TLS Certificates and Connections

<< Click to Display Table of Contents >>

Navigation:  Robo-FTP User's Guide > Appendix > Security > Connecting to Secure Sites >

 TLS Certificates and Connections

 

TLS Certificates

A certificate is a digitally signed document that identifies a person, organization, or server and provides a copy of their public key for encryption. The digital signature may either be that of a third party Certificate Authority (CA) or the certificate may have been "self-signed" by its creator. The CA may be a well-known public organization that investigates and verifies the identity of an applicant before signing a certificate on their behalf or it could be software running on a server on your company's internal network. Data encrypted with the certificate's public key can only be decrypted using the private key held by the owner of the certificate.

 

In addition to the signature, a typical digital certificate also contains: the identity of the site, the identity of the person or organization that signed the certificate, the certificate's expiration date, the ID of the algorithm used to create the signature, the public key used for encryption, a cryptographic "thumbprint hash" to ensure that the contents of the certificate have not been modified, and a brief description of the intended purpose of the certificate.

 

TLS Server Certificate vs. Client Certificate

Every type of TLS connection supported by Robo-FTP derives its encryption from a trusted server host certificate while only the most secure connections also require client certificates. The primary purpose of client certificates is to authenticate the user and is used in lieu of a password on some servers. Robo-FTP provides a tool that allows you to generate your own client-side certificate. With Robo-FTP, you can specify a different client certificate for each managed site or define one default client certificate to use whenever a client certificate is required.

 

Trusting a Certificate

Robo-FTP will not establish a TLS connection unless it trusts the server's certificate. Robo-FTP automatically trusts a certificate signed by a previously trusted Certificate Authority. The operating system maintains a list of trusted CAs and Robo-FTP provides a method allowing you to explicitly trust a certificate not on the list.

 

 

TLS Connections

 

Robo-FTP uses the Transport Layer Security (TLS) protocol for FTPS and HTTPS connections. The Secure Sockets Layer (SSL) protocol was developed by Netscape to add privacy, integrity and authentication to the standard HTTP protocol but it ultimately became the normal method for securing almost all internet traffic. After SSL version 3.0, the protocol was renamed to TLS. The process of establishing a TLS connection is sometimes referred to as "negotiation" or a "handshake."

 

Establishing Unilateral Connections

In a unilateral TLS connection, only the server computer provides a certificate. To establish a unilateral connection, Robo-FTP requests a secure connection from a remote site. If the remote server is capable, it responds agreeing to the secure connection and providing a TLS certificate. If Robo-FTP trusts the server's certificate it creates a temporary random encryption key, encrypts it using the server's public key, and sends it back to the server. Because the temporary key was encrypted using the server's public key it can only be decrypted with the server's private key. At this point the temporary key is a secret known only to Robo-FTP and the server. The temporary key is used to encrypt all subsequent communication between Robo-FTP and the server for the duration of the TLS session and is discarded when the session ends.

 

Establishing Bilateral Connections

In some enterprise situations where security is a special concern, the remote server may require Robo-FTP to provide a client certificate to prove your identity before agreeing to the TLS connection. This is known as a bilateral connection or "mutual authentication."  

 

Configuring TLS

Robo-FTP allows for advanced configuration of TLS settings on a per-site basis. Such settings include specifying the minimum and maximum accepted TLS version, allowed ciphers, client hello method, and a number of special options. These settings can be specified through use of the /ssl* options available in the FTPLOGON command, or through the "Advanced TLS" tab for the relevant site.

 

Supported TLS Encryption Technologies

For information about all supported TLS versions, ciphers, and HMACs, see TLS/SSL Encryption.

 

Note: Although the term "SSL" is still widely used for secure connections, an upgraded version known as Transport Layer Security (TLS) is actually in use on most SSL servers and supported by Robo-FTP. Robo-FTP utilizes the OpenSSL library to provide the authentication and encryption found in the SSL/TLS protocol. More about OpenSSL may be found online at www.openssl.org.