How to use FTPS (introduction)
The basic elements of configuring an FTPS connection are:
· Server Validation: Server validation is an important issue in FTPS. By default an attempt will be made to validate the server using the root certificates registered with the operating system. Other validation methods may be selected by setting the ServerValidation property. If the default validation method is used, it may be necessary to set the ServerCommonName property. This property should match the name on the certificate that the server will present to the FTP client; if it does not, validation will fail. By default the ServerCommonName is assumed to be the same as the ServerAddress property, which is often acceptable. More information regarding this issue is available in the topic Hostname Checking.
· Client Authentication: Some servers require clients to authenticate themselves using a certificate. The client certificate is set through the ClientCertificate property.
Certificates and their associated private keys may be loaded from CER, PEM, and PFX files using static methods in the SSLFTPCertificate class.
Validation of Server Certificates

ServerValidationType | Description
-------------------- | -----------
None | No validation of server certificates is performed.
Automatic | Operating system services are used to validate the certificate chain, and the name on the certificate is checked to make sure that it matches the ServerCommonName property (or the ServerAddress if ServerCommonName is not set).
AutomaticNoNameCheck | Operating system services are used to validate the certificate chain, but no name checking is performed.
Use of server validation is strongly recommended, since it virtually eliminates the possibility of communicating with the wrong server. While developing code, a programmer might want to postpone certificate validation issues by disabling server validation with SecureFTPServerValidationType.None. That setting should never reach production: without validation, any machine on the network path can impersonate the server. Note also that AutomaticNoNameCheck accepts any certificate the operating system trusts, regardless of which host it was issued to, so it offers only weak protection against impersonation.
With SecureFTPServerValidationType.Automatic server validation, the certificate is first checked to see whether it was issued by one of the CAs whose certificates are installed on the system or, alternatively, whether the certificate itself is installed. If so, and the CommonName (CN) value on the certificate matches the ServerCommonName property (if set) or the name of the remote host (if ServerCommonName is not set), validation succeeds; otherwise the connection attempt fails.
Loading Client Certificates
In addition to the standard user-name/password authentication, some FTPS servers require clients to present certificates of their own. SecureFTPConnection supports client certificates. To use this functionality, the SecureFTPConnection.ClientCertificate property must be initialized with a certificate that the server will recognize, together with the matching private key. The private key is not used to encrypt the transferred data; it is used during the TLS handshake to prove to the server that the client holds the key belonging to the certificate it presents.
Certificates are loaded using the following methods of SSLFTPCertificate:

Method Name | Certificate Format
----------- | ------------------
            | CER
            | PEM
            | PFX

In addition, the certificate must be associated with its private key. This is done using the AssociatePrivateKey method, which reads private key files in the PVK format. (A PFX, i.e. PKCS#12, file can carry the private key alongside the certificate, whereas a CER file holds only the certificate.)
Developers often experience problems when trying to load a private key from a Windows Service. The topic, Private Key Access Problems, discusses this issue.
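The following C# program is an example added here to tie together the two configuration elements described above (server validation and client certificate loading); it is not code from the edtFTPnet/PRO documentation or library. Everything not named on this page is an assumption: the EnterpriseDT namespaces, the Protocol, UserName, Password, Connect, Close, IsConnected and GetFiles members, FileTransferProtocol.FTPSExplicit, the static SSLFTPCertificate.CreateFromPFX and CreateFromPEM methods, the argument lists of those methods and of AssociatePrivateKey, and the host name, file names and environment variables, which are constructed for the example.

```csharp
// Added example: not code from the edtFTPnet/PRO documentation or library.
// Assumed (not stated on the page): the EnterpriseDT namespaces; the Protocol,
// UserName, Password, Connect, Close, IsConnected and GetFiles members;
// FileTransferProtocol.FTPSExplicit; SSLFTPCertificate.CreateFromPFX /
// CreateFromPEM and the argument lists of those and of AssociatePrivateKey.
using System;
using EnterpriseDT.Net.Ftp;
using EnterpriseDT.Net.Ftp.Ssl;

public static class FtpsClientExample
{
    public static void Main()
    {
        SecureFTPConnection conn = new SecureFTPConnection();
        try
        {
            conn.ServerAddress = "ftps.example.com";        // constructed host name
            conn.UserName = "alice";                         // constructed user name
            conn.Password = RequireEnv("FTPS_PASSWORD");     // never hard-code credentials
            conn.Protocol = FileTransferProtocol.FTPSExplicit;

            // 1. Server validation: chain built against the OS root store AND the
            //    name on the certificate compared with ServerCommonName. Keep this at
            //    Automatic in production; None and AutomaticNoNameCheck both let a
            //    machine on the network path present a certificate for another host.
            conn.ServerValidation = SecureFTPServerValidationType.Automatic;

            // Only needed when the name on the server's certificate differs from
            // ServerAddress (e.g. connecting by IP address); by default the
            // ServerCommonName is taken to be the ServerAddress.
            conn.ServerCommonName = "ftps.example.com";

            // 2. Client authentication, for servers that demand a certificate.
            conn.ClientCertificate = LoadClientCertificate();

            conn.Connect();
            foreach (string name in conn.GetFiles())
                Console.WriteLine(name);
        }
        catch (Exception ex)
        {
            // A validation failure surfaces here. The fix is to install the right
            // CA certificate or correct ServerCommonName, not to fall back to None.
            Console.Error.WriteLine("FTPS connection failed: " + ex.Message);
        }
        finally
        {
            if (conn.IsConnected)
                conn.Close();
        }
    }

    // Loads the client certificate and its private key from whichever file format
    // is configured. CLIENT_CERT_FORMAT is a constructed environment variable
    // used only by this example.
    private static SSLFTPCertificate LoadClientCertificate()
    {
        string format = Environment.GetEnvironmentVariable("CLIENT_CERT_FORMAT") ?? "PFX";
        switch (format.ToUpperInvariant())
        {
            case "PFX":
                // A PFX (PKCS#12) file carries the certificate and private key together.
                return SSLFTPCertificate.CreateFromPFX("client.pfx", RequireEnv("PFX_PASSWORD"));
            case "PEM":
                // A PEM certificate file holds only the certificate; the private key is
                // supplied separately from a PVK file through AssociatePrivateKey.
                SSLFTPCertificate cert = SSLFTPCertificate.CreateFromPEM("client.pem");
                cert.AssociatePrivateKey("client.pvk", RequireEnv("PVK_PASSWORD"));
                return cert;
            default:
                throw new InvalidOperationException("Unsupported CLIENT_CERT_FORMAT: " + format);
        }
    }

    // Reads a secret from the environment and refuses to run without it.
    private static string RequireEnv(string name)
    {
        string value = Environment.GetEnvironmentVariable(name);
        if (string.IsNullOrEmpty(value))
            throw new InvalidOperationException("Environment variable " + name + " is not set");
        return value;
    }
}
```

The catch block deliberately does not retry with ServerValidation set to None: a validation error is the library telling you that either the trust store lacks the server's issuing CA or the ServerCommonName is wrong, and both are fixed on the configuration side. When the client runs as a Windows Service, the PVK or PFX password and the file permissions of the key file are the usual sources of failure, as the Private Key Access Problems topic describes.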
Cipher Suites
For a client and a server to be able to communicate they must agree on a common cipher suite. A set of cipher suites is enabled by default, and in most cases the server will support one of these, so no action is required by the developer. If the server supports none of the enabled cipher suites, the library throws an exception during the TLS handshake, and it then becomes necessary to set the CipherSuites property. By default the property is set such that all ciphers of 128 bits and over are enabled and all ciphers of less than 128 bits are disabled. Some servers, particularly older servers adhering to the now defunct US export rules, may only support 40-bit encryption. Use of such ciphers is not recommended, as they offer relatively poor security; the better remedy is to have the server upgraded rather than to weaken the client's cipher list. The topic, Selecting Ciphers, offers advice on selection of ciphers.