Differences
This shows you the differences between the selected revisions of the page.
| ui_login_tls 2014-09-26 | ui_login_tls 2025-06-16 (current) | ||
| Line 1: | Line 1: | ||
| - | ====== TLS/SSL Page (Advanced Site Settings Dialog) ====== | + | ====== The TLS/SSL Page (Advanced Site Settings Dialog) ====== |
| - | The //TLS/SSL page// on the [[ui_login_advanced|Advanced Site Settings dialog]] allows you to configure options of TLS/SSL protocols for [[ftps|FTPS]] and [[webdav|WebDAVS]]. | + | The //%%TLS/SSL%% page// on the [[ui_login_advanced|Advanced Site Settings dialog]] allows you to configure options of [[tls|TLS protocol]] for [[ftps|FTPS]], [[webdav|WebDAVS]] and [[s3|S3]]. |
| &screenshotpict(login_tls) | &screenshotpict(login_tls) | ||
| - | To reveal this page you need to select FTP or WebDAV file protocol and enable //Encryption// on [[ui_login|Login dialog]]. | + | To reveal this page you need to select FTP, WebDAV or S3 file protocol and enable //Encryption// on [[ui_login|Login dialog]]. |
| - | ===== TLS/SSL Options ===== | + | &toc_title_page_sections |
| - | Using //Minimum// and //Maximum TLS/SSL version// selections, you can restrict what versions of TLS/SSL is WinSCP allowed to use. | + | ===== TLS Options ===== |
| - | You may want to restrict minimum TLS/SSL version, particularly in order to prevent WinSCP from using old versions of TLS/SSL protocols that suffer form known vulnerabilities (SSL 2.0 in particular, but also SSL 3.0 and TLS 1.0). | + | Using //Minimum// and //Maximum %%TLS%% version// selections, you can configure what versions of TLS is WinSCP allowed to use. |
| - | You may want to restrict maximum TLS/SSL version, when there is an interoperability problem with your FTPS/WebDAVS server. Particularly TLS 1.1 and TLS 1.2 are new and some servers do not implement them correctly. | + | The %%TLS%% 1.0 and 1.1 are disabled by default, to protect you from their known serious vulnerabilities. Enable them only, if the server does not support newer versions.((Enabling %%TLS%% 1.0 a 1.1 has an additional side effect of lowering OpenSSL security level. That allows use of insecure keys even with higher protocol versions.)) You may want to restrict minimum %%TLS%% version further, in order to prevent WinSCP from using versions of %%TLS%% protocol that may become weak or insecure in the future. The insecure SSL protocol of any version is not supported. |
| + | |||
| + | You may want to restrict maximum %%TLS%% version, when there is an interoperability problem with your server. Particularly %%TLS%% 1.3 is new and some servers do not implement it correctly. | ||
| + | |||
| + | Uncheck //Reuse %%TLS%% session ID for data connections//, when there is an interoperability problem with your FTPS server when reusing the %%TLS%% session ID. The option is available for FTP protocol only. | ||
| + | |||
| + | ===== [[authentication]] Authentication parameters ===== | ||
| + | |||
| + | If the server requires an authentication with [[tls#client_certificate|a client certificate]], specify a path to one in the //Client certificate file// box. | ||
| - | Uncheck //Reuse TLS/SSL session ID for data connections//, when there is an interoperability problem with your FTPS server when reusing the TLS/SSL session ID. The option is available for FTP protocol only. | ||
| ===== Further Reading ===== | ===== Further Reading ===== | ||
| Read more about [[ui_login|Login dialog]] and [[ui_login_advanced|Advanced Site Settings dialog]]. | Read more about [[ui_login|Login dialog]] and [[ui_login_advanced|Advanced Site Settings dialog]]. | ||