Configuring implicit SSL

Implicit SSL settings apply only to FTP listeners and are typically a listener on port 990. Use the following settings to configure Implicit SSL settings.

To configure Implicit SSL:

  1. From the top menu, select Server > Listeners. The Listeners page opens.
  2. Click the IP address of the listener you want to open. The Edit Listener page opens.

    Note: Since SSL can be configured only on FTP listeners, make sure that you select a listener that displays FTP in the Server type column.

  3. Under Encryption Options, click Edit SSL Settings. The Listener Encryption Settings page opens.
  4. Set the appropriate options.
    • SSL type (Clear Only enabled by default). Select the type of SSL connection to attempt when a request comes in to the current listener.
      • Clear only. No SSL connection is allowed.
      • SSL enabled. An SSL connection is made after the client connects and issues the appropriate command. If the SSL command is not issued and you are not forcing SSL, the connection is made as a standard FTP connection.
      • Implicit SSL. An SSL connection is made immediately upon connection. With Implicit SSL, it is impossible for a non-SSL connection to be made on this listener. The default port for Implicit SSL listeners is 990.
    • SSL certificate. Displays the SSL certificate currently applied to the current listener. This is the SSL certificate that the server sends to identify itself to client that connect to this listener. To select an SSL certificate, click Select.

      Note: If you are using a chained certificate (usually imported from a Certificate Authority), you should enter the primary and secondary CA certificates as Trusted Authorities. This will ensure that WS_FTP Server recognizes the certificate chain.

    • Request client certificate. If selected, the listener will request an SSL client certificate before allowing the user to authenticate. In order for the client to authenticate, the client certificate must be signed by a certificate in the Trusted Authorities list.
    • SSL security level. Select the versions of SSL and TLS that you want to allow clients to use to connect.
      • TLS only (more secure). Select this option to require clients to negotiate SSL connections using TLS version 1.0 or higher. This option provides the greatest security, but may cause some clients to fail to connect.
      • Enable TLS and SSL versions 1, 2 and 3 (selected by default). Select this option to allow clients to connect using any version of SSL or TLS. This option works with most clients, but does not protect the server from security vulnerabilities in older versions of SSL.
    • Trusted Authorities. This list contains a list of certificates which the server trusts to sign client certificates. When Request client certificate is enabled and a client attempts an SSL connection, the server prompts the client for a client certificate. The server then checks to see if the client certificate is signed by any of the certificates in the trusted authorities list.  If not, the connection is terminated.
      • To add a certificate to this list, click Add.
      • To remove a certificate from this list, click Remove.
  5. Click Save. The Edit Listener page opens.
  6. In the Port box, enter 990. For more information, see Setting Up Listeners.
  7. Click Save.