Start by generating a self-signed certificate:

openssl req \
   -x509 \
   -newkey rsa:2048 \
   -nodes \
   -keyout unftp.key \
   -out unftp.crt \
   -days 3650 \
   -subj '/CN=www.myunftp.domain/O=My Company Name LTD./C=NL'

Then run unFTP, pointing it to the certificate and key. You can use the --ftps-required-on-control-channel setting to enforce TLS on the FTP control channel. In other words, an FTP client will only be allowed to issue FTP commands after it has upgraded the connection to TLS.

./unftp \
  --root-dir=/home/unftp/data \
  --ftps-certs-file=/home/unftp/unftp.crt \
  --ftps-key-file=/home/unftp/unftp.key \
  --ftps-required-on-control-channel=all

Setting up Mutual TLS

Create the CA root key and certificate (this CA is what the server will trust for signing client certificates):

openssl genrsa -out unftp_client_ca.key 2048
openssl req -new -x509 -days 365 \
    -key unftp_client_ca.key \
    -subj '/CN=unftp-ca.mysite.com/O=bol.com/C=NL' \
    -out unftp_client_ca.crt

Create a client side key:

openssl genrsa -out client.key 2048

Create a client side certificate signing request (CSR):

openssl req -new -sha256 \
    -key client.key \
    -subj '/CN=unftp-client.mysite.com/O=bol.com/C=NL' \
    -reqexts SAN \
    -config <(cat /etc/ssl/openssl.cnf \
        <(printf "\n[SAN]\nsubjectAltName=DNS:localhost")) \
    -out client.csr

Sign the client certificate with our own CA:

openssl x509 -req \
  -in client.csr \
  -CA unftp_client_ca.crt \
  -CAkey unftp_client_ca.key \
  -CAcreateserial \
  -extfile <(printf "subjectAltName=DNS:localhost") \
  -out client.crt \
  -days 1024 \
  -sha256

Run unFTP pointing to the CA cert:

unftp \
  --root-dir=/home/unftp/data \
  --ftps-certs-file=/home/unftp/unftp.crt \
  --ftps-key-file=/home/unftp/unftp.key \
  --ftps-required-on-control-channel=all \
  --ftps-client-auth=require \
  --ftps-trust-store=/Users/xxx/unftp/unftp_client_ca.crt

From another terminal, connect with curl, sending the client certificate. Note that --insecure disables verification of the server's certificate, which is acceptable here only because the server certificate is self-signed; when testing a real deployment, point --cacert at the CA that issued the server certificate instead:

curl -v \
  --insecure \
  --user 'test:test' \
  --ftp-ssl --ssl-reqd \
  --ftp-pasv --disable-epsv \
  --cacert unftp_client_ca.crt \
  --cert client.crt \
  --key client.key \
  --cert-type PEM \
  --pass '' \
  --tlsv1.2 \
  ftp://localhost:2121/  
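The following script is an added check, not part of the unFTP documentation: it rebuilds the CA and client certificate from the steps above in a scratch directory and verifies what --ftps-client-auth=require with --ftps-trust-store enforces, namely that a client certificate is accepted only when it chains to the trust-store CA (a self-signed certificate with the same subject must fail). All names and subjects below are constructed; it needs only the openssl CLI.

```shell
# Added example (not from the unFTP docs). Reproduces the CA / client cert
# setup in a temporary directory and checks the trust-store rule offline.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Same steps as the tutorial, with constructed names, all inside $WORK.
make_pki() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 365 -key "$WORK/ca.key" \
    -subj '/CN=unftp-ca.example.test/O=Example/C=NL' \
    -out "$WORK/ca.crt" 2>/dev/null
  openssl genrsa -out "$WORK/client.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$WORK/client.key" \
    -subj '/CN=unftp-client.example.test/O=Example/C=NL' \
    -out "$WORK/client.csr" 2>/dev/null
  # SAN extension file instead of bash process substitution (POSIX sh safe).
  printf 'subjectAltName=DNS:localhost\n' > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/client.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/san.ext" -out "$WORK/client.crt" \
    -days 1024 -sha256 2>/dev/null
  # Rogue client cert: identical subject, but self-signed, so it does not
  # chain to ca.crt and must be rejected by a server trusting only ca.crt.
  openssl req -new -x509 -days 365 -newkey rsa:2048 -nodes \
    -keyout "$WORK/rogue.key" \
    -subj '/CN=unftp-client.example.test/O=Example/C=NL' \
    -out "$WORK/rogue.crt" 2>/dev/null
}

# check_client_cert CA CERT
# Returns 0 when CERT chains to CA and carries the DNS:localhost SAN the
# tutorial adds, 1 when the chain does not verify, 2 when the SAN is missing.
check_client_cert() {
  ca=$1; cert=$2
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
  openssl x509 -in "$cert" -noout -text | grep -q 'DNS:localhost' || return 2
  return 0
}

make_pki
check_client_cert "$WORK/ca.crt" "$WORK/client.crt" \
  && echo "client.crt: chains to the trust-store CA, would be accepted"
check_client_cert "$WORK/ca.crt" "$WORK/rogue.crt" \
  || echo "rogue.crt: does not chain to the CA, would be rejected"
```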
