Choosing a type of SSL
There are two types of SSL that can be used by a listener.
- Implicit SSL. With Implicit SSL, the server listens for connections on a special port (usually 990). When a connection is made, SSL negotiation is completed before any other activity, including authentication. With this option it is impossible for a non-SSL connection to be made on the listener, but users must know to connect on the special port.
- SSL enabled (sometimes called Explicit SSL or AUTH SSL). With this option, an SSL connection is established after the client connects and requests one. If the client never issues the SSL command, the connection continues as a standard FTP connection. SSL-enabled connections may occur on any port, but most often port 21 is used (the same port as standard FTP).
The following SSL options can be used to provide increased security for connections.
- This listener-level option adds a second layer of authentication by requiring users to present an SSL certificate of their own as part of the authentication process. If the certificate is not signed by a certificate in the trusted authorities database, the connection is terminated. This option can be used with Implicit SSL or SSL enabled (Explicit SSL).
- When selected, this host-level option forces clients to invoke SSL before authenticating. If the client attempts to authenticate before establishing an SSL connection, the server reports an error explaining to the client that SSL is required. This option is only valid with SSL enabled (Explicit SSL).
- This host-level option forces the server to require a specific cipher strength or higher to secure SSL connections. The server can require 128- or 256-bit cipher strength, or it can allow any SSL connection regardless of cipher strength.
- When this host-level option is enabled, the server encrypts all of the data sent over the data channel. Enabling this option improves security, but it may also negatively impact the speed of transfers.
- When this host-level option is enabled, clients can issue the CCC command to revert a secured command channel to unsecured. If cleared, CCC commands fail. Clear this option to prevent users from converting an SSL connection to an unsecured standard FTP connection.
- If users are having difficulty accessing the server over SSL using passive mode and through a firewall, enabling this option may help by sending the IP address and port that the server should use to establish the connection with the client in a clear, unencrypted format.
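The following added example (not the product's own code) models how an explicit-SSL listener applying three of the host-level options above (require SSL before authentication, allow CCC, require an encrypted data channel) would answer client commands. No real TLS is performed: "AUTH TLS" simply marks the command channel as secured, and the reply codes are constructed from the FTP security extensions (RFC 2228/4217) for illustration.

```python
from dataclasses import dataclass


@dataclass
class Policy:
    """Host-level options from the text, as booleans (constructed names)."""
    require_ssl_before_auth: bool = True   # reject USER/PASS on a plaintext channel
    allow_ccc: bool = False                # permit downgrading the command channel
    require_encrypted_data: bool = True    # insist on PROT P before any transfer


@dataclass
class Session:
    """One client connection on an explicit-SSL (AUTH SSL) listener."""
    policy: Policy
    secured: bool = False        # command channel protected by SSL/TLS
    authenticated: bool = False
    prot_private: bool = False   # client has requested PROT P

    def handle(self, line: str) -> str:
        cmd, _, arg = line.strip().partition(" ")
        cmd, arg = cmd.upper(), arg.upper()
        if cmd == "AUTH" and arg in ("TLS", "SSL"):
            self.secured = True          # handshake would happen here
            return "234 AUTH command OK; starting TLS handshake"
        if cmd in ("USER", "PASS") and self.policy.require_ssl_before_auth and not self.secured:
            return "534 Policy requires SSL before authentication"
        if cmd == "USER":
            return "331 Password required"
        if cmd == "PASS":
            self.authenticated = True
            return "230 User logged in"
        if cmd == "PROT" and arg == "P":
            if not self.secured:
                return "503 Secure the command channel first"
            self.prot_private = True
            return "200 Data channel protection level set to P"
        if cmd == "CCC":
            if not self.secured:
                return "533 Command channel is not protected"
            if not self.policy.allow_ccc:
                return "534 CCC not permitted by server policy"
            self.secured = False         # downgrade accepted: channel is now clear
            return "200 Clear command channel accepted"
        if cmd in ("RETR", "STOR", "LIST"):
            if not self.authenticated:
                return "530 Not logged in"
            if self.policy.require_encrypted_data and not self.prot_private:
                return "521 Data connection must be protected (PROT P)"
            return "150 Opening data connection"
        return "502 Command not implemented"
```

With the default (strict) policy, a client that sends USER before AUTH TLS is refused, and CCC is always rejected; relaxing the policy shows each downgrade path the options are meant to close.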