This page covers how to enable FTPS (FTP over TLS) in unFTP, including generating certificates, configuring TLS on control and data channels, and setting up mutual TLS (mTLS) with client certificates.

Start by generating a self-signed certificate:

openssl req \
   -x509 \
   -newkey rsa:2048 \
   -nodes \
   -keyout unftp.key \
   -out unftp.crt \
   -days 3650 \
   -subj '/CN=www.myunftp.domain/O=My Company Name LTD./C=NL'

Then run unFTP, pointing it to the certificate and key. You can use the --ftps-required-on-control-channel setting to enforce TLS on the FTP control channel. In other words, an FTP client will only be allowed to use FTP commands once it has upgraded to a private TLS connection.

./unftp \
  --root-dir=/home/unftp/data \
  --ftps-certs-file=/home/unftp/unftp.crt \
  --ftps-key-file=/home/unftp/unftp.key \
  --ftps-required-on-control-channel=all

Setting up Mutual TLS

Create the root key and certificate for the CA that will sign client certificates:

openssl genrsa -out unftp_client_ca.key 2048
openssl req -new -x509 -days 365 \
  -key unftp_client_ca.key \
  -subj '/CN=unftp-ca.mysite.com/O=bol.com/C=NL' \
  -out unftp_client_ca.crt

Create a client side key:

openssl genrsa -out client.key 2048

Create a client side certificate signing request (CSR):

openssl req -new -sha256 \
    -key client.key \
    -subj '/CN=unftp-client.mysite.com/O=bol.com/C=NL' \
    -reqexts SAN \
    -config <(cat /etc/ssl/openssl.cnf \
        <(printf "\n[SAN]\nsubjectAltName=DNS:localhost")) \
    -out client.csr

Sign the client certificate with our own CA:

openssl x509 -req \
  -in client.csr \
  -CA unftp_client_ca.crt \
  -CAkey unftp_client_ca.key \
  -CAcreateserial \
  -extfile <(printf "subjectAltName=DNS:localhost") \
  -out client.crt \
  -days 1024 \
  -sha256

Run unFTP pointing to the CA cert:

unftp \
  --root-dir=/home/unftp/data \
  --ftps-certs-file=/home/unftp/unftp.crt \
  --ftps-key-file=/home/unftp/unftp.key \
  --ftps-required-on-control-channel=all \
  --ftps-client-auth=require \
  --ftps-trust-store=/Users/xxx/unftp/unftp_client_ca.crt

From another terminal, connect with curl, sending the client certificate:

curl -v \
  --insecure \
  --user 'test:test' \
  --ftp-ssl --ssl-reqd \
  --ftp-pasv --disable-epsv \
  --cacert unftp_client_ca.crt \
  --cert client.crt \
  --key client.key \
  --cert-type PEM \
  --pass '' \
  --tlsv1.2 \
  ftp://localhost:2121/
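The commands above produce the key, CSR and certificates but never check them; a key that does not match its certificate, or a client certificate that does not chain to the trust store, shows up only as a failed TLS handshake. As an added example, not code from the unFTP project, this POSIX shell script redoes this page's CA and client-certificate steps in a scratch directory and verifies the result with openssl before unFTP (--ftps-trust-store) or curl (--cert/--key) is pointed at it; the function names and the scratch directory are my own.

```shell
#!/bin/sh
# Added example, not code from the unFTP project: rebuild this page's CA and client
# certificate in a scratch directory, then verify them before unFTP or curl uses them.
set -eu

# Issue the CA and a CA-signed client certificate into directory $1, using the
# same subjects and SAN (DNS:localhost) as the openssl commands above.
issue_client_material() {
    dir=$1
    mkdir -p "$dir"
    openssl genrsa -out "$dir/unftp_client_ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$dir/unftp_client_ca.key" \
        -subj '/CN=unftp-ca.mysite.com/O=bol.com/C=NL' \
        -out "$dir/unftp_client_ca.crt" 2>/dev/null
    openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$dir/client.key" \
        -subj '/CN=unftp-client.mysite.com/O=bol.com/C=NL' \
        -out "$dir/client.csr" 2>/dev/null
    printf 'subjectAltName=DNS:localhost\n' >"$dir/san.ext"
    openssl x509 -req -in "$dir/client.csr" \
        -CA "$dir/unftp_client_ca.crt" -CAkey "$dir/unftp_client_ca.key" \
        -CAcreateserial -extfile "$dir/san.ext" \
        -out "$dir/client.crt" -days 1024 -sha256 2>/dev/null
}

# The private key $2 must belong to certificate $1: compare their public keys.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Certificate $2 must chain to CA $1, otherwise unFTP (--ftps-client-auth=require) rejects it.
signed_by_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Certificate $1 must carry DNS:$2 in its subjectAltName extension.
has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Run every check on the material in directory $1; the first failure is named.
check_client_material() {
    dir=$1
    key_matches_cert "$dir/client.crt" "$dir/client.key" || { echo "client.key does not match client.crt"; return 1; }
    signed_by_ca "$dir/unftp_client_ca.crt" "$dir/client.crt" || { echo "client.crt not signed by unftp_client_ca.crt"; return 1; }
    has_san "$dir/client.crt" localhost || { echo "client.crt lacks SAN DNS:localhost"; return 1; }
    echo "client material OK"
}

# Stand-alone use: issue_client_material mtls-demo && check_client_material mtls-demo
```

To validate the files you actually generated above, run check_client_material on the directory holding unftp_client_ca.crt, client.crt and client.key before starting unFTP.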

Now that we've covered FTPS/TLS configuration, you may want to explore cloud storage options or configure authentication methods.
