<?xml version='1.0' encoding='UTF-8' ?>
<!DOCTYPE manualpage SYSTEM "../style/manualpage.dtd">
<?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
<!-- $LastChangedRevision: 420990 $ -->

<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->

<!--
Original Copyright (c) 2005 Covalent Technologies

FTP Protocol module for Apache 2.0
-->

<manualpage metafile="ftp_tls.xml.meta">
<parentdocument href="./">FTP Protocol Support</parentdocument>

<title>Securing FTP With TLS</title>

<summary>
<p>The support for FTP over TLS allows you to run FTP connections
securely through TLS encryption and certificate authentication
support. Apache mod_ftp provides RFC-compliant TLS support through
Apache's own mod_ssl.</p>
</summary>

<section id="introduction">

<title>Introduction</title>

<p>As the FTP protocol was developed long before security through
encryption became an important consideration, it was originally
designed as a clear-text protocol. Both the command channel and
the data channel were, and in many cases remain, unencrypted.
Today, this is not desirable since the users' logins and passwords
travel in the clear across the network, and could be readily
captured by a malicious intruder. Conversely, a user would not
easily be able to detect a spoofed server address because the
server could not identify itself by certificate.</p>

<p>To address these limitations, the FTP over TLS protocol was
developed and became an Internet Standard described in <a
href="http://www.rfc-archive.org/getrfc.php?rfc=4217">RFC
4217</a>. The FTP over TLS protocol uses TLS connection upgrade,
where the client and server negotiate their features and
capabilities before upgrading to an encrypted connection.</p>
</section>

<seealso><a href="http://www.rfc-archive.org/getrfc.php?rfc=4217">RFC 4217
— Securing FTP with TLS</a></seealso>
<seealso><a href="http://www.rfc-archive.org/getrfc.php?rfc=2228">RFC 2228
— FTP Security Extensions</a></seealso>
<seealso><a href="http://www.rfc-archive.org/getrfc.php?rfc=2246">RFC 2246
— The TLS Protocol Version 1.0</a></seealso>


<section id="protocoldescription">

<title>Protocol Description</title>

<p>The mod_ftp module for the Apache HTTP Server aims to implement
FTP over TLS as defined by <a
href="http://www.rfc-archive.org/getrfc.php?rfc=4217">RFC
4217</a>. The RFC describes how the FTP client and server can
discover each other's security capabilities and how a client can
upgrade an FTP control channel to use TLS protection. This
connection upgrade behavior, similar to the SMTP over TLS standard
described in <a
href="http://www.rfc-archive.org/getrfc.php?rfc=3207">RFC
3207</a>, allows an FTP over TLS server to run on the same port as
a plaintext FTP server, and offer both plaintext and protected
services simultaneously.</p>

<!-- Requiring that TLS be used -->
<p>The FTP protocol specification dictates that it is up to the
client to specify session attributes like the protection level.
The server cannot require that the client use TLS, but it can
refuse to accept any command from the client until it sends an
<code>AUTH TLS</code> FTP command to upgrade the control channel
to TLS protection. See the <directive
module="mod_ftp">FTPOptions</directive>, specifically the
<code>RequireSSL</code> option, to make the server refuse any FTP
command until a TLS session is established.</p>

<!-- ###FIXME### Investigate existing (and desired) data channel
protection level and write this paragraph.
Note: the FTP Server side is always the 'Server' in TLS context,
regardless of the direction of the data channel connection.
<p>Data Channel Protection</p>
-->

<!-- Certificates and Authentication -->
<p>The use of TLS allows both the server and client to identify
themselves using standard SSL Certificates. Generally, a
certificate will be in use on the server, but the server can be
configured to request client-side certificates for
authentication. RFC 4217 requires that the client send a
<code>USER</code> command even if a certificate is presented, but
the server may forgo requiring a password from the client.</p>

<p>Since the FTP over TLS RFC was published only in 2005, several
alternative approaches have arisen to secure file transfer
connections. Besides the TLS connection upgrade on a normal FTP
connection as defined by the RFC, another popular approach is to
define a separate FTP control channel listener that can only be
accessed over SSL. An SSL handshake has to be completed before
even the first FTP protocol exchange can take place. This
approach, known as <em>Implicit SSL</em>, is supported by mod_ftp.
Finally, some FTP clients and servers support file transfer over
SSH. This approach is not supported by mod_ftp.</p>
</section>
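The control-channel behaviour described in this section, as an added example that is not mod_ftp code: a small Python state machine that models the explicit <code>AUTH TLS</code> upgrade on a plaintext port, a RequireSSL-style policy that refuses every other command until the channel is protected, Implicit SSL where the TLS handshake completes before the <code>220</code> greeting, <code>PBSZ</code>/<code>PROT</code> for the data channel, and a client certificate that lets the server waive <code>PASS</code> while <code>USER</code> is still required. It also records which client lines crossed the network unencrypted, which is the exposure the Introduction describes. Reply codes 220/221/230/232/234/331/503/504 are the standard RFC 959 / RFC 2228 values; the 530 and 534 replies used for refused commands, and all reply texts, are assumptions of this model, as is the spelling <code>FTPOptions RequireSSL</code> in the comments.

```python
"""RFC 4217 control-channel simulation (added example, not mod_ftp code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ControlChannel:
    implicit: bool = False      # Implicit SSL: TLS is already up when 220 is sent
    require_tls: bool = False   # models "FTPOptions RequireSSL" (assumed syntax)
    client_cert: bool = False   # client presented a certificate in the handshake
    tls: bool = field(init=False)
    prot: str = field(default="C", init=False)   # data channel: C = clear, P = private
    pbsz_done: bool = field(default=False, init=False)
    user: Optional[str] = field(default=None, init=False)
    logged_in: bool = field(default=False, init=False)
    # (who, text, was_protected) for every line on the control channel
    transcript: List[Tuple[str, str, bool]] = field(default_factory=list, init=False)

    def __post_init__(self) -> None:
        self.tls = self.implicit
        self.transcript.append(("S", "220 FTP server ready", self.tls))

    def send(self, line: str) -> str:
        """Deliver one client command and return the server reply."""
        protected = self.tls      # the 234 reply to AUTH TLS itself still goes in clear
        self.transcript.append(("C", line, protected))
        reply = self._handle(line)
        self.transcript.append(("S", reply, protected))
        return reply

    def cleartext_commands(self) -> List[str]:
        """Client lines that crossed the network unencrypted (the exposure)."""
        return [t for who, t, prot in self.transcript if who == "C" and not prot]

    def _handle(self, line: str) -> str:
        cmd, _, arg = line.partition(" ")
        cmd, arg = cmd.upper(), arg.strip()
        if cmd == "AUTH":
            if arg.upper() != "TLS":
                return "504 Unknown security mechanism"
            if self.tls:
                return "534 Control channel is already protected"   # assumed code
            self.tls = True   # both sides now complete the TLS handshake
            return "234 AUTH TLS successful"
        if self.require_tls and not self.tls:
            # RequireSSL policy: nothing else is accepted on a plaintext channel
            return "530 Secure the control channel with AUTH TLS first"  # assumed code
        if cmd == "PBSZ":
            if not self.tls:
                return "503 PBSZ requires a protected control channel"
            self.pbsz_done = True
            return "200 PBSZ=0"
        if cmd == "PROT":
            if not self.pbsz_done:
                return "503 PBSZ must precede PROT"
            if arg.upper() not in ("C", "P"):
                return "504 Protection level not supported"
            self.prot = arg.upper()
            return "200 Data channel protection level set to " + self.prot
        if cmd == "USER":
            self.user = arg
            if self.tls and self.client_cert:
                # RFC 4217: USER is still required, but the password may be waived
                self.logged_in = True
                return "232 User logged in, authorized by security data exchange"
            return "331 Password required for " + arg
        if cmd == "PASS":
            if self.user is None:
                return "503 Login with USER first"
            self.logged_in = True
            return "230 User logged in"
        if cmd == "QUIT":
            return "221 Goodbye"
        if not self.logged_in:
            return "530 Please login with USER and PASS"
        return "200 Command okay"


if __name__ == "__main__":
    s = ControlChannel(require_tls=True)
    for c in ("USER alice", "AUTH TLS", "USER alice", "PASS s3cret", "PBSZ 0", "PROT P"):
        s.send(c)
    for who, text, protected in s.transcript:
        print(f"{who} {'[tls]  ' if protected else '[clear]'} {text}")
```

Running the script shows why RequireSSL matters: with it, the only lines that ever travel unencrypted are the refused first <code>USER</code> and the <code>AUTH TLS</code> itself; without it, a client that never upgrades sends <code>USER</code> and <code>PASS</code> in the clear and the server happily accepts them.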

<section id="ftpovertls">

<title>FTP over TLS Support</title>

<p>To implement TLS, mod_ftp uses Apache's
<module>mod_ssl</module>. This means that the configuration
options for FTP over TLS are not too different from those for
HTTPS. In fact, for RFC 4217-based FTP over TLS support, no
additional configuration options are necessary above the ones you
would use to set up an HTTP over SSL virtual host. Note however
that we explicitly turn off <directive
module="core">AcceptFilter</directive>. This is necessary because
in FTP the server initiates the protocol conversation and not the
client.</p>

<example>
LoadModule ftp_module /usr/local/apache2/modules/mod_ftp.so<br/>
<br/>
Listen 21 ftp<br/>
AcceptFilter ftp none<br/>
<br/>
LogFormat "%u [%a] %r %>s" ftp_command<br/>
LogFormat "%{%b %e %H:%M:%S %Y}t %T %a %B %U %M %F %d %W %u %S %Z %Y" ftp_transfer<br/>
<br/>
<VirtualHost _default_:21><br/>
<indent>
<br/>
FTP On<br/>
SSLEngine on<br/>
SSLCertificateFile conf/server.crt<br/>
SSLCertificateKeyFile conf/server.key<br/>
<br/>
ErrorLog logs/ftps_error_log<br/>
CustomLog logs/ftps_command_log ftp_command<br/>
CustomLog logs/ftps_transfer_log ftp_transfer env=do_transfer_log<br/>
<br/>
</indent>
</VirtualHost><br/>
</example>

<note>The above shows the simplest possible configuration of a
TLS-enabled FTP virtual host. You should not use this in
production unless sufficient authentication and access control are
added.</note>

</section>

<section id="implicitssl">

<title>Implicit SSL Support</title>

<p>The configuration below is similar to the one above, except for
the <directive module="mod_ftp">FTPImplicitSSL</directive> and the
listening port which is <code>990</code>. The <directive
module="core">AcceptFilter</directive> is set to
<code>data</code>, since the conversation starts with an SSL
handshake from the client.</p>

<example>
LoadModule ftp_module /usr/local/apache2/modules/mod_ftp.so<br/>
<br/>
Listen 990 ftps<br/>
AcceptFilter ftps data<br/>
<br/>
LogFormat "%u [%a] %r %>s" ftp_command<br/>
LogFormat "%{%b %e %H:%M:%S %Y}t %T %a %B %U %M %F %d %W %u %S %Z %Y" ftp_transfer<br/>
<br/>
<VirtualHost _default_:990><br/>
<indent>
<br/>
FTP On<br/>
SSLEngine On<br/>
FTPImplicitSSL On<br/>
<br/>
SSLCertificateFile ssl/server.crt<br/>
SSLCertificateKeyFile ssl/server.key<br/>
<br/>
ErrorLog logs/ftps_error.log<br/>
<br/>
CustomLog logs/ftps_command.log ftp_command<br/>
CustomLog logs/ftps_transfer.log ftp_transfer env=do_transfer_log<br/>
<br/>
DocumentRoot "/usr/local/apache2/htdocs"<br/>
<br/>
</indent>
</VirtualHost><br/>
</example>

<note>The above shows the simplest possible configuration of a
TLS-enabled FTP virtual host. You should not use this in
production unless sufficient authentication and access control are
added.</note>

</section>
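A configuration check for the two setups shown in the preceding sections, added here as an example and not part of mod_ftp. It reads an httpd.conf fragment and, for every virtual host with <code>FTP On</code>, verifies that <code>SSLEngine</code> is on, that the <code>AcceptFilter</code> for the vhost's <code>Listen</code> protocol is <code>none</code> in explicit (RFC 4217) mode, where the server sends the first bytes, and <code>data</code> in Implicit SSL mode, where the client's handshake comes first, and that an explicit-mode vhost carries the <code>RequireSSL</code> option, without which clients may log in before <code>AUTH TLS</code>. The option is assumed to be written <code>FTPOptions RequireSSL</code>; the page names the option but not the exact line. The embedded configs are transcribed from the examples above with the log directives abridged.

```python
"""Lint mod_ftp TLS virtual hosts (added example, not part of mod_ftp)."""
import re
from typing import Dict, List, Optional

# Transcribed from the page's RFC 4217 example (log directives abridged).
EXPLICIT_CONF = """
Listen 21 ftp
AcceptFilter ftp none
<VirtualHost _default_:21>
    FTP On
    SSLEngine on
    SSLCertificateFile conf/server.crt
    SSLCertificateKeyFile conf/server.key
    ErrorLog logs/ftps_error_log
</VirtualHost>
"""

# Transcribed from the page's Implicit SSL example (log directives abridged).
IMPLICIT_CONF = """
Listen 990 ftps
AcceptFilter ftps data
<VirtualHost _default_:990>
    FTP On
    SSLEngine On
    FTPImplicitSSL On
    SSLCertificateFile ssl/server.crt
    SSLCertificateKeyFile ssl/server.key
    DocumentRoot "/usr/local/apache2/htdocs"
</VirtualHost>
"""

# The explicit setup with the RequireSSL option added (assumed spelling).
HARDENED_CONF = EXPLICIT_CONF.replace("    FTP On\n", "    FTP On\n    FTPOptions RequireSSL\n")


def parse_config(text: str) -> Dict:
    """Minimal parser: top-level Listen/AcceptFilter plus <VirtualHost> blocks."""
    listens: Dict[str, Optional[str]] = {}  # port -> protocol name given to Listen
    filters: Dict[str, str] = {}            # protocol name -> AcceptFilter value
    vhosts: List[Dict] = []
    current: Optional[Dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if m:
            addr = m.group(1).strip()
            current = {"addr": addr, "port": addr.rsplit(":", 1)[-1], "directives": []}
            continue
        if line.lower() == "</virtualhost>" and current is not None:
            vhosts.append(current)
            current = None
            continue
        name, _, args = line.partition(" ")
        name, args = name.lower(), args.strip()
        if current is not None:
            current["directives"].append((name, args))
        elif name == "listen":
            parts = args.split()
            listens[parts[0].rsplit(":", 1)[-1]] = parts[1].lower() if len(parts) > 1 else None
        elif name == "acceptfilter":
            proto, _, flt = args.partition(" ")
            filters[proto.lower()] = flt.strip().lower()
    return {"listens": listens, "filters": filters, "vhosts": vhosts}


def lint_ftp_tls(text: str) -> List[str]:
    """Return one finding per problem; an empty list means the fragment is clean."""
    cfg = parse_config(text)
    findings: List[str] = []
    for vh in cfg["vhosts"]:
        d = {name: args for name, args in vh["directives"]}
        if d.get("ftp", "").lower() != "on":
            continue
        tag = vh["addr"]
        if d.get("sslengine", "").lower() != "on":
            findings.append(f"{tag}: FTP vhost without SSLEngine on; logins cross the network in clear")
            continue
        implicit = d.get("ftpimplicitssl", "").lower() == "on"
        proto = cfg["listens"].get(vh["port"])
        flt = cfg["filters"].get(proto) if proto else None
        expected = "data" if implicit else "none"   # who sends the first bytes
        if flt != expected:
            findings.append(f"{tag}: AcceptFilter for {proto!r} is {flt!r}, expected {expected!r} "
                            f"({'client' if implicit else 'server'} speaks first)")
        if not implicit:
            opts = [o.lstrip("+").lower() for n, a in vh["directives"]
                    if n == "ftpoptions" for o in a.split()]
            if "requiressl" not in opts:
                findings.append(f"{tag}: explicit-TLS vhost without FTPOptions RequireSSL; "
                                "USER/PASS are accepted before AUTH TLS")
    return findings


if __name__ == "__main__":
    for label, conf in (("explicit", EXPLICIT_CONF), ("implicit", IMPLICIT_CONF),
                        ("hardened", HARDENED_CONF)):
        print(label, lint_ftp_tls(conf) or ["clean"])
```

Run against the page's own examples, the explicit configuration produces exactly one finding (no RequireSSL, so plaintext logins are still accepted on port 21), the implicit one is clean because the handshake precedes any command, and the hardened variant is clean.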
<!--
<section id="clientauth">

<title>Client-side Certificate Authentication</title>

</section>
-->

<section id="clientsupport">

<title>Client Support for FTP over TLS</title>

<p>An ever-growing number of FTP clients implement FTP over
TLS, and listing them all is outside the scope of this document.
A list can be found on <a
href="http://en.wikipedia.org/List_of_FTP_clients">Wikipedia</a>.
When selecting a client, do keep in mind that the <em>FTP over
SSH</em> protocol (sometimes also called <em>SFTP</em>) is not
supported by <module>mod_ftp</module>.</p>

</section>

</manualpage>