...
In this case, the listener should not use implicit SSL (the default value):
No Format |
---|
config.listeners.default.<nio-listener name="default" implicit-ssl="false"> |
Implicit Security
If you want to use implicit SSL connection, that is, SSL is always enabled on the control socket. The first thing you need to do is to tell the listener to use implicit SSL mode:
No Format |
---|
config.listeners.default.<nio-listener name="default" implicit-ssl="true"> |
If you set the listener to use implicit security, enabling implicit security for the data connection should be considered.
Data connection security
Implicit secure socket listener does not ensure encrypted data transfer. To use SSL/TLS in data connection, client either has to send "PROT P" command . You also need to set the SSL configuration parameters as described below. Encrypted data transfer is supported for FTP passive (PASV) mode only.
Using the default SSL implementation
This describes how to use the default SSL implementation as shipped with FtpServer. Note that if needed, a custom implementation can be written by implementing the org.apache.ftpserver.ssl.Ssl
interface.
Control socket security
config.listeners.<listener name>.ssl.class | Must be set to |
Key store configuration |
|
---|---|
config.listeners.<listener name>.ssl.keystore-file | Key store file location. The default path is |
config.listeners.<listener name>.ssl.keystore-password | Key store password. Required, no default value provided. |
config.listeners.<listener name>.ssl.keystore-type | Key store type. The default value is |
config.listeners.<listener name>.ssl.keystore-algorithm | Key store algorithm. The default value is |
config.listeners.<listener name>.ssl.key-password | Key password. Required, no default value provided. |
Trust store configuration |
|
config.listeners.<listener name>.ssl.truststore-file | Trust store file location. The default path is to use the key store, setting this value allows using a separate key store |
config.listeners.<listener name>.ssl.truststore-password | Trust store password. No default value provided. Only used if truststore-file is set. |
config.listeners.<listener name>.ssl.truststore-type | Trust store type. The default value is |
config.listeners.<listener name>.ssl.truststore-algorithm | Trust store algorithm. The default value is |
TLS/SSL protocol configuration |
|
config.listeners.<listener name>.ssl.enabled-cipher-suites | A comma seperated list of cipher suites to enable for this connection. The exact cipher suites that can be used depends on the Java version used, here are the names for Sun's JSSE provider. |
config.listeners.<listener name>.ssl.ssl-protocol | SSL protocol. Supported values are |
config.listeners.<listener name>.ssl.client-authentication | Client authentication. The default value is |
Data socket security
Data socket configuration supports the same options at the control socket, as described above. However, they are placed in the data-connection parent, for example:
...
or implicit security must be enabled for the data connection.
No Format |
---|
<data-connection implicit-ssl="true">
|
If no explicit configuration for SSL keystores and truststores is provided for the data connection, it will be inherited from the listener. This is the normal configuration.
Different FTP clients behave different with regards to implicit security on the data connection, some assume an SSL enabled socket, while some will always send a "PROT P" command. The following table shows the characteristics of some clients, please report others.
FTP client | Behavior |
---|---|
FileZilla | Sends "PROT P" command automatically in implicit security mode |
DartFTP/PowerTCP | Assumes an SSL enabled data connection, does not send "PROT P" |
Detailed configuration
Full documentation on all provided configuration is available on the Listeners page