Setup Xlight FTP Server with SSL/TLS protocol
Xlight FTP Server can use SSL/TLS with the standard FTP protocol to encrypt the control and/or data channels. Xlight FTP Server supports two methods of running the FTP protocol over SSL: Explicit SSL and Implicit SSL.
Explicit SSL is a mechanism by which an FTP client that wants to encrypt the control connection must explicitly issue an AUTH command such as "AUTH TLS" or "AUTH SSL" to initiate the SSL handshake and establish a secure control connection with the FTP server. The AUTH command has to be issued before the FTP client logs in; if it is not issued, the control connection with the FTP server stays unencrypted.
Implicit SSL is a mechanism by which the FTP server requires the FTP client to initiate the SSL handshake and establish a secure control connection before any FTP commands are sent to the server. If the FTP client does not support SSL or cannot successfully establish a secure control connection, the FTP server will not respond to any FTP requests from that client.
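The ordering rule above (AUTH before login) is easy to verify from a control-channel transcript. The following is an added example, not code from the Xlight FTP Server documentation: it audits an Explicit SSL session for USER/PASS sent before a successful AUTH reply and for data transfers started without PROT P (the RFC 4217 command that encrypts the data channel). The "C: "/"S: " transcript format and the sample session are constructed for illustration.

```python
# Added example (not Xlight FTP Server code): audit an Explicit SSL control-channel
# transcript for credentials or data sent before encryption was negotiated.
# The "C: "/"S: " transcript format and the sample session are constructed.
import re

AUTH_OK = re.compile(r"^S: 234\b")  # RFC 4217: AUTH TLS/SSL accepted
DATA_CMDS = {"LIST", "NLST", "RETR", "STOR", "APPE", "MLSD"}


def audit_session(lines):
    """Return findings for one Explicit SSL session.

    The control channel counts as encrypted only after a 234 reply to AUTH;
    the data channel only after PROT P (the RFC 4217 default is PROT C, clear).
    """
    findings = []
    control_encrypted = data_encrypted = auth_pending = False
    for raw in lines:
        line = raw.strip()
        if line.startswith("C: "):
            cmd, _, arg = line[3:].partition(" ")
            cmd, arg = cmd.upper(), arg.strip().upper()
            if cmd == "AUTH" and arg in ("TLS", "SSL"):
                auth_pending = True
            elif cmd in ("USER", "PASS") and not control_encrypted:
                findings.append(f"{cmd} sent on unencrypted control channel")
            elif cmd == "PROT":
                data_encrypted = arg == "P"
            elif cmd in DATA_CMDS and not data_encrypted:
                findings.append(f"{cmd} with unencrypted data channel")
        elif line.startswith("S: ") and auth_pending:
            control_encrypted = bool(AUTH_OK.match(line))
            if not control_encrypted:
                findings.append(f"AUTH refused: {line[3:]}")
            auth_pending = False
    return findings


# Constructed session: the client logs in first and only then issues AUTH TLS,
# so USER/PASS crossed the wire in cleartext even though TLS came up later.
SAMPLE_SESSION = [
    "S: 220 FTP service ready", "C: USER alice", "S: 331 Password required",
    "C: PASS s3cret", "S: 230 Logged in", "C: AUTH TLS",
    "S: 234 Proceed with negotiation", "C: PROT P", "S: 200 Protection level set",
    "C: LIST",
]
```

Implicit SSL sessions do not need this check, because the handshake happens before the first command is sent.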
In this example, we demonstrate the procedure for using the SSL/TLS function in Xlight FTP Server. Note: after the 30-day evaluation period, this function is only supported by the Standard and Professional editions of Xlight FTP Server.
Create and select a valid server certificate
To use the SSL/TLS function, the first thing you have to do is create a self-signed certificate or select an existing X.509 certificate as the server certificate. This certificate can be a real certificate signed by a valid CA or a self-signed certificate.
Server certificates used by Xlight FTP Server must be stored inside the "Personal" ("My") certificate store of the "computer account" ("Local Machine") in Windows. This is the same certificate store location used by the Microsoft IIS web server, so if there is a valid IIS certificate in that location, you should be able to use it for your FTP server as well.
1. Go to [Global Options] -> [Advanced] -> [Server SSL Certificate] to create or select a server certificate. In this example, we have already created a self-signed certificate with CN "test-cert" and select it as the server certificate, as shown in the picture below.
2. Go to [Virtual Server Configuration] -> [General] -> [Enable SSL for Virtual Server] to select the SSL mode you want to use. In this example, we select Implicit SSL, as shown in the picture below.
After the above steps, the SSL/TLS function with the server certificate has been set up. You can now encrypt the control and/or data channels between the FTP client and server.
Use SSL client authentication
Xlight FTP Server supports SSL client authentication, which is another way of authenticating a client to the FTP server. After SSL client authentication is enabled, the FTP client must send a valid X.509 client certificate to the FTP server during the SSL handshake. This client certificate contains information about the user and identifies the user to the FTP server.
1. The client certificate must be obtained from a trusted CA; you cannot use a self-signed certificate as a client certificate. The CA that issues certificates to clients must be located in the Trusted Root Certification Authorities store of the "Local Machine" certificate store, as shown in the Microsoft MMC certificate screenshot below; otherwise the FTP client cannot pass SSL client authentication.
2. SSL client authentication is supported under Implicit SSL. Go to [Virtual Server Configuration] -> [General] -> [Enable SSL for Virtual Server] and select "Require Client Certificate", as shown below.
After the above steps, you have set up the SSL client authentication function.
Troubleshooting:
1. For SSL/TLS encryption to work, you must use an FTP client that supports SSL/TLS encryption. The FTP clients built into browsers such as IE and Firefox currently do not support FTP over SSL/TLS, so you cannot use them to connect to an FTP server that requires SSL/TLS encryption.
2. If your FTP server is behind a firewall, you must manually set up port forwarding for the SSL/TLS connection to work. You can click here for detailed information about how to set up port forwarding.