<!DOCTYPE html>
<html lang="en">
<head>
<title>FtpServer TLS-SSL Support &mdash; Apache MINA</title>
<link href="/assets/css/common.css" rel="stylesheet" type="text/css"/>
<link href="/assets/css/ftpserver.css" rel="stylesheet" type="text/css"/>
</head>
<body>
<div id="container">
<div id="content">
<div id="rightColumn">
<h1 id="tls-ssl-support">TLS-SSL Support</h1>
<p>This document explains how to enable Apache FTP Server to use Transport Layer Security (TLS) for encrypted client-server communication.</p>
<p>FtpServer uses the Java Secure Socket Extension (JSSE) infrastructure to provide TLS/SSL sockets. JSSE comes packaged with several vendor Java distributions (e.g. Sun Java 1.4.x, IBM Java 1.3.x). For these distributions, follow the vendor-provided instructions for configuring the JVM to use JSSE services.</p>
<h2 id="security-mode">Security mode</h2>
<h3 id="explicit-security-default">Explicit Security (default)</h3>
<p>In this mode the server supports both secure and non-secure connections. Upon request from the client (AUTH SSL), the server switches to SSL/TLS mode.</p>
<p>In this case, the listener should not use implicit SSL (the default value):</p>
<div class="highlight"><pre style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-xml" data-lang="xml"><span style="color:#008000;font-weight:bold">&lt;nio-listener</span> <span style="color:#b44">name=</span><span style="color:#b44">&#34;default&#34;</span> <span style="color:#b44">implicit-ssl=</span><span style="color:#b44">&#34;false&#34;</span><span style="color:#008000;font-weight:bold">&gt;</span>
</code></pre></div><h3 id="implicit-security">Implicit Security</h3>
<p>If you want to use an implicit SSL connection, that is, one where SSL is always enabled on the control socket, the first thing you need to do is tell the listener to use implicit SSL mode:</p>
<div class="highlight"><pre style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-xml" data-lang="xml"><span style="color:#008000;font-weight:bold">&lt;nio-listener</span> <span style="color:#b44">name=</span><span style="color:#b44">&#34;default&#34;</span> <span style="color:#b44">implicit-ssl=</span><span style="color:#b44">&#34;true&#34;</span><span style="color:#008000;font-weight:bold">&gt;</span>
</code></pre></div><p>If you set the listener to use implicit security, you should also consider enabling implicit security for the data connection.</p>
<h3 id="data-connection-security">Data connection security</h3>
<p>An implicit secure listener does not ensure encrypted data transfer. To use SSL/TLS on the data connection, either the client has to send the &ldquo;PROT P&rdquo; command or implicit security must be enabled for the data connection:</p>
<div class="highlight"><pre style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-xml" data-lang="xml"><span style="color:#008000;font-weight:bold">&lt;data-connection</span> <span style="color:#b44">implicit-ssl=</span><span style="color:#b44">&#34;true&#34;</span><span style="color:#008000;font-weight:bold">&gt;</span>
</code></pre></div><p>If no explicit configuration for SSL keystores and truststores is provided for the data connection, it will be inherited from the listener. This is the normal configuration.</p>
<p>FTP clients behave differently with regard to implicit security on the data connection: some assume an SSL-enabled socket, while others always send a &ldquo;PROT P&rdquo; command. The following table shows the characteristics of some clients; please report others.</p>
<table>
<thead>
<tr>
<th>FTP client</th>
<th>Behavior</th>
</tr>
</thead>
<tbody>
<tr>
<td>FileZilla</td>
<td>Sends &ldquo;PROT P&rdquo; command automatically in implicit security mode</td>
</tr>
<tr>
<td>DartFTP/PowerTCP</td>
<td>Assumes an SSL enabled data connection, does not send &ldquo;PROT P&rdquo;</td>
</tr>
</tbody>
</table>
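<p>Added example (not part of the FtpServer documentation or code base): a Python audit of a listener configuration for the gap described above, where an implicit-SSL listener still leaves the data connection unencrypted unless the client sends PROT P. The sample configuration and its listener names are constructed, the <code>server</code> and <code>listeners</code> wrapper elements are assumed from FtpServer's XML configuration format, and a missing <code>implicit-ssl</code> attribute is assumed to mean false.</p>

```python
import xml.etree.ElementTree as ET

# Constructed sample configuration (not taken from the FtpServer distribution).
SAMPLE_CONFIG = """\
<server xmlns="http://mina.apache.org/ftpserver/spring/v1">
  <listeners>
    <nio-listener name="default" implicit-ssl="false"></nio-listener>
    <nio-listener name="ftps-control-only" implicit-ssl="true">
      <data-connection></data-connection>
    </nio-listener>
    <nio-listener name="ftps-full" implicit-ssl="true">
      <data-connection implicit-ssl="true"></data-connection>
    </nio-listener>
  </listeners>
</server>
"""

def local(tag):
    """Strip an XML namespace such as '{uri}nio-listener' down to the tag name."""
    return tag.rsplit("}", 1)[-1]

def is_true(elem, attr):
    # Assumption: an absent element or attribute means "false".
    return elem is not None and elem.get(attr, "false").strip().lower() == "true"

def audit(config_xml):
    """Return {listener name: finding} for every nio-listener in the config."""
    findings = {}
    for elem in ET.fromstring(config_xml).iter():
        if local(elem.tag) != "nio-listener":
            continue
        data = next((c for c in elem if local(c.tag) == "data-connection"), None)
        control_tls = is_true(elem, "implicit-ssl")
        data_tls = is_true(data, "implicit-ssl")
        if control_tls and data_tls:
            finding = "control and data connections always use TLS"
        elif control_tls:
            finding = "data connection unencrypted unless client sends PROT P"
        elif data_tls:
            finding = "mismatch: implicit TLS data connection on explicit listener"
        else:
            finding = "explicit mode: TLS only when the client requests it"
        findings[elem.get("name", "?")] = finding
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CONFIG).items():
        print(f"{name}: {finding}")
```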
<h3 id="detailed-configuration">Detailed configuration</h3>
<p>Full documentation on all provided configuration is available on the <a href="configuration_listeners.html">Listeners</a> page.</p>
</div>
<div id="endContent"></div>
</div>
<div id="footer">
&copy; 2003-2024, <a href="https://www.apache.org">The Apache Software Foundation</a> - <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a><br />
Apache MINA, MINA, Apache Vysper, Vysper, Apache SSHd, SSHd, Apache FtpServer, FtpServer, Apache AsyncWeb, AsyncWeb,
Apache, the Apache feather logo, and the Apache Mina project logos are trademarks of The Apache Software Foundation.
</div>
</div>
</body>
</html>