VanDyke Software



Overview of FTPS Configuration in the VShell® Server

The FTPS protocol

FTPS is a secure file transfer option that uses the same protocol as FTP. All data sent or received using FTPS is protected by TLS (Transport Layer Security) based encryption. For more information on the protocol, please see the IETF RFC document 4217.

General description of the VShell FTPS server

Most of the VShell configuration options are shared between the VShell FTPS server, the VShell SSH2 (SFTP) server, and the VShell HTTPS server (available with the HTTPS Enterprise edition for Windows).

Shared options include access control settings, connection filters, deny host, virtual roots, triggers, logging, the VShell internal user database, and others.

There are several options that are specific to the FTPS service:

  • The Require encrypted connections FTPS option is used to control whether unencrypted connections are allowed. If this option is disabled, plaintext FTP connections will be allowed to any explicit listen addresses configured. Leaving the option enabled prevents unencrypted connections, and also prevents the client from dropping the encryption on the control or data channel after connected.
  • The Listen Addresses page allows the configuration of implicit and explicit addresses on which VShell FTPS will listen for incoming connections. By default, VShell FTPS listens on IP address, which means that VShell will listen on all network interface cards (NICs). The default port is 990 for implicit addresses and 21 for explicit addresses. Multiple implicit and explicit addresses can be configured.
  • The difference between implicit and explicit addresses is the mechanism by which the encrypted session is established. When a connection comes in to an explicit address, the TLS negotiation is not started until the client sends the "AUTH TLS" command indicating to the server that this connection needs to be protected. In contrast, when a connection comes in to an implicit address, VShell FTPS will immediately and unconditionally start negotiating a TLS connection.

In order for the TLS negotiation to succeed, VShell FTPS must be configured to use a certificate. A certificate must be specified for each listen address configured. A certificate can be specified or created while editing or adding listen addresses.

  1. Open the Control Panel and go to the FTPS Listen Addresses page.
  2. Either click on the Add... button or select an existing listen address and click on the Edit... button.
  3. On the Add/Edit dialog, click on the Create... button.
  4. Fill in the fields on the Create Certificate dialog. The Common name field is most important as it needs to match the hostname or IP of the machine on which the VShell server is running.
  5. Select the Generate button.
  6. Select OK on the Add/Edit dialog.

Rather than creating a self-signed certificate, VShell FTPS can also be configured to use a pre-existing certificate for TLS negotiation. The certificate must meet the following requirements:

  • The certificate's Enhanced Key Usage field must be set to or include Server Authentication.
  • If the certificate is a self-signed certificate, the Authority Key Identifier must include the Certificate Serial Number specification, which must match the Serial Number field of that same certificate.

The listen addresses can all use the same certificate or a unique certificate can be specified for each address.

VanDyke Software uses cookies to give you the best online experience. Before continuing to use this site, please confirm that you agree to our use of cookies. Please see our Cookie Usage for details.