Set up Xlight FTP Server with SSL/TLS protocol
Xlight FTP Server can use SSL/TLS with the standard FTP protocol to encrypt the control and/or data channels. Xlight FTP Server supports two methods of FTP protocol over SSL: Explicit SSL and Implicit SSL.
Explicit SSL is a mechanism by which an FTP client that wants to encrypt the control connection must explicitly issue an AUTH command, such as "AUTH TLS" or "AUTH SSL", to initiate the SSL handshake and establish a secure control connection with the FTP server. The AUTH command has to be issued before the FTP client logs in. If it is not issued, the control connection with the FTP server stays unencrypted.
Implicit SSL is a mechanism by which the FTP server requires the FTP client to initiate an SSL handshake and establish a secure control connection before any FTP commands are sent to the server. If the FTP client does not support SSL or cannot successfully establish a secure control connection, the FTP server will not respond to any FTP requests from that client.
In this example, we will demonstrate the procedure of using the SSL/TLS function in the Xlight FTP Server. Note: after the 30-day evaluation period, this function is only supported by the Standard and Professional editions of the Xlight FTP Server.
Create and select a valid server certificate
To use the SSL/TLS function, you first have to create a self-signed certificate or select an existing X.509 certificate as the server certificate. The certificate can be a real certificate signed by a valid CA or a self-signed certificate.
Server certificates used by Xlight FTP Server must be stored in the "Personal" ("My") certificate store of the "computer account" ("Local Machine") in Windows. This is the same certificate store location used by the Microsoft IIS web server, so if there is a valid IIS certificate in that location, you should be able to use it for your FTP server as well.
1. Go to [Global Options] -> [Advanced] -> [Server SSL Certificate] to create or select a server certificate. In this example, we have already created a self-signed certificate with CN "test-cert" and selected it as the server certificate, as shown in the picture below.
2. Go to [Virtual Server Configuration] -> [General] -> [Enable SSL for Virtual Server] to select the SSL mode you want to use. In this example, we select the Implicit SSL as shown in the picture below.
After the above steps, the SSL/TLS function with the server certificate has been set up. You can now encrypt the control and/or data channels between the FTP client and server.
Use SSL client authentication
Xlight FTP Server supports SSL client authentication. SSL client authentication is another way of authenticating a client to an FTP server. After enabling SSL client authentication, during the SSL handshake process, the FTP client must send a valid X.509 client certificate to the FTP server. This client certificate will contain information about this user and identifies this user to the FTP server.
1. The client certificate must be obtained from a trusted CA; a self-signed certificate cannot be used as a client certificate. The CA that issues certificates to the client must be present in the Trusted Root Certification Authorities store of the "Local Machine" certificate store, as shown in the Microsoft MMC certificates snap-in snapshot below. Otherwise, the FTP client cannot pass SSL client authentication.
2. SSL client authentication is supported under Implicit SSL. Go to [Virtual Server Configuration] -> [General] -> [Enable SSL for Virtual Server], and select "Require Client Certificate" as shown below.
After the above steps, you have set up the SSL client authentication function.
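The two connection modes described above and the client certificate option, as an added example that is not part of the original page or of the Xlight product: a Python 3 client using only the standard-library ftplib and ssl modules, which connects in either Explicit or Implicit mode, verifies the server certificate, optionally presents a client certificate, and then encrypts the data channel as well. The host, account and certificate file paths are assumptions you supply.

```python
import ftplib
import ssl

# Default control-connection ports for the two modes described above.
DEFAULT_PORTS = {"explicit": 21, "implicit": 990}

def make_client_context(ca_file=None, client_cert=None, client_key=None):
    """TLS context that verifies the server certificate and optionally
    carries a client certificate for SSL client authentication."""
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2       # refuse SSLv3 / TLS 1.0 / TLS 1.1
    if client_cert:  # only needed when "Require Client Certificate" is enabled
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx

class ImplicitFTP_TLS(ftplib.FTP_TLS):
    """Implicit mode: wrap the control socket in TLS as soon as it is created,
    i.e. before the server banner or any FTP command is exchanged."""
    _sock = None

    @property
    def sock(self):
        return self._sock

    @sock.setter
    def sock(self, value):
        if value is not None and not isinstance(value, ssl.SSLSocket):
            value = self.context.wrap_socket(value, server_hostname=self.host)
        self._sock = value

def connect_ftps(host, mode, user, password, ctx, port=None):
    """Open the control connection in the given mode, log in, and move the
    data channel to TLS as well (PBSZ 0 / PROT P). Returns the client."""
    port = port or DEFAULT_PORTS[mode]
    if mode == "implicit":
        ftps = ImplicitFTP_TLS(context=ctx)
        ftps.connect(host, port)   # TLS handshake happens inside connect()
    else:
        ftps = ftplib.FTP_TLS(context=ctx)
        ftps.connect(host, port)   # plaintext banner first ...
        ftps.auth()                # ... then "AUTH TLS", before login
    ftps.login(user, password)
    ftps.prot_p()                  # encrypt the data channel too
    return ftps

if __name__ == "__main__":
    # Assumed values: replace with your own server, account and CA file.
    client = connect_ftps("ftp.example.test", "implicit", "user", "secret",
                          make_client_context(ca_file="server-ca.pem"))
    print(client.nlst())
    client.quit()
```

Because the context verifies the server certificate, a self-signed server certificate such as "test-cert" must be supplied as ca_file (or otherwise be trusted by the client), or the handshake is rejected.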
Troubleshooting:
1. For SSL/TLS encryption to work, you must use an FTP client that supports SSL/TLS encryption. The FTP clients built into browsers such as IE and Firefox currently do not support FTP over SSL/TLS, so you cannot use them to connect to an FTP server that requires SSL/TLS encryption.
2. If your FTP server is behind a firewall, you must manually set up port forwarding for the SSL/TLS connection to work. Detailed information about how to set up port forwarding is available on the separate port forwarding help page.