Transport Layer Security (TLS)
Description
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide secure communications on the Internet for web browsing, e-mail, Internet faxing, and other data transfers. There are only slight differences between SSL 3.0 and TLS 1.0, and the protocol remains substantially the same; note, however, that SSL 2.0 and 3.0 and TLS 1.0 and 1.1 have since been deprecated (RFC 6176, RFC 7568 and RFC 8996), so a server deployed today should accept TLS 1.2 or later only. The term "TLS" as used here applies to both protocols unless clarified by context.
The TLS protocol(s) allow applications to communicate across a network in a way designed to prevent eavesdropping, tampering, and message forgery. TLS provides endpoint authentication and communications privacy over the Internet using cryptography. Typically, only the server is authenticated (i.e., its identity is ensured) while the client remains unauthenticated; this means that the end user (be that a person, or an application such as a web browser) can be sure of whom they are "talking" to, but the server cannot. The next level of security, both ends of the "conversation" being sure of who they are "talking" to, is known as mutual authentication. Mutual authentication requires issuing certificates to clients, i.e. a public key infrastructure (PKI) deployment on the client side.
TLS involves three basic phases:
- Peer negotiation for algorithm support
- Public key encryption-based key exchange and certificate-based authentication
- Symmetric cipher-based traffic encryption
Implicit vs Explicit
Please see this page for more information on the differences between implicit and explicit TLS. In short: with implicit TLS the handshake takes place as soon as the connection is opened (conventionally on port 990), before any FTP command is exchanged; with explicit TLS the client connects in the clear (normally port 21) and upgrades the control connection with the AUTH TLS command (RFC 4217), then sets the data-channel protection level with PBSZ 0 followed by PROT P. wzdftpd supports implicit TLS as well as two modes of explicit TLS. Both implicit TLS and "forced" explicit TLS make TLS compulsory for all users connecting to the server. Even in the unforced explicit TLS mode, individual users can be required to use TLS on a per-user basis by means of the TLS and TLS_DATA flags.
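The following is an added example, not wzdftpd's own code: a small model of the server side of the explicit-TLS command exchange under the three policies described above (implicit, forced explicit, unforced explicit with per-user flags), replaying a client script and returning the server's replies. The reply texts, the use of RFC 2228's "534 Request denied for policy reasons" for policy refusals, the constructed user table and the exact meaning assigned to the TLS and TLS_DATA flags are assumptions of this model, not behaviour documented for wzdftpd.

```python
"""Model of the TLS policy described above: implicit TLS, "forced" explicit TLS,
and unforced explicit TLS with per-user TLS / TLS_DATA flags.

Added example, not wzdftpd's code.  Reply texts, the use of RFC 2228's 534 code
for policy refusals and the meaning of the two user flags are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed user database for the example.  Assumed semantics: TLS = the
# control channel must be protected before this user may log in; TLS_DATA = the
# user's data transfers must run under PROT P.
USERS = {
    "alice": {"TLS", "TLS_DATA"},
    "bob": set(),
}


@dataclass
class Session:
    mode: str                    # "implicit", "forced" (explicit) or "explicit"
    tls_control: bool = False    # control channel protected
    pbsz_done: bool = False      # PBSZ must precede PROT (RFC 4217)
    prot: str = "C"              # data-channel protection: C (clear) or P (private)
    user: Optional[str] = None
    logged_in: bool = False

    def __post_init__(self) -> None:
        if self.mode == "implicit":
            # Implicit TLS: the handshake happens before the first command, so
            # every command in this session already arrives over TLS.
            self.tls_control = True

    def flags(self) -> Set[str]:
        return USERS.get(self.user or "", set())

    def handle(self, line: str) -> str:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "AUTH":
            if self.mode == "implicit":
                return "503 Session is already protected by TLS"
            if arg.upper() != "TLS":
                return "504 Unknown security mechanism"
            self.tls_control = True      # a real server runs the TLS handshake here
            return "234 AUTH TLS OK"
        if verb == "PBSZ":
            if not self.tls_control:
                return "503 Issue AUTH TLS first"
            self.pbsz_done = True        # PBSZ 0 is the only meaningful value for TLS
            return "200 PBSZ=0"
        if verb == "PROT":
            if not self.pbsz_done:
                return "503 Issue PBSZ first"
            if arg.upper() not in ("C", "P"):
                return "504 Unsupported protection level"
            self.prot = arg.upper()
            return f"200 Protection level set to {self.prot}"
        if verb == "USER":
            if self.mode == "forced" and not self.tls_control:
                return "534 Request denied for policy reasons: AUTH TLS required"
            if "TLS" in USERS.get(arg, set()) and not self.tls_control:
                return "534 Request denied for policy reasons: this account requires TLS"
            self.user = arg
            return "331 Password required"
        if verb == "PASS":
            if self.user is None:
                return "503 Login with USER first"
            self.logged_in = True        # password verification omitted in the model
            return "230 User logged in"
        if verb in ("RETR", "STOR", "LIST"):
            if not self.logged_in:
                return "530 Not logged in"
            if "TLS_DATA" in self.flags() and self.prot != "P":
                return "534 Request denied for policy reasons: PROT P required"
            return "150 Opening data connection"
        return "502 Command not implemented in this model"


def run(mode: str, script: List[str]) -> List[str]:
    """Replay a client's command script and return the server's replies."""
    session = Session(mode)
    return [session.handle(cmd) for cmd in script]


if __name__ == "__main__":
    script = ["USER alice", "AUTH TLS", "PBSZ 0", "PROT P",
              "USER alice", "PASS secret", "RETR file.txt"]
    for cmd, reply in zip(script, run("forced", script)):
        print(f"C> {cmd}\nS> {reply}")
```

The model makes the ordering constraints visible: in forced mode the first USER is refused until AUTH TLS has completed, PROT is refused until PBSZ has been sent, and a user carrying TLS_DATA is refused data transfers until PROT P is in effect, while a user without flags on an unforced server can log in and transfer in the clear.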
wzdftpd Implementation
You can choose between OpenSSL and GnuTLS when compiling wzdftpd from source. OpenSSL is the most widely known (and used) implementation of transport layer security (TLS). By default, GnuTLS will be used on Linux/BSD in preference to OpenSSL whereas official Windows wzdftpd binaries are always compiled using OpenSSL.
To enable TLS support in wzdftpd, make sure the following values are included under [GLOBAL] in your main configuration file:
tls_certificate = \path\to\public.cert
tls_certificate_key = \path\to\private.key
tls_mode = implicit
tls_cipher_list = DHE-RSA-AES256-SHA
The private key file should be readable by the wzdftpd process and by nobody else. tls_cipher_list is written in OpenSSL cipher-string syntax; the suite shown, DHE-RSA-AES256-SHA, is a CBC suite with a SHA-1 MAC, so unless you must support very old clients prefer AEAD suites with forward secrecy (for example ECDHE with AES-GCM). For more information on these configuration options, refer to the old Mediawiki documentation.
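As an added check, not part of wzdftpd or its documentation, the script below expands an OpenSSL-style tls_cipher_list value with the OpenSSL library behind Python's ssl module and flags each resulting suite that lacks forward secrecy, is not AEAD, or uses a SHA-1/MD5 MAC. It compares the value shown in the configuration above with a hardened string that is this example's own suggestion; the classification is done by suite name so it behaves the same on every OpenSSL build.

```python
"""Expand an OpenSSL-style tls_cipher_list value and flag suites a practitioner
would not want to keep.  Added example, not part of wzdftpd; HARDENED below is
this example's suggestion, not a value taken from the page.
"""
import ssl
from typing import Dict, List


def expand(cipher_list: str) -> List[Dict]:
    """Return the TLS 1.2-and-below suites OpenSSL selects for cipher_list.
    TLS 1.3 suites are configured separately in OpenSSL and are excluded."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_list)
    except ssl.SSLError:
        return []  # no suite matched the string at all
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def weaknesses(suite: Dict) -> List[str]:
    """Name-based classification of a suite returned by expand()."""
    name = suite["name"]
    problems = []
    if not name.startswith(("ECDHE-", "DHE-")):
        problems.append("no forward secrecy (static key exchange)")
    if not any(tag in name for tag in ("GCM", "CHACHA20", "CCM")):
        problems.append("not AEAD (CBC mode with a separate HMAC)")
    if name.endswith("-SHA") or "MD5" in name:
        problems.append("legacy SHA-1/MD5 MAC")
    return problems


def audit(cipher_list: str) -> Dict[str, List[str]]:
    """Map each selected suite name to its list of problems (empty = fine)."""
    return {s["name"]: weaknesses(s) for s in expand(cipher_list)}


PAGE_VALUE = "DHE-RSA-AES256-SHA"  # the value shown in the configuration above
# Suggested replacement (this example's choice): forward-secret AEAD suites only.
HARDENED = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5"

if __name__ == "__main__":
    for label, value in (("page", PAGE_VALUE), ("hardened", HARDENED)):
        print(f"== {label}: {value}")
        for name, problems in audit(value).items():
            print(f"  {name}: {', '.join(problems) or 'ok'}")
```

Run it on any candidate cipher string before putting it in the configuration; an empty result means OpenSSL matched nothing and the server would have no usable suite at all. Pair the cipher string with a minimum protocol version of TLS 1.2, since the cipher list alone does not stop a client negotiating TLS 1.0 if the library still permits it.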
TLS and Active Mode Data Transfers
The use of TLS encryption may prevent active mode data transfers from working as expected when the client is behind a NAT router. In active mode the client announces its own address and port in a PORT command and the server connects back to it. NAT routers commonly run an FTP helper that rewrites the private address inside PORT to the router's public address and opens the corresponding port; once the control channel is encrypted the helper can neither read nor rewrite the command, so the server receives the client's private address and the data connection fails or hangs. The usual remedy is to have clients use passive mode (PASV), in which the client opens the data connection to the server, and to open the server's passive port range on its firewall.
RFC 4217
Securing FTP with TLS. Describes a mechanism for secure authentication and session protection based on SSL/TLS (RFC 2246) and the FTP Security Extensions (RFC 2228), modelled after TLS for SMTP (RFC 2487). Uses response code 522 (originally introduced in RFC 2428).
See the RFC Standards page for further information and assistance regarding the RFC standards wzdftpd complies with.
