Help

Security Settings

HTML Help System
Table of Contents
 

Configuring Security Settings

The security settings page allows the administrator to configure all aspects of Cerberus FTP Server SSL/TLS security. To enable TLS/SSL connections between FTP clients and the server, you need a server certificate and a private key.

Digital Certificate Support

Cerberus FTP Server 4.0 and higher supports RSA, DSA and Elliptical Curve (EC) keys. Support for elliptical curve ciphers requires a special Elliptical Curve Cryptography (ECC) build of Cerberus FTP Server. There is currently no support for EC keys with SFTP, though future support is planned.

There are generally two options for obtaining a digital certificate (with private key).

  1. You can generate your own certificate using the Cerberus Create Cert button.
  2. You can obtain a certificate from a recognized Certificate Authority

Which is more appropriate really depends upon your goals. If you just want to make sure that client and server connections are securely encrypted then a self-signed certificate is all you need. It has the benefit of being easily created through Cerberus and completely free. Just click the Create Cert button, fill in the certificate details in the dialog that appears, press the Ok button and that should be all you have to do. A self-signed certificate will be created and Cerberus will be automatically configured to use it.

If your goal is to make sure that your clients can verify that the server they are connecting to is legitimate and to ensure they don't see any warning messages about being "unable to verify the server" then using a certificate signed by a trusted certificate authority is required. You will have to contact one of the recognized Certificate Authorities such as Comodo, Thawte, Verisign or one of the many other recognized Certificate Authorities and request a server certificate (for a price).

A note about secure connections: Cerberus supports FTP over explicit TLS/SSL encryption. To establish a secure connection you must connect to the server with a client that supports explicit TLS/SSL mode. This will require a dedicated FTP client, not a web browser. No web browsers natively support any type of secure FTP.

About Certificate Authorities

You only need to worry about setting up and validating against a certificate authority if you (the server) want to authenticate the certificates coming from your FTP clients. If you aren't concerned with verifying your clients using certificates then you can safely ignore all of the certificate authority configuration information. Just select the No verification setting (the default).

Server manager's security settings configuration page
Security settings page of the Server Manager

TLS/SSL Security

Cerberus uses the settings here for all secure connections.

Security Options

These are basic TLS/SSL settings applicable to secure client FTP and SSH connections and encrypted HTTPS SOAP messages.

  • Enable Explicit TLS/SSL - This must be enabled to allow secure access to the server. NOTE: A certificate and private key must be available before TLS/SSL encryption will be available.
  • Enable FIPS 140-2 Mode - Engaged the FIPS 140-2 certified encryption module for Cerberus FTP Server. Selecting this option enables encryption using only FIPS 140-2 certified algorithms. Only available in the Professional edition.
  • Ignore SSH Window Size - Some SFTP clients do not correctly request an increase in the SSH channel window size. Enabling this option will allow those connections to continue even after exceeding the available channel window space.
  • Require Encryption on SFTP - Though most clients won't request an unencrypted connection, the SSH protocol does allow it. Check this option to disallow nonencrypted SSH connections.
  • Public Certificate - The full path to your public certificate. The public certificate is exchanged with the client during TLS/SSL encryption and is examined by the client to verify the server. Supported key types include RSA, DSA, and Elliptical Curve keys.
  • Private Key - This is the server's private key. The private key is used to encrypt messages to the client. The client can use the server's public key to decrypt messages encrypted with the server' private key. The private key is not sent to the client. If your public and private key are in the same file then set this path to be the same as the
    NOTE: The public and private key can be in the same file. If your public and private key are in the same file then set this path to the same path as your Public Certificate path. Cerberus understands both DER and PEM encoded certificate formats.
  • Needs Key Password - Check this option if the digital certificate is encrypted.
  • Password - The key password used to decrypt your digital certificate.
  • Create Cert – Cerberus will generate a Self-Signed Certificate that will allow encrypted connections.
  • Verify – Cerberus will attempt to verify that the certificate at the Public and Private key path is recognized and readable with the given password.

Client Certificate Verification

Cerberus FTP Server is able to require clients to verify themselves using digital certificates. When given a Certificate Authority certificate list, Cerberus will verify that the client certificate is signed and valid for the given Certificate Authorities. Cerberus will also make sure the certificate hasn't been revoked if a CRL is specified. This feature is only available in Cerberus FTP Server Professional edition and currently only applies to FTPS and FTPES connections.

  • No Verification - This is the default option. Cerberus will not require nor will it verify digital certificates
  • Verify Certificate - Cerberus will attempt to verify that the certificate presented by the client is signed and valid. It will compare the certificate against the certificate authorities present in the CA Certificates File. Any FTPS connection attempts without a valid certificate will be denied when this option is selected.
  • CA File - A file containing a PEM-encoded list of Certificate Authorities with which to verify client certificates against.
  • CRL File - A file containing a PEM or DER-encoded list of key serial numbers that have been revoked. Note, the CRL must have been signed by the CA certificate.

Additional Client Certificate Verification Options

Cerberus can be configured to provide additional post-verification client certificate checking. Specifically, you can require the certificate common name to match the FTP username. This option is currently only exposed via the config file and can be controlled through the following security tag

<verifyClientCommonName>true</verifyClientCommonName>

Set this option to true to enable certificate common name to FTP username checking.

TLS/SSL Cipher Selection

The ciphers that Cerberus uses during secure connection negotiation can be controlled through a text string in the Cerberus FTP Server settings.xml configuration file. The

<cipherListString>ALL:!LOW:@STRENGTH</cipherListString>

element follows the same cipher string format as the OpenSSL ciphers string.

DSA Certificates and Ephemeral Diffie-Hellman Keys

Cerberus FTP Server 4.0.3 and higher includes support for DSA certificates.  Unlike RSA certificates, DSA certificates cannot be used for key exchange and require additional Diffie-Hellman (DH) parameters during key exchange. 

DH parameters are computationally very expensive to generate and it isn’t feasible (or necessary) to generate those parameters in real-time.  Cerberus FTP Server includes DH parameters for 512, 1024, 2048, and 4096 bit keys.  The parameters were pre-generated using strong sources of pseudo-random entropy and are used during DH key exchange to generate new, temporary keys for each SSL session.

Cerberus looks for the DH parameter files in the C:\ProgramData\Cerberus LLC\Cerberus FTP Server\certificates directory.  You can freely replace the included parameter files with your own, pre-generated versions if you desire.  If the existing files are deleted, Cerberus will attempt to re-create the missing files during startup by generating new ones.  This can take a very long time and Cerberus will appear to hang during startup while the files are generated.  Deleting the existing DH parameter files is not recommended.

Elliptical Curve Certificates

Cerberus FTP Server 4.0.3 and higher includes support for elliptical curve (EC) certificates.  These certificates can only be used for FTPS or FTPES connections and will not work for SSH SFTP connections.  Please see this page for more information on elliptical curve cryptography support

| Privacy Policy | Public Forums Disclaimer | Contact Us | ©2010 Cerberus, LLC