FTPS is an enhancement to standard FTP that uses standard FTP commands (and protocol) over secure sockets. FTPS adds SSL security in both the protocol and data channels. FTPS is also known as FTP-SSL and FTP-over-SSL. You might also see the term SSL used in conjunction with TLS. SSL has been merged with other protocols and authentication methods into a new protocol known as Transport Layer Security (TLS). EFT Server employs SSL/TLS to perform FTPS to keep your data secure. Refer to EFT Server Specifications for details of the OpenSSL versions used in EFT Server.
Secure Socket Layer (SSL) is a protocol for encrypting and decrypting data across a secure connection from a client to a server with SSL capabilities. EFT Server is responsible for sending the client a certificate and a public key for encryption. If the client trusts EFT Server's certificate, an SSL connection can be established. All data passing from one side to the other will be encrypted. Only the client and EFT Server will be able to decrypt the data.
EFT Server supports SSL for client and server authentication, message integrity, and confidentiality. You can configure EFT Server's security features to verify users' identities, allows users to verify your identity, and to encrypt file transfers. The key to understanding how SSL works is to understand the elements that take part in the process.
Client: The client needs to be an FTP client with SSL capabilities.
Certificate: Certificates are digital identification documents that allow both servers and clients to authenticate each other. A certificate file has a .crt extension. Server certificates contain information about your company and the organization that issued the certificate (such as Verisign or Thawte) while client certificates contain information about the user and the organization that signed the certificate. You can choose to either trust or distrust a certificate. In some cases, the client's certificate must be signed by EFT Server's certificate to open an SSL connection.
Session Key: The client and EFT Server use the session key to encrypt data. It is created by the client via EFT Server’s public key.
Public Key: The client encrypts a session key with EFT Server’s public key. It does not exist as a file, but is produced when a certificate and private key are created.
Private Key: EFT Server's private key decrypts the client's session. The private key has a .key extension and is part of the public-private key pair.
Certificate Signing Request: A Certificate Signing Request (CSR) is a PKCS10 request, which is an unsigned copy of your certificate. A certificate signing request is generated each time a certificate is created. A certificate signing request has a .csr extension. This file is used when you need to have your certificate signed. Once the .csr file is signed, a new certificate is made and replaces the unsigned certificate.
SSL must first be enabled on the Server and Site, and then can be enabled in the Settings Template and/or for each user. EFT Server provides administrators the ability to specify the symmetric key cipher(s) and the ordering of those ciphers for establishing SSL sessions. EFT Server validates inbound SSL sessions, and allows or denies connections based on specified or approved ciphers.
EFT Server supports two levels of authentication with SSL:
High - EFT Server is configured so that it contains a certificate, but does not require a certificate from the FTP client.
Highest - EFT Server is configured so that it provides a certificate and also requests a certificate from the client. EFT Server compares the client certificate to a list contained in its Trusted Certificates database. EFT Server either accepts or rejects the connection based upon a match.