
Security Settings

Configuring Security Settings

The security settings page allows the administrator to configure all aspects of Cerberus FTP Server SSL/TLS security. To enable TLS/SSL connections between FTP and HTTP clients and the server, you need a server certificate and a private key.

Digital Certificate Support

Cerberus FTP Server 4.0 and higher supports RSA, DSA and Elliptic Curve (EC) keys. Support for elliptic curve cipher suites with FTPS requires a special Elliptic Curve Cryptography (ECC) build of Cerberus FTP Server.

There are generally two options for obtaining a digital certificate (with private key).

  1. You can generate your own self-signed certificate using the Cerberus Create Cert button.
  2. You can obtain a certificate from a recognized Certificate Authority.

Which is more appropriate depends on your goals. If you only want the traffic between client and server encrypted, a self-signed certificate is sufficient, and it has the benefit of being free and easily created through Cerberus. Keep in mind that a self-signed certificate does not by itself let a client tell your server from an impostor: the client either accepts it blindly (and is then exposed to an active man-in-the-middle) or must be configured to trust that specific certificate, for example by recording its fingerprint on first use.

If your goal is to make sure that your clients can verify that the server they are connecting to is legitimate and to ensure they don't see any warning messages about being "unable to verify the server" then using a certificate signed by a trusted certificate authority is required. You will have to contact one of the recognized Certificate Authorities such as Comodo, Thawte, Verisign or one of the many other recognized Certificate Authorities and request a server certificate (for a price).

A note about secure connections: Cerberus supports FTPS, FTPES, SFTP, and HTTPS encryption. To establish a secure connection you must connect to the server with a client that supports one of those secure methods. For secure FTPES, FTPS, or SFTP, this will require a dedicated FTP client, not a web browser. No web browsers natively support any type of secure FTP.

We have documentation available that walks you step-by-step through the process of using a self-signed certificate or importing a certificate from a third party certificate authority.

About Certificate Authorities

You only need to set up and validate against a certificate authority if you (the server) want to authenticate the certificates presented by your FTPS and HTTPS clients. If you are not verifying FTPS and HTTPS clients with certificates, you can safely ignore all of the certificate authority configuration information. Just select the No Verification setting (the default). Note: Client certificate verification is completely separate from SSH SFTP public key authentication, which is configured on a per user basis.

Figure: Security settings page of the Server Manager

TLS/SSL Security

Cerberus uses the settings here for all secure connections.

Security Options

These are basic TLS/SSL settings applicable to secure client FTPS, HTTPS, and SSH connections and encrypted HTTPS SOAP messages.

Enable Explicit TLS/SSL: This must be enabled to allow secure access to the server. NOTE: A certificate and private key must be available before TLS/SSL encryption will be available.
Enable FIPS 140-2 Mode: Engages the FIPS 140-2 certified encryption module for Cerberus FTP Server. Selecting this option restricts encryption to FIPS 140-2 approved algorithms. Only available in the Professional and Enterprise editions.
Ignore SSH Window Size: Some SFTP clients do not correctly request an increase in the SSH channel window size. Enabling this option allows those connections to continue even after exceeding the available channel window space.
Require Encryption on SFTP: Although most clients won't request an unencrypted connection, the SSH protocol does allow it (the "none" cipher). Check this option to refuse unencrypted SSH connections.
Public Certificate: The full path to your public certificate. The certificate is sent to the client during the TLS/SSL handshake and is examined by the client to verify the server. Supported key types include RSA, DSA, and Elliptic Curve keys.
Private Key: The full path to the server's private key, which corresponds to the public key in the certificate. During the handshake the server uses it to prove it owns that certificate (by signing handshake data, or with RSA key exchange by decrypting the pre-master secret the client encrypted to the server's public key); the session data itself is protected with symmetric keys derived from the handshake. The private key is never sent to the client.
NOTE: The certificate and private key can be in the same file. If they are, set the Private Key path to the same path as your Public Certificate path. Cerberus understands both DER and PEM encoded certificate formats.
Needs Key Password: Check this option if the private key file is encrypted with a password.
Password: The password used to decrypt the private key.
CA File: A file containing a PEM-encoded list of Certificate Authority certificates against which client certificates are verified. Cerberus FTP Server also uses this file to load and send the full certificate chain (the intermediate CA certificates) for the server certificate when a client connects, so include your issuing CA's intermediates here even if you are not verifying clients; without them some clients cannot build a chain to a trusted root.
Create Cert: Cerberus will generate a self-signed certificate that will allow encrypted connections.
Verify: Cerberus will attempt to verify that the certificate and private key at the Public Certificate and Private Key paths are recognized and readable with the given password.

Client Certificate Verification

Cerberus FTP Server can be configured to require FTPS and HTTPS clients to verify themselves using digital certificates. When given a Certificate Authority certificate list, Cerberus will verify that the client certificate is signed and valid for the given Certificate Authorities. Cerberus will also make sure the certificate hasn't been revoked if a CRL is specified. This feature is only available in Cerberus FTP Server Professional and Enterprise edition and currently only applies to FTPS, FTPES, and HTTPS connections.

No Verification: This is the default option. Cerberus will neither require nor verify client certificates.
Verify Certificate: Cerberus will attempt to verify that the certificate presented by the client is signed by one of the Certificate Authorities in the CA File and is currently valid. Any FTPS or HTTPS connection attempt without a valid certificate will be denied when this option is selected.
CA File: A file containing a PEM-encoded list of Certificate Authority certificates against which client certificates are verified.
CRL File: A file containing a PEM or DER-encoded Certificate Revocation List, that is, the serial numbers of the certificates the CA has revoked. The CRL must be signed by the CA certificate in the CA File. A CRL carries a next-update time, so refresh the file before that time passes: a stale CRL fails validation and client certificates will be rejected until it is replaced.

Additional Client Certificate Verification Options

Cerberus can be configured to provide additional post-verification client certificate checking. Specifically, you can require the certificate common name to match the FTP username. This option is currently only exposed via the settings.xml configuration file and can be controlled through the following security tag:

<verifyClientCommonName>true</verifyClientCommonName>

Set this option to true to enable certificate common name to FTP username checking.
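The following is an added illustration of the common-name-to-username check described above; it is example code written for this page, not Cerberus code, and it does not show how Cerberus itself implements the option. It assumes the client certificate subject is available in the shape Python's ssl.SSLSocket.getpeercert() returns (a tuple of RDNs, each a tuple of attribute/value pairs), and it treats a subject with no commonName, or with more than one, as a failed check rather than picking one. The sample certificate dictionaries are constructed for the example and are not real certificates.

```python
def common_names(subject):
    """Return every commonName value in a getpeercert()-style subject.

    getpeercert() represents the subject as a tuple of RDNs, each RDN a
    tuple of (attribute, value) pairs, for example:
    ((('countryName', 'US'),), (('commonName', 'alice'),))
    """
    return [value for rdn in subject for (attr, value) in rdn if attr == "commonName"]


def cn_matches_user(peercert, username):
    """Post-verification policy: the certificate CN must equal the FTP username.

    Returns False when the certificate has no CN or carries more than one, so
    a subject padded with extra CNs cannot satisfy the check by including one
    matching value among others. The comparison is exact and case-sensitive;
    whether to fold case to match the server's username rules is a local
    policy choice (assumption: we do not).
    """
    if not username:
        return False
    names = common_names(peercert.get("subject", ()))
    return len(names) == 1 and names[0] == username


# Constructed sample subjects in getpeercert() form (not real certificates).
ALICE_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Corp"),),
        (("commonName", "alice"),),
    ),
    "notAfter": "Jan  5 09:59:03 2034 GMT",
}
AMBIGUOUS_CERT = {"subject": ((("commonName", "alice"),), (("commonName", "bob"),))}
NO_CN_CERT = {"subject": ((("organizationName", "Example Corp"),),)}


if __name__ == "__main__":
    # In a real server this dict would come from sock.getpeercert() after the
    # TLS handshake has already validated the chain against the CA file.
    for label, cert in (("alice", ALICE_CERT), ("ambiguous", AMBIGUOUS_CERT), ("no-cn", NO_CN_CERT)):
        print(f"{label}: login as 'alice' allowed = {cn_matches_user(cert, 'alice')}")
```

The check runs only after signature and validity verification has already passed; it is an additional binding between the authenticated certificate and the account, not a replacement for CA verification.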

TLS/SSL Cipher Selection

The cipher suites that Cerberus offers during TLS/SSL negotiation are controlled through a text string in the Cerberus FTP Server settings.xml configuration file. The

<cipherListString>ALL:!LOW:!EXP:!ADH:@STRENGTH</cipherListString>

element follows the same cipher string format as the OpenSSL ciphers string (see the openssl ciphers manual page for the grammar). The value shown is permissive: ALL excludes only null-encryption suites, !LOW and !EXP drop the weakest and export-grade suites, and !ADH drops anonymous DH, but RC4, 3DES and MD5-based suites remain enabled on OpenSSL builds that include them, and !ADH does not cover anonymous elliptic curve DH (AECDH); use !aNULL to exclude every anonymous suite. When tightening this string, start from HIGH, exclude aNULL, MD5, RC4 and 3DES explicitly, and confirm the result with openssl ciphers -v before deploying it.
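The following added example (written for this page, not part of Cerberus or its documentation) expands the default cipherListString value above through OpenSSL, using Python's ssl module, which applies the same cipher-list grammar, and compares it with a stricter string. The stricter string HIGH:!aNULL:!MD5:!RC4:!3DES:!DES:@STRENGTH is a suggestion made here, not a Cerberus default, and the WEAK_MARKERS substrings are a heuristic for spotting suites a practitioner would not want offered. Which suites appear depends on the OpenSSL build Python is linked against.

```python
import ssl

# The value shipped in the page's settings.xml example.
CERBERUS_DEFAULT = "ALL:!LOW:!EXP:!ADH:@STRENGTH"
# Stricter alternative suggested in this example (assumption, not a Cerberus default).
STRICT_SUGGESTED = "HIGH:!aNULL:!MD5:!RC4:!3DES:!DES:@STRENGTH"

# Substrings that mark a suite as weak or anonymous in OpenSSL naming (heuristic).
WEAK_MARKERS = ("RC4", "DES", "NULL", "ADH", "AECDH", "MD5", "EXP")


def expand(cipher_string):
    """Return the suite names OpenSSL enables for an OpenSSL-format cipher string.

    set_ciphers() hands the string to OpenSSL exactly as a server would, so the
    result is what a server configured with that string would actually offer
    on this machine's OpenSSL build. get_ciphers() also lists the TLS 1.3
    suites, which OpenSSL manages separately from the cipher string; those are
    all AEAD suites and never match WEAK_MARKERS.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def weak_suites(names):
    """Suite names in `names` containing any weak-algorithm marker."""
    return sorted(n for n in names if any(m in n for m in WEAK_MARKERS))


def compare(default_string=CERBERUS_DEFAULT, strict_string=STRICT_SUGGESTED):
    """Return (suites enabled by default, suites enabled by strict, suites strict removes)."""
    default = expand(default_string)
    strict = expand(strict_string)
    dropped = sorted(set(default) - set(strict))
    return default, strict, dropped


if __name__ == "__main__":
    default, strict, dropped = compare()
    print(f"default string enables {len(default)} suites, strict string enables {len(strict)}")
    print("weak suites still offered by the default string:", weak_suites(default))
    print("suites removed by the strict string:", dropped)
```

On a modern OpenSSL build with RC4 compiled out the weak list for the default string may be empty apart from 3DES; on older builds it will show RC4 and MD5 suites, which is exactly the difference the stricter string is meant to remove.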

DSA Certificates and Ephemeral Diffie-Hellman Keys

Cerberus FTP Server 4.0.3 and higher includes support for DSA certificates. Unlike RSA keys, DSA keys can only sign and cannot be used for key exchange, so a DSA certificate forces ephemeral Diffie-Hellman (DHE) key exchange, which requires a set of Diffie-Hellman (DH) parameters.

DH parameters are computationally very expensive to generate and it isn't feasible (or necessary) to generate them in real time. Cerberus FTP Server includes DH parameters for 512, 1024, 2048, and 4096 bit groups. The parameters were pre-generated using strong sources of pseudo-random entropy and are used during DH key exchange to generate new, temporary keys for each SSL session. Note that 512-bit and 1024-bit DH groups are no longer considered secure against a well-resourced attacker; prefer 2048 bits or larger for any new deployment.

Cerberus looks for the DH parameter files in the C:\ProgramData\Cerberus LLC\Cerberus FTP Server\certificates directory. You can freely replace the included parameter files with your own pre-generated versions if you desire. If the existing files are deleted, Cerberus will attempt to re-create the missing files during startup by generating new ones. This can take a very long time, and Cerberus will appear to hang during startup while the files are generated. Deleting the existing DH parameter files is not recommended.

Elliptic Curve SSH Support

Cerberus FTP Server 4.0.3 and higher includes support for elliptic curve (EC) certificates. Cerberus FTP Server 4.0.9 and higher supports Elliptic Curve Diffie-Hellman (ECDH) key agreement, the Elliptic Curve Digital Signature Algorithm (ECDSA), and elliptic curve public keys for SSH SFTP as specified in RFC 5656. Only the required NIST curves at 256, 384, and 521 bits (nistp256, nistp384 and nistp521) with uncompressed points are currently supported. See the elliptic curve cryptography support page for more information.