|Ocean FTP Server
Help, configuration and tips.
Tutorial: Using SSL
This page explains how to set up SSL to send and receive files securely via FTP. For more detailed information on what each option of the 'Security' dialog performs please read the Security section.
What is SSL?
The Secure Socket Layer (SSL) is used to encrypt data as it is sent down a connection. This protects data being intercepted for malicious use via what is referred to as a 'man in the middle' attack. With SSL, if any information is intercepted it will be useless without the relevant information needed to decrypt it. Therefore, when using SSL, you have a guarantee that the files you send and receive are always safe and secure.
SSL also deals with authenticating both client and server by using certificates to validate their identity. This is especially important with FTP for preventing a 'masquerade' attack. This is where a 3rd party can actually pretend to be your server in order to gain sensitive material or send harmful viruses to your users. SSL certificates ensure that the server you are connecting to is the server you intended to connect to.
When using SSL with Ocean FTP Server, there are a few things that you need to understand in order to configure your server correctly. First of all, the server must have a default certificate set which the SSL connections will use. This is also used to validate the servers identity to clients. It is also important to realize that FTP uses two connections; one for commands and a separate connection for file transfers. Ocean FTP Server supports two different modes for which SSL can be used, these are 'Explicit SSL' and 'Implicit SSL'.
Explicit SSL operates such that a connection to the server is made on the normal FTP port (default port 21). Communication initially starts in plain text until the client issues an 'AUTH SSL' or 'AUTH TLS' command, which then leads to certificate verification and a secure SSL connection being negotiated. If all goes well, then the server and client will proceed to send all further commands and replies encrypted using SSL.
This allows the server to specify a different port for SSL communication (default port 990). Any connections made to this port require immediate negotiation of certificates and SSL, avoiding any communication in plain text whatsoever.
Data Channel Encryption
The security standard for FTP states that the data channel remains insecure by default. This means that SSL encryption would usually only be enabled on the command channel. Although this would protect from eavesdropping of user names, passwords and file locations, the uploaded and downloaded files would remain vulnerable. By setting the data channel to be encrypted by default, the FTP client does not have to implicitly state encryption of the data channel. However, you must ensure that the FTP client is able to deal with an automatically encrypted data channel.
On the Security tab of the settings dialog for Ocean FTP Server, there is a button that will take you to the certificate management area. This area allows you to create and also import certificates to be used with the server's SSL communication. To use SSL, you must have at least one certificate installed in Ocean FTP Server and you must also select one certificate as the default.
Creating new certificates is the simplest method of acquiring a certificate. Simply click 'Create' and fill in the necessary information. If you are unsure of any field, you can always press F1 on any open dialog to open the manual on the relevant page. All certificates require a private key and Ocean FTP Server will either create a 512 bit key or 1024 bit key depending on your selection. Larger private keys will provide stronger security on your connections and so a 1024 bit key is recommended. Once all fields are completed, simply click 'Create' again and your new certificate will be generated and ready to use.
Certificate Signing Requests (CSR)
When you create a new certificate using Ocean FTP Server, three files releated to that certificate are generated in the 'certs' folder (usually C:\Program Files\Code Ocean\Ocean FTP Server\certs). These include are a private key (.key) file, a certificate signing request (.csr) and a self signed certificate (.crt). Normally, you use the self signed certificate and corresponding private key for SSL communication. However, if you want to have your certificates signed by a trusted certificate authority, such as VeriSign, you will need to send them the certificate signing request (.csr) file. They can then sign this and send you back a new certificate (.crt or .cer) file. To use this new certificate you must import this back into Ocean FTP Server using the original private key (.key) and newly signed certificate (.crt or .cer). For more details on importing certificates, please read the next section.
If you choose to import an existing certificate, you must have access to the certificate file and the relevant private key used to create it. These can be in a range of formats. Usually a private key is contained in a .key file and the certificate in either a .crt or .cer file. However, it is also common to produce a combined pricate key / certificate pair in a single file suffixed .pem. Ocean FTP Server can take any known format of RSA base64 encoded private keys and certificates. It then loads in the pair and checks the integrity to ensure that they match each other. Once the pair have been successfully checked, they are copied to the 'certs' folder in the .key and .crt format for later use. If the files have different names (e.g. cert2.key / bobscert.crt) then the key is renamed to match the certificate (i.e. bobscert.key / bobscert.crt). You can also specify an entirely new name for both to be renamed to.