SecureFTPConnection should be used once secure file transfers are required. FTPConnection and ExFTPConnection do not support secure transfers.
The basic elements of configuring an FTPS connection are:
Validation of Server Certificates
SecureFTPConnection supports three types of validation of server validation as enumerated by SecureFTPServerValidationType:
ServerValidationType |
Description |
None |
No validation of server certificates is performed. |
Automatic |
Operating System services are used to validate certificates and the name on the certificate is checked to make sure that it matches the ServerCommonName of the server that we've connected to. |
AutomaticNoNameCheck |
Operating System services are used to validate certificates but no name checking is performed. |
Usage of server validation is strongly recommended since it virtually eliminates the possibility of communicating with the wrong server. While developing code, however, the programmer might like to postpone any possible certificate validation issues by disabling server validation by using SecureFTPServerValidationType.None.
In SecureFTPServerValidationType.Automatic server validation, the certificate is first checked to see if was issued by one of the CAs whose certificates are installed on the system or, alternatively, if the certificate itself is installed. If so, and the CommonName (CN) value on the certificate matches that of the ServerCommonName property (if set) or the name of the remote host (if ServerCommonName is not set).
SecureFTPServerValidationType.AutomaticNoNameCheck is the same as Automatic but the CommonName on the certificate is not checked.
SecureFTPConnection also provides a visual tool for managing server certificates. This may be used be used from the IDE or it may be invoked at runtime using the method SSLFTPCertificate.ShowCertificateManager.
Loading Client Certificates
In addition to the standard user-name/password authentication, some FTPS servers require clients to present certificates of their own. SecureFTPConnection supports client certificates.
To utilize this functionality, the SecureFTPConnection.ClientCertificate property must be initialized with a certificate that the server will recognize and a matching private key to be used for encryption of data.
Certificates are loaded using the following methods of SSLFTPCertificate:
Method Name |
Certificate Format |
CER |
|
PEM |
|
PFX |
In addition, a certificate must be associated with the private key of the certificate. This is done using the AssociatePrivateKey method which reads private key files of the PVK format. Developers often experience problems when trying to load a private key from a Windows Service. The topic, Private Key Access Problems, discusses this issue.
SecureFTPConnection also provides a visual tool for loading client certificates. This may be used be used from the IDE or it may be invoked at runtime using the method SSLFTPCertificate.PromptForCertificate.
The topic Obtaining Keys and Certificates for instructions on producing keys and certificates. A general overview of private/public keys is presented in the topic Public Key Cryptography.
Cipher Suites
For a client and a server to be able to communicate they must be able to agree on a common cipher suite. A set of cipher suites are enabled by default and in most cases the server will support one of these, meaning that no action is required by the developer. There may be cases where the server doesn't support any of the enabled cipher-suites. If this happens then the library will throw an exception when authentication takes place. It will then be necessary to set the CipherSuites property. By default the property is set such that all ciphers of 128 bits and over are enabled and all ciphers less than 128 bits are disabled. Some servers – particular older servers adhering to the now defunct US export rules – may only support 40 bit encryption. Use of such ciphers is not recommended as they offer relatively poor security. The topic, Selecting Ciphers, offers advice on selection of ciphers.