Differences
tls 2014-09-11 | tls 2024-02-15 (current) | ||
Line 1: | Line 1: | ||
====== Transport Layer Security ====== | ====== Transport Layer Security ====== | ||
- | Transport Layer Security (%%TLS%%) and its predecessor, Secure Sockets Layer (%%SSL%%), are cryptographic protocols designed to provide communication security over the Internet. They use X.509 certificates and hence asymmetric cryptography to authenticate the counterparty with whom they are communicating, and to exchange a symmetric key. This session key is then used to encrypt data flowing between the parties. ((The text is copy of Wikipedia article on [[wp>Transport_Layer_Security|Transport Layer Security]]. The text is licensed under [[wp>Wikipedia:Text_of_the_GNU_Free_Documentation_License|GNU Free Documentation License]].)) | + | Transport Layer Security (%%TLS%%) and its predecessor, Secure Sockets Layer (%%SSL%%), are cryptographic protocols designed to provide communication security over the Internet. They use X.509 certificates and hence asymmetric cryptography to authenticate the counterparty with whom they are communicating, and to exchange a symmetric key. This session key is then used to encrypt data flowing between the parties. ((&wikipedia_ref(Transport_Layer_Security|Transport Layer Security))) |
- | ===== [[certificate]] TLS/SSL Certificates ===== | + | ===== [[certificate]] TLS/SSL Server Certificates ===== |
Much like HTTPS, but unlike [[ssh|SSH]], [[ftps|FTPS]] and [[webdav|WebDAVS]] servers must provide a public key certificate. This certificate must be signed by a certificate authority. | Much like HTTPS, but unlike [[ssh|SSH]], [[ftps|FTPS]] and [[webdav|WebDAVS]] servers must provide a public key certificate. This certificate must be signed by a certificate authority. | ||
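Review bot: the footnote on the opening paragraph loses the explicit GNU Free Documentation License statement when it is switched to the `&wikipedia_ref(Transport_Layer_Security|Transport Layer Security)` macro; because the paragraph is a verbatim copy of the Wikipedia article, confirm that the macro renders the licence attribution, otherwise keep the licence sentence in the footnote. Retitling the heading to "TLS/SSL Server Certificates" while leaving the `[[certificate]]` anchor untouched is the right call, since existing links to the section keep resolving.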
Line 8: | Line 8: | ||
Learn also how to [[scripting#hostkey|accept certificate automatically in script]]. | Learn also how to [[scripting#hostkey|accept certificate automatically in script]]. | ||
+ | |||
+ | ===== [[client_certificate]] TLS/SSL Client Certificates ===== | ||
+ | The [[ftps|FTPS]] and [[webdav|WebDAVS]] servers may optionally require user to authenticate with [[ui_login_tls#authentication|a client certificate]]. | ||
+ | |||
+ | The client certificate typically needs to be signed by a certificate authority trusted by the server. | ||
+ | |||
+ | Supported client certificate file formats are: | ||
+ | |||
+ | * Personal Information Exchange -- PCKS #12 (''.pfx'' or ''.p12''); | ||
+ | * Base64 encoded PEM X.509 (''.pem'' or ''.key''), either: | ||
+ | * containing both private key and the certificate; | ||
+ | * containing a private key only, with certificate in a separate file. The certificate needs to have the same base name as the private key, with ''.crt'' or ''.cer'' extensions and be in the Base64 encoded PEM X.509 format or binary DER format. | ||
===== Supported Cryptographic Protocols and Cipher Suites ===== | ===== Supported Cryptographic Protocols and Cipher Suites ===== | ||
- | WinSCP supports %%TLS%% and %%SSL%% 3.0 ((%%SSL%% 2.0 has been deprecated.)). | + | WinSCP supports %%TLS%% 1.0--1.3. The %%TLS%% 1.0 and 1.1 are disabled by default, to protect you from their known serious vulnerabilities. Obsolete %%SSL%% of any version is not supported. |
See list of [[tls_ciphersuites|supported cipher suites]]. | See list of [[tls_ciphersuites|supported cipher suites]]. |
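Review bot: "PCKS #12" in the new client-certificate format list is a typo for "PKCS #12". Two grammar fixes in the added text: "may optionally require user to authenticate" should read "may optionally require the user to authenticate", and "The %%TLS%% 1.0 and 1.1 are disabled by default" should drop the article ("%%TLS%% 1.0 and 1.1 are disabled by default"). The rewritten protocol paragraph states that TLS 1.0 and 1.1 are disabled by default but does not say where that setting can be changed; a link to the relevant option page would help readers who need to reach a legacy server weigh the risk. In the PEM bullet, the separate-certificate case says the certificate must share the key file's base name with a ''.crt'' or ''.cer'' extension; stating explicitly that the two files must be in the same directory would remove the remaining ambiguity.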