Transport Layer Security
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communication security over the Internet. They use X.509 certificates and hence asymmetric cryptography to authenticate the counterparty with whom they are communicating, and to exchange a symmetric key. This session key is then used to encrypt data flowing between the parties. [1]
- TLS/SSL Server Certificates
- TLS/SSL Client Certificates
- Supported Cryptographic Protocols and Cipher Suites
TLS/SSL Server Certificates
Much like HTTPS servers, and unlike SSH servers, FTPS and WebDAVS servers must provide a public key certificate. This certificate must be signed by a certificate authority.
If it is not, WinSCP will generate a warning stating that the certificate is not valid. Whether or not to trust such a certificate is your choice. If you are connecting within a company network, you might feel that all the network users are on the same side and spoofing attacks are unlikely, so you might choose to trust the certificate without checking it. If you are connecting across a hostile network (such as the Internet), you should check with your system administrator, perhaps by telephone or in person.
Learn also how to accept a certificate automatically in a script.
TLS/SSL Client Certificates
FTPS and WebDAVS servers may optionally require the user to authenticate with a client certificate.
The client certificate typically needs to be signed by a certificate authority trusted by the server.
Supported client certificate file formats are:
- Personal Information Exchange – PKCS #12 (.pfx or .p12);
- Base64 encoded PEM X.509 (.pem or .key), either:
  - containing both the private key and the certificate;
  - containing a private key only, with the certificate in a separate file. The certificate needs to have the same base name as the private key, with a .crt or .cer extension, and be in the Base64 encoded PEM X.509 format or binary DER format.
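To see how the layouts above differ in practice, here is an added Python example (not WinSCP's code) that inspects a client-certificate file, distinguishes PEM from binary DER and PKCS #12 by structure rather than by extension alone, and performs the same-base-name companion lookup for a key-only PEM. The files it writes are constructed stand-ins: the PEM bodies are placeholders (only the block labels are inspected) and the DER blobs are just the leading ASN.1 structure, not real certificates; the file names combined.pem, client.key, binary.key, lonely.key and bundle.pfx are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Extension groups as listed on the page (hypothetical helper, not WinSCP's own code).
PKCS12_EXTS = {".pfx", ".p12"}
PEM_EXTS = {".pem", ".key"}
CERT_EXTS = {".crt", ".cer"}

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")


def pem_block_labels(data: bytes) -> list:
    """Labels of every PEM block in the data, e.g. ['PRIVATE KEY', 'CERTIFICATE']."""
    return [m.decode("ascii") for m in PEM_BLOCK.findall(data)]


def _der_tlv(data: bytes, offset: int):
    """Minimal DER tag/length reader: (tag, length, body_offset) or None if malformed."""
    if offset + 2 > len(data):
        return None
    tag, first = data[offset], data[offset + 1]
    if first < 0x80:
        return tag, first, offset + 2
    n = first & 0x7F
    if n == 0 or offset + 2 + n > len(data):
        return None
    return tag, int.from_bytes(data[offset + 2:offset + 2 + n], "big"), offset + 2 + n


def der_kind(data: bytes) -> str:
    """Tell a DER X.509 certificate from a PKCS #12 (PFX) container by the first element
    inside the outer SEQUENCE: a Certificate starts with tbsCertificate (a SEQUENCE),
    a PFX starts with version INTEGER 3 (RFC 7292)."""
    outer = _der_tlv(data, 0)
    if outer is None or outer[0] != 0x30:
        return "not-der"
    inner = _der_tlv(data, outer[2])
    if inner is None:
        return "not-der"
    tag, length, body = inner
    if tag == 0x30:
        return "der-certificate"
    if tag == 0x02 and length == 1 and body < len(data) and data[body] == 3:
        return "pkcs12"
    return "der-unknown"


def classify_credential(path: Path) -> dict:
    """Report what a client-certificate file holds and, for a key-only PEM, whether a
    companion .crt/.cer with the same base name exists and looks like a certificate."""
    data = path.read_bytes()
    ext = path.suffix.lower()
    labels = pem_block_labels(data)
    info = {"format": None, "has_key": False, "has_cert": False, "companion": None}
    if labels:
        info["format"] = "pem"
        info["has_key"] = any(lbl.endswith("PRIVATE KEY") for lbl in labels)
        info["has_cert"] = "CERTIFICATE" in labels
    else:
        info["format"] = der_kind(data)
        if info["format"] == "pkcs12":
            info["has_key"] = info["has_cert"] = True  # a PFX bundles key and chain
    if info["format"] == "pem" and info["has_key"] and not info["has_cert"]:
        for cext in sorted(CERT_EXTS):  # same base name, .cer or .crt, PEM or DER
            cand = path.with_suffix(cext)
            if not cand.exists():
                continue
            cdata = cand.read_bytes()
            if "CERTIFICATE" in pem_block_labels(cdata) or der_kind(cdata) == "der-certificate":
                info["companion"], info["has_cert"] = cand.name, True
                break
    ext_ok = (ext in PKCS12_EXTS and info["format"] == "pkcs12") or \
             (ext in PEM_EXTS and info["format"] == "pem")
    info["usable"] = ext_ok and info["has_key"] and info["has_cert"]
    return info


# Constructed samples: PEM bodies are placeholders and the DER blobs are only the
# leading structure, not real key, certificate or PFX material.
SAMPLE_KEY = b"-----BEGIN PRIVATE KEY-----\nMIIB...placeholder...\n-----END PRIVATE KEY-----\n"
SAMPLE_CERT = b"-----BEGIN CERTIFICATE-----\nMIIC...placeholder...\n-----END CERTIFICATE-----\n"
SAMPLE_PFX_HEAD = bytes.fromhex("3005020103" "3000")      # SEQUENCE { INTEGER 3, SEQUENCE {} }
SAMPLE_DER_CERT_HEAD = bytes.fromhex("30043002" "0500")   # SEQUENCE { SEQUENCE { NULL } }


def demo() -> dict:
    """Lay out the page's layouts plus a key without its certificate in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "combined.pem").write_bytes(SAMPLE_KEY + SAMPLE_CERT)  # key + cert in one PEM
        (d / "client.key").write_bytes(SAMPLE_KEY)                  # key with PEM companion
        (d / "client.crt").write_bytes(SAMPLE_CERT)
        (d / "binary.key").write_bytes(SAMPLE_KEY)                  # key with DER companion
        (d / "binary.cer").write_bytes(SAMPLE_DER_CERT_HEAD)
        (d / "lonely.key").write_bytes(SAMPLE_KEY)                  # key, certificate missing
        (d / "bundle.pfx").write_bytes(SAMPLE_PFX_HEAD)             # PKCS #12 container
        return {p.name: classify_credential(p) for p in sorted(d.iterdir())
                if p.suffix.lower() in PKCS12_EXTS | PEM_EXTS}


if __name__ == "__main__":
    for name, info in demo().items():
        print(f"{name:14} {info}")
```

The structural check matters because a .pfx and a DER .cer both start with a SEQUENCE byte, so extension or first byte alone cannot tell them apart; the `lonely.key` case shows the failure mode a user hits when the companion certificate is missing or named differently from the key.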
Supported Cryptographic Protocols and Cipher Suites
WinSCP supports TLS 1.0–1.3. TLS 1.0 and 1.1 are disabled by default in the latest beta version, to protect you from their known serious vulnerabilities. Obsolete SSL of any version is not supported.
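The same protocol policy, expressed for a scripted FTPS client, as an added Python example (not WinSCP's code): the context refuses TLS 1.0 and 1.1, keeps chain and hostname verification on, and `policy_report` shows what a given context would actually negotiate. The `connect_ftps` helper and its `host`/`port` parameters are illustrative and need a live server.

```python
import ssl
from ftplib import FTP_TLS

# Added example: a client-side context with the page's defaults (TLS 1.2+ only, certificate
# verification required). Not WinSCP's code; version names are the ssl module's.
VERSION_NAMES = {
    ssl.TLSVersion.TLSv1: "TLS 1.0",
    ssl.TLSVersion.TLSv1_1: "TLS 1.1",
    ssl.TLSVersion.TLSv1_2: "TLS 1.2",
    ssl.TLSVersion.TLSv1_3: "TLS 1.3",
}
LEGACY = {"TLS 1.0", "TLS 1.1"}


def modern_client_context(cafile=None) -> ssl.SSLContext:
    """Client context that refuses TLS 1.0/1.1 and verifies the chain and the hostname."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    return ctx


def enabled_versions(ctx: ssl.SSLContext) -> list:
    """Protocol versions the context's min/max settings allow it to negotiate.
    MINIMUM_SUPPORTED/MAXIMUM_SUPPORTED defer to the OpenSSL build; they are reported
    here as the full TLS 1.0 .. 1.3 range the enum exposes."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = ssl.TLSVersion.TLSv1
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = ssl.TLSVersion.TLSv1_3
    return [name for ver, name in VERSION_NAMES.items() if lo <= ver <= hi]


def policy_report(ctx: ssl.SSLContext) -> dict:
    """Summarise the security-relevant settings of a context as plain strings."""
    versions = enabled_versions(ctx)
    return {
        "versions": versions,
        "legacy_versions_enabled": [v for v in versions if v in LEGACY],
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


def connect_ftps(host: str, port: int = 21) -> FTP_TLS:
    """Explicit FTPS session using the hardened context (illustrative; needs a server)."""
    ftps = FTP_TLS(context=modern_client_context())
    ftps.connect(host, port)
    ftps.auth()    # AUTH TLS on the control channel; hostname is checked against the cert
    ftps.prot_p()  # protect the data channel as well, not only the control channel
    return ftps


if __name__ == "__main__":
    print(policy_report(modern_client_context()))
```

A context built this way fails the handshake against a server that offers only TLS 1.0/1.1, which is the intended outcome; relaxing `minimum_version` is the equivalent of re-enabling those protocols in the client.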
See the list of supported cipher suites.
1. The text is partially copied from the Wikipedia article on Transport Layer Security. The text is licensed under the GNU Free Documentation License.