Listener Encryption Settings (SSL)

How to get here

The following settings apply only to FTP listeners.  For information about encryption settings for SSH listeners, see Listener Encryption Settings (SSH).

• SSL type (Clear Only enabled by default). Select the type of SSL connection to attempt when a request comes in to the current listener.
  • Clear only. No SSL connection is allowed.
  • SSL enabled. An SSL connection is made after the client connects and issues the appropriate command. If the SSL command is not issued and you are not forcing SSL, the connection is made as a standard FTP connection.
  • Implicit SSL. An SSL connection is made immediately upon connection. With Implicit SSL, it is impossible for a non-SSL connection to be made on this listener. The default port for Implicit SSL listeners is 990.
• SSL certificate. Displays the SSL certificate currently applied to the current listener. This is the SSL certificate that the server sends to identify itself to client that connect to this listener. To select an SSL certificate, click Select.

  Note: If you are using a chained certificate (usually imported from a Certificate Authority), you should enter the primary and secondary CA certificates as Trusted Authorities. This will ensure that WS_FTP Server recognizes the certificate chain.

• Request client certificate. If selected, the listener will request an SSL client certificate before allowing the user to authenticate. In order for the client to authenticate, the client certificate must be signed by a certificate in the Trusted Authorities list.
• SSL security level. Select the versions of SSL and TLS that you want to allow clients to use to connect.
  • TLS only (more secure). Select this option to require clients to negotiate SSL connections using TLS version 1.0 or higher. This option provides the greatest security, but may cause some clients to fail to connect.
  • Enable TLS and SSL versions 1, 2 and 3 (selected by default). Select this option to allow clients to connect using any version of SSL or TLS. This option works with most clients, but does not protect the server from security vulnerabilities in older versions of SSL.
• Trusted Authorities. This list contains a list of certificates which the server trusts to sign client certificates. When Request client certificate is enabled and a client attempts an SSL connection, the server prompts the client for a client certificate. The server then checks to see if the client certificate is signed by any of the certificates in the trusted authorities list.  If not, the connection is terminated.
  • To add a certificate to this list, click Add.
  • To remove a certificate from this list, click Remove.