Apache HTTP Server Version 2.4
Support for FTP over TLS lets you run FTP connections securely, with TLS encryption and certificate-based authentication. Apache mod_ftp provides RFC-compliant TLS support through Apache's own mod_ssl.
Because the FTP protocol was developed long before security through encryption became an important consideration, it was originally designed as a clear-text protocol. Both the command channel and the data channel were, and in many cases still are, unencrypted. Today this is undesirable, since users' logins and passwords travel across the network in the clear and can be readily captured by a malicious intruder. Likewise, a user cannot easily detect a spoofed server address, because the server has no way to identify itself by certificate.
To address these limitations, the FTP over TLS protocol was developed and became an Internet Standard described in RFC 4217. The FTP over TLS protocol uses TLS connection upgrade, where the client and server negotiate their features and capabilities before upgrading to an encrypted connection.
The mod_ftp module for the Apache HTTP Server aims to implement FTP over TLS as defined by RFC 4217. The RFC describes how the FTP client and server can discover each other's security capabilities and how a client can upgrade an FTP control channel to use TLS protection. This connection upgrade behavior, similar to the SMTP over TLS standard described in RFC 3207, allows an FTP over TLS server to run on the same port as a plaintext FTP server, and offer both plaintext and protected services simultaneously.
The FTP protocol specification dictates that it is up to the client to specify session attributes like the protection level. The server cannot require that the client use TLS, but it can refuse to accept any command from the client until it sends an AUTH TLS FTP command to upgrade the control channel to TLS protection. See the FTPOptions directive, specifically the RequireSSL option, to make the server refuse any FTP command until a TLS session is established.
The use of TLS allows both the server and the client to identify themselves using standard SSL certificates. Generally, a certificate will be in use on the server, but the server can be configured to request client-side certificates for authentication. RFC 4217 requires that the client send a USER command even if a certificate is presented, but the server may forego requiring a password from the client.
Since the FTP over TLS RFC was published only in 2005, several alternative approaches have arisen to secure file transfer connections. Besides the TLS connection upgrade on a normal FTP connection as defined by the RFC, another popular approach is to define a separate FTP control channel listener that can only be accessed over SSL: an SSL handshake has to be completed before even the first FTP protocol exchange can take place. This approach, known as Implicit SSL, is supported by mod_ftp. Finally, some FTP clients and servers support file transfer over SSH. This approach is not supported by mod_ftp.
To implement TLS, mod_ftp uses Apache's mod_ssl. This means that the configuration options for FTP over TLS are not very different from those for HTTPS. In fact, for RFC 4217-based FTP over TLS support, no additional configuration options are necessary beyond the ones you would use to set up an HTTP over SSL virtual host. Note, however, that the configuration below explicitly turns off the AcceptFilter. This is necessary because in FTP the server, not the client, initiates the protocol conversation.
LoadModule ftp_module /usr/local/apache2/modules/mod_ftp.so
Listen 21 ftp
AcceptFilter ftp none
LogFormat "%u [%a] %r %>s" ftp_command
LogFormat "%{%b %e %H:%M:%S %Y}t %T %a %B %U %M %F %d %W %u %S %Z %Y" ftp_transfer
<VirtualHost _default_:21>
    FTP On
    SSLEngine on
    SSLCertificateFile conf/server.crt
    SSLCertificateKeyFile conf/server.key
    ErrorLog logs/ftps_error_log
    CustomLog logs/ftps_command_log ftp_command
    CustomLog logs/ftps_transfer_log ftp_transfer env=do_transfer_log
</VirtualHost>
The configuration below is similar to the one above, except for the FTPImplicitSSL directive and the listening port, which is 990. The AcceptFilter is set to data, since the conversation starts with an SSL handshake from the client.
LoadModule ftp_module /usr/local/apache2/modules/mod_ftp.so
Listen 990 ftps
AcceptFilter ftps data
LogFormat "%u [%a] %r %>s" ftp_command
LogFormat "%{%b %e %H:%M:%S %Y}t %T %a %B %U %M %F %d %W %u %S %Z %Y" ftp_transfer
<VirtualHost _default_:990>
    FTP On
    SSLEngine On
    FTPImplicitSSL On
    SSLCertificateFile ssl/server.crt
    SSLCertificateKeyFile ssl/server.key
    ErrorLog logs/ftps_error.log
    CustomLog logs/ftps_command.log ftp_command
    CustomLog logs/ftps_transfer.log ftp_transfer env=do_transfer_log
    DocumentRoot "/usr/local/apache2/htdocs"
</VirtualHost>
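To make the difference between the two configurations concrete, here is an added example (not mod_ftp's code, and not from the Apache documentation) that models the server side of the RFC 4217 control-channel exchange: with RequireSSL in effect every command before AUTH TLS is refused with 534, with FTPImplicitSSL the session starts already protected, and in both cases the data channel stays in the clear until the client sends PBSZ 0 and PROT P. The `ControlChannel` and `run_script` names and the `HANDSHAKE` marker are my own; no sockets or real TLS are involved.

```python
# Added example, not code from mod_ftp or the Apache docs: a model of the server side
# of the RFC 4217 upgrade, showing what FTPOptions RequireSSL and FTPImplicitSSL change.
# Reply codes follow RFC 4217 (234 accept AUTH, 534 policy refusal); TLS is a flag.

class ControlChannel:
    def __init__(self, require_ssl=False, implicit_ssl=False):
        self.require_ssl = require_ssl   # FTPOptions RequireSSL
        self.secured = implicit_ssl      # FTPImplicitSSL: TLS precedes the first command
        self.pbsz_done = False
        self.prot = "C"                  # data channel stays Clear until PROT P

    def handshake_done(self):
        # The client calls this after the TLS handshake that follows a 234 to AUTH TLS.
        self.secured = True

    def handle(self, line):
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "FEAT":
            return "211-Features:\r\n AUTH TLS\r\n PBSZ\r\n PROT\r\n211 End"
        if cmd == "AUTH":
            return "234 Proceed with TLS handshake" if arg.upper() == "TLS" \
                else "504 Unknown security mechanism"
        if self.require_ssl and not self.secured:
            return "534 Request denied for policy reasons"   # RequireSSL in effect
        if cmd == "PBSZ":
            self.pbsz_done = self.secured
            return "200 PBSZ=0" if self.secured else "503 Issue AUTH TLS first"
        if cmd == "PROT":
            if not self.pbsz_done:
                return "503 PBSZ must precede PROT"
            if arg.upper() not in ("C", "P"):
                return "536 Requested PROT level not supported"
            self.prot = arg.upper()
            return f"200 Protection level set to {self.prot}"
        if cmd == "USER":
            return f"331 Password required for {arg}"
        if cmd == "PASS":
            return "230 User logged in"
        return "502 Command not implemented"

def run_script(channel, lines):
    """Feed a client script to the channel; the 'HANDSHAKE' marker stands in for TLS."""
    replies = []
    for line in lines:
        if line == "HANDSHAKE":
            channel.handshake_done()
        else:
            replies.append(channel.handle(line))
    return replies
```

A client such as Python's ftplib.FTP_TLS performs exactly the AUTH TLS, PBSZ 0, PROT P sequence modelled here against the port-21 configuration above.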
An ever-growing number of FTP clients implement FTP over TLS, and listing them all is outside the scope of this document. A list can be found on Wikipedia. When selecting a client, do keep in mind that the FTP over SSH protocol (sometimes also called SFTP) is not supported by mod_ftp.