Apache HTTP Server Version 2.4

Available Languages: en
FTP over TLS support lets you secure FTP connections with TLS encryption and certificate authentication. Apache mod_ftp provides RFC-compliant TLS support through Apache's own mod_ssl.
As the FTP protocol was developed long before security through encryption became an important consideration, it was originally designed as a clear-text protocol. Both the command channel and the data channel were, and in many cases remain, unencrypted. Today, this is not desirable since users' logins and passwords travel in the clear across the network, and could be readily captured by a malicious intruder. Conversely, a user would not easily be able to detect a spoofed server address because the server could not identify itself by certificate.
To address these limitations, the FTP over TLS protocol was developed and became an Internet Standard described in RFC 4217. The FTP over TLS protocol uses TLS connection upgrade, where the client and server negotiate their features and capabilities before upgrading to an encrypted connection.
The mod_ftp module for the Apache HTTP Server aims to implement FTP over TLS as defined by RFC 4217. The RFC describes how the FTP client and server can discover each other's security capabilities and how a client can upgrade an FTP control channel to use TLS protection. This connection upgrade behavior, similar to the SMTP over TLS standard described in RFC 3207, allows an FTP over TLS server to run on the same port as a plaintext FTP server, and offer both plaintext and protected services simultaneously.
The FTP protocol specification dictates that it is up to the
    client to specify session attributes like the protection level.
    The server cannot require that the client use TLS, but it can
    refuse to accept any command from the client until it sends an
    AUTH TLS FTP command to upgrade the control channel
    to TLS protection.  See the FTPOptions, specifically the
    RequireSSL option, to make the server refuse any FTP
    command until a TLS session is established.
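A way to check from the client side that a plaintext listener really refuses commands before the TLS upgrade, as an added example that is not part of the mod_ftp documentation or code. It assumes a refusal arrives as a 4xx/5xx reply and that AUTH TLS is accepted with 234 as in RFC 4217; the user name audit-probe, the function names and the canned reply texts are constructed for illustration.

```python
import io
import socket

def read_reply(rfile):
    """Read one FTP reply, following a multi-line '220-...' up to its closing '220 ' line."""
    def next_line():
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the control channel")
        return raw.decode("latin-1").rstrip("\r\n")
    line = next_line()
    if len(line) < 3 or not line[:3].isdigit():
        raise ValueError(f"malformed FTP reply: {line!r}")
    code = line[:3]
    if line[3:4] == "-":                      # multi-line reply: read to the final line
        while not line.startswith(code + " "):
            line = next_line()
    return int(code)

def audit_control_channel(rfile, wfile, user="audit-probe"):
    """Is USER refused before AUTH TLS, and is the AUTH TLS upgrade offered?"""
    def send(cmd):
        wfile.write(cmd.encode("ascii") + b"\r\n")
        wfile.flush()
        return read_reply(rfile)
    banner = read_reply(rfile)                # in FTP the server speaks first
    user_code = send(f"USER {user}")          # sent in the clear; no password follows
    auth_code = send("AUTH TLS")              # RFC 4217 upgrade request
    return {"banner": banner,
            "plaintext_user_refused": user_code >= 400,   # assumption: refusal is 4xx/5xx
            "auth_tls_offered": auth_code == 234}

def audit_host(host, port=21, timeout=10):
    """Run the probe against a server you administer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as r, sock.makefile("wb") as w:
            return audit_control_channel(r, w)

# Constructed reply streams; the reply texts are illustrative, not mod_ftp's wording.
ENFORCING = b"220-Welcome\r\n220 Service ready\r\n530 Use AUTH TLS first\r\n234 AUTH TLS accepted\r\n"
PERMISSIVE = b"220 Service ready\r\n331 Password required\r\n234 AUTH TLS accepted\r\n"

def replay(canned):
    """Run the audit offline against a canned reply stream."""
    return audit_control_channel(io.BytesIO(canned), io.BytesIO())

if __name__ == "__main__":
    print(replay(ENFORCING))
    print(replay(PERMISSIVE))
```

A result with plaintext_user_refused set to False means the listener still accepts a login attempt without TLS, which is the case the RequireSSL option is meant to close.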
The use of TLS allows both the server and client to identify
    themselves using standard SSL Certificates.  Generally, a
    certificate will be in use on the server, but the server can be
    configured to request client-side certificates for
    authentication.  RFC 4217 requires that the client send a
    USER command even if a certificate is presented, but
    the server may forgo requiring a password from the client.
Since the FTP over TLS RFC was published only in 2005, several alternative approaches have arisen to secure file transfer connections. Besides the TLS connection upgrade on a normal FTP connection as defined by the RFC, another popular approach is to define a separate FTP control channel listener that can only be accessed over SSL. An SSL handshake has to be completed before even the first FTP protocol exchange can take place. This approach, known as Implicit SSL, is supported by mod_ftp. Finally, some FTP clients and servers support file transfer over SSH. This approach is not supported by mod_ftp.
To implement TLS, mod_ftp uses Apache's
    mod_ssl.  This means that the configuration
    options for FTP over TLS are not too different from those for
    HTTPS.  In fact, for RFC 4217-based FTP over TLS support, no
    additional configuration options are necessary above the ones you
    would use to set up an HTTP over SSL virtual host.  Note however
    that we explicitly turn off AcceptFilter.  This is necessary because
    in FTP the server initiates the protocol conversation and not the
    client.
      LoadModule ftp_module /usr/local/apache2/modules/mod_ftp.so
      
      Listen 21 ftp
      AcceptFilter ftp none
      
      LogFormat "%u [%a] %r %>s" ftp_command
      LogFormat "%{%b %e %H:%M:%S %Y}t %T %a %B %U %M %F %d %W %u %S %Z %Y" ftp_transfer
      
      <VirtualHost _default_:21>
      
        
        FTP On
        SSLEngine on
        SSLCertificateFile conf/server.crt
        SSLCertificateKeyFile conf/server.key
        
        ErrorLog logs/ftps_error_log
        CustomLog logs/ftps_command_log ftp_command
        CustomLog logs/ftps_transfer_log ftp_transfer env=do_transfer_log
        
      
      </VirtualHost>
    
The configuration below is similar to the one above, except for
    the FTPImplicitSSL directive and the listening port, which is
    990. The AcceptFilter is set to data, since the conversation
    starts with an SSL handshake from the client.
      LoadModule ftp_module /usr/local/apache2/modules/mod_ftp.so
      
      Listen 990 ftps
      AcceptFilter ftps data
      
      LogFormat "%u [%a] %r %>s" ftp_command
      LogFormat "%{%b %e %H:%M:%S %Y}t %T %a %B %U %M %F %d %W %u %S %Z %Y" ftp_transfer
      
      <VirtualHost _default_:990>
      
        
        FTP On
        SSLEngine On
        FTPImplicitSSL On
        
        SSLCertificateFile    ssl/server.crt
        SSLCertificateKeyFile ssl/server.key
        
        ErrorLog logs/ftps_error.log
        
        CustomLog logs/ftps_command.log ftp_command
        CustomLog logs/ftps_transfer.log ftp_transfer env=do_transfer_log
        
        DocumentRoot "/usr/local/apache2/htdocs"
        
      
      </VirtualHost>
    
An ever-growing number of FTP clients implement FTP over
    TLS, and listing them all is outside the scope of this document.
    A list can be found on Wikipedia.
    When selecting a client, keep in mind that the FTP over
    SSH protocol (sometimes also called SFTP) is not
    supported by mod_ftp.