to any configured explicit listen address. Leaving the option enabled prevents unencrypted connections, and also prevents the client from dropping the encryption on the control or data channel after the connection has been established.
  • The Listen Addresses page allows the configuration of implicit and explicit addresses on which VShell FTPS will listen for incoming connections. By default, VShell FTPS listens on IP address 0.0.0.0, which means that VShell will listen on all network interface cards (NICs). The default port is 990 for implicit addresses and 21 for explicit addresses. Multiple implicit and explicit addresses can be configured.
  • The difference between implicit and explicit addresses is the mechanism by which the encrypted session is established. When a connection comes in to an explicit address, the SSL negotiation is not started until the client sends the "AUTH TLS" command indicating to the server that this connection needs to be protected. In contrast, when a connection comes in to an implicit address, VShell FTPS will immediately and unconditionally start negotiating an SSL connection.
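The following model, added here as an illustration and not VShell's own code, shows how the two settings above shape a control-channel session: an implicit listener is already under TLS when the first command arrives, an explicit listener waits for "AUTH TLS", and with encryption required the server refuses plaintext commands, PROT C and CCC (the RFC 4217 "clear command channel" request). Reply codes are taken from RFC 2228/4217; the reply wording and the command sets are assumptions of this example.

```python
from dataclasses import dataclass, field

# Commands RFC 4217 lets a client use before the control channel is protected.
PRE_TLS_ALLOWED = {"AUTH", "FEAT", "QUIT"}
DATA_COMMANDS = {"LIST", "NLST", "RETR", "STOR", "MLSD"}


@dataclass
class FtpsListener:
    implicit: bool                   # implicit listener: TLS before any command
    require_encryption: bool = True  # the "Require encrypted connections" option
    control_tls: bool = field(init=False)
    data_prot: str = "C"             # RFC 4217 default: data channel is clear

    def __post_init__(self):
        # An implicit listener has already completed the TLS handshake.
        self.control_tls = self.implicit

    def handle(self, line: str) -> str:
        verb, _, arg = line.strip().upper().partition(" ")
        if verb == "AUTH":
            if self.control_tls:
                return "534 Request denied for policy reasons"  # already secured
            if arg != "TLS":
                return "504 Security mechanism not supported"
            self.control_tls = True  # the TLS handshake happens here
            return "234 AUTH TLS successful"
        if not self.control_tls and self.require_encryption and verb not in PRE_TLS_ALLOWED:
            return "534 Policy requires SSL"  # plaintext FTP is refused
        if verb == "PROT":
            if arg not in ("C", "P"):
                return "536 Requested PROT level not supported"
            if arg == "C" and self.require_encryption:
                return "534 Request denied for policy reasons"
            self.data_prot = arg
            return f"200 Protection level set to {arg}"
        if verb == "CCC":  # Clear Command Channel: drop TLS on the control connection
            if self.require_encryption:
                return "534 Request denied for policy reasons"
            self.control_tls = False
            return "200 Command channel cleared"
        if verb in DATA_COMMANDS and self.require_encryption and self.data_prot != "P":
            return "521 Data connection cannot be opened with this PROT setting"
        return f"200 {verb} accepted"


def run_session(implicit: bool, require_encryption: bool, commands: list[str]) -> list[str]:
    """Replay a scripted client session and return the three-digit reply codes."""
    listener = FtpsListener(implicit, require_encryption)
    return [listener.handle(c)[:3] for c in commands]
```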

In order for the SSL negotiation to succeed, VShell FTPS must be configured to use a certificate. A certificate must be specified for each listen address configured. A certificate can be specified or created while editing or adding listen addresses.

  1. Open the Control Panel and go to the FTPS Listen Addresses page.
  2. Either click on the Add... button or select an existing listen address and click on the Edit... button.
  3. On the Add/Edit dialog, click on the Create... button.
  4. Fill in the fields on the Create Certificate dialog. The Common name field is the most important one: it must match the hostname or IP address of the machine on which the VShell server is running.
  5. Select the Generate button.
  6. Select OK on the Add/Edit dialog.

Rather than creating a self-signed certificate, VShell with FTPS can also be configured to use a pre-existing certificate for SSL/TLS negotiation. The certificate must meet the following requirements:

  • The certificate's Enhanced Key Usage field must be set to or include Server Authentication.
  • If the certificate is a self-signed certificate, the Authority Key Identifier must include the Certificate Serial Number specification, which must match the Serial Number field of that same certificate.

The listen addresses can all use the same certificate or a unique certificate can be specified for each address.

Licensing and upgrade options for VShell with FTP/SSL

The FTPS version of VShell is available in Administrator, Workgroup, and Enterprise editions. New license and upgrade pricing can be found on the VanDyke Software website.