Differences
ftps 2009-03-04 | ftps 2024-09-18 (current) | ||
Line 1: | Line 1: | ||
- | ====== Understanding FTPS ====== | + | ====== FTPS ====== |
- | FTPS (also known as FTP Secure and FTP-SSL) is an extension to the commonly used File Transfer Protocol (FTP) that adds support for the Transport Layer Security (TLS) and the Secure Sockets Layer (SSL) cryptographic protocols. ((The text is copy of Wikipedia article on [[http://en.wikipedia.org/wiki/FTPS|FTPS]]. The text is licensed under [[http://en.wikipedia.org/wiki/Wikipedia:Text_of_the_GNU_Free_Documentation_License|GNU Free Documentation License]].)) | + | FTPS (also known as FTP Secure and %%FTP%%-%%SSL%%) is an extension to the commonly used File Transfer Protocol (%%FTP%%) that adds support for the [[tls|Transport Layer Security]] (TLS) cryptographic protocol (previously known as the Secure Sockets Layer – SSL).((&wikipedia_ref(FTPS|FTPS))) |
- | ===== Methods of Invoking ===== | + | ===== [[methods]] Methods of Invoking ===== |
- | Two separate methods were developed to invoke client security for use with FTP clients: //Explicit// or //Implicit//. The former method is a legacy compatible implementation where FTPS aware clients can invoke security with an FTPS aware server without breaking overall FTP functionality with non-FTPS aware clients. The later method is incompatible method that requires clients to be FTPS aware. WinSCP supports both methods. | + | Two separate methods were developed to invoke client security for use with %%FTP%% clients: //Explicit// or //Implicit//. The former method is a legacy compatible implementation where %%FTPS%% aware clients can invoke security with an FTPS aware server without breaking overall %%FTP%% functionality with non-%%FTPS%% aware clients. The latter method is an incompatible method that requires clients to be %%FTPS%% aware. WinSCP supports both methods. |
==== Explicit ==== | ==== Explicit ==== | ||
- | In explicit mode, a FTPS client must "explicitly request" security from a FTPS server and then step-up to a mutually agreed encryption method. If a client does not request security, the FTPS server can either allow the client to continue insecure or refuse/limit the connection. | + | In explicit mode, a %%FTPS%% client must "explicitly request" security from a %%FTPS%% server and then step-up to a mutually agreed encryption method. If a client does not request security, the %%FTPS%% server can either allow the client to continue insecure or refuse/limit the connection. |
- | In Explicit Mode, the client has full control over what areas of the connection are to be encrypted. Enabling and disabling of encryption for the FTPS control channel and FTPS data channel can occur at any time. WinSCP though requests encryption for both control and data channel unconditionally during whole session. | + | In Explicit Mode, the client has full control over what areas of the connection are to be encrypted. Enabling and disabling of encryption for the %%FTPS%% control channel and %%FTPS%% data channel can occur at any time. WinSCP though requests encryption for both control and data channel unconditionally during whole session. |
==== Implicit ==== | ==== Implicit ==== | ||
- | Negotiation is not allowed with implicit FTPS configurations. A client is immediately expected to challenge the FTPS server with a connection ecrypted using TLS/SSL. If it does not, the server should drop the connection. | + | Negotiation is not allowed with implicit %%FTPS%% configurations. A client is immediately expected to challenge the %%FTPS%% server with a connection encrypted using TLS/SSL. If it does not, the server should drop the connection. |
- | In order to maintain compatibility with existing non-TLS/SSL aware FTP clients, implicit FTPS was expected to listen on the IANA Well Known Port 990/TCP for the FTPS control channel and 989/TCP for the FTPS data channel. This allowed administrators to retain legacy compatible services on the original 21/TCP FTP control channel. | + | In order to maintain compatibility with existing non-%%TLS%%/%%SSL%% aware %%FTP%% clients, implicit %%FTPS%% was expected to listen on the IANA Well Known Port 990/TCP for the %%FTPS%% control channel and 989/%%TCP%% for the %%FTPS%% data channel. This allowed administrators to retain legacy compatible services on the original 21/%%TCP%% %%FTP%% control channel. |
- | In Implicit Mode, the entire FTPS session (both control and data channels) is unconditionally encrypted. | + | In Implicit Mode, the entire %%FTPS%% session (both control and data channels) is unconditionally encrypted. |
- | ===== SSL Certificates ===== | + | ===== [[certificate]] TLS/SSL Certificates ===== |
- | Much like HTTPS, but unlike [[ssh|SSH]], FTPS servers must provide a public key certificate. This certificate must be signed by a certificate authority. | + | Learn about TLS/SSL [[tls#certificate|server certificates]] and [[tls#client_certificate|client certificates]]. |
- | + | ||
- | If it is not, WinSCP will generate a warning stating that the certificate is not valid. Whether or not to trust such certificate is your choice. If you are connecting within a company network, you might feel that all the network users are on the same side and spoofing attacks are unlikely, so you might choose to trust the certificate without checking it. If you are connecting across a hostile network (such as the Internet), you should check with your system administrator, perhaps by telephone or in person. | + | |
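Review bot: the new wording on the first changed line, "Transport Layer Security (TLS) cryptographic protocol (previously known as the Secure Sockets Layer – SSL)", is inaccurate; TLS is the successor of SSL rather than a renaming of it, and SSL 2.0 and 3.0 are separate, deprecated protocols (RFC 6176, RFC 7568), so "the Transport Layer Security (TLS) protocol, successor of the now-deprecated Secure Sockets Layer (SSL)" would be correct. In the Explicit section the revised text still leaves "explicitly request security" abstract; naming the mechanism (the client sends AUTH TLS on the control connection and then PROT P to protect the data connection, per RFC 4217) would make the retained sentence "WinSCP though requests encryption for both control and data channel unconditionally during whole session" concrete, and that sentence also needs its articles fixed ("for both the control and data channels during the whole session"). In the Implicit section, "challenge the FTPS server with a connection encrypted using TLS/SSL" is kept from the old revision and reads oddly; "open a TLS-encrypted connection to the server from the start" says what is meant. Finally, the old certificate paragraph advising users to verify an untrusted certificate with the administrator out of band when connecting across a hostile network is replaced by a bare link to the tls page; please confirm that the linked certificate section still carries that verification guidance, since that check is the user's only defence against a spoofed server.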