Configuring Security Settings
The security settings page allows the administrator to configure all aspects of Cerberus FTP Server SSL/TLS and SSH security. To enable TLS/SSL connections between FTP and HTTP clients and the server, you need a server certificate and a private key.
Digital Certificate Support
Cerberus FTP Server supports RSA, DSA and Elliptical Curve (EC) keys. Support for elliptical curve ciphers with FTPS and HTTPS is available with Cerberus FTP Server 6.0 and higher.
There are generally two options for obtaining a digital certificate (with private key):
- You can generate your own self-signed certificate using the Cerberus Create Cert button.
- You can obtain a certificate from a recognized certificate authority (CA)
Which option is more appropriate really depends upon your goals. If you just want to make sure that client and server connections are securely encrypted, then a self-signed certificate is all you need. Self-signed certificates have the benefit of being easily created through Cerberus and are completely free.
If your goal is to make sure that your clients can verify that the server they are connecting to is legitimate, and to ensure that clients do not see any warning messages about being “unable to verify the server”, then you will need to use a certificate signed by a trusted CA. You will have to contact one of the recognized CAs (such as Comodo, Thawte, Verisign, GoDaddy) and request a server certificate. Take a look at our help page on generating Certificate Signing Requests for more information about using a CA-signed certificate.
A note about secure FTP and HTTP connections: Cerberus supports FTPS, FTPES, SFTP, and HTTPS encryption. To establish a secure connection you must connect to the server with a client that supports one of those secure methods. For secure FTPES, FTPS, or SFTP, this will require a dedicated FTP client, not a web browser. No web browsers natively support any type of secure FTP.
We have documentation available that walks you step-by-step through the process of using a self-signed certificate or importing a certificate from a third party certificate authority.
About Certificate Authorities
You only need to worry about setting up and validating against a certificate authority if you (the server) want to authenticate the certificates coming from your FTPS and HTTPS clients. If you are not concerned with verifying your FTPS and HTTPS clients using certificates, then you can safely ignore all of the certificate authority configuration information. Just select the No verification setting (the default). Note: Client certificate verification is completely separate from SSH SFTP public key authentication. SSH SFTP public key authentication is configured on a per user basis.
Cerberus uses the settings here for all secure connections.
These are basic TLS/SSL settings applicable to secure client FTPS, HTTPS, and SSH connections and encrypted HTTPS SOAP messages.
|Enable Explicit TLS/SSL||This must be enabled to allow secure access to the server. NOTE: A certificate and private key must be available before TLS/SSL encryption will be available.|
|Enable FIPS 140-2 Mode||Enable the FIPS 140-2 certified encryption module for Cerberus FTP Server. Selecting this option enables encryption using only FIPS 140-2 certified algorithms. Only available in the Professional and Enterprise edition.|
|Public Certificate||The full path to your public certificate. The public certificate is exchanged with the client during TLS/SSL encryption and is examined by the client to verify the server. Supported key types include RSA, DSA, and Elliptical Curve keys.|
|Private Key||This is the server’s private key. The private key is used to encrypt messages to the client. The client can use the server’s public key to decrypt messages encrypted with the server’s private key. The private key is not sent to the client. If your public and private key are in the same file then set this path to be the same as the Public Certificate.
NOTE: The public and private key can be in the same file. If your public and private key are in the same file then set this path to the same path as your Public Certificate path. Cerberus understands both DER and PEM encoded certificate formats.
|Needs Key Password||Check this option if the digital certificate is encrypted.|
|Password||The key password used to decrypt your digital certificate.|
|CA File||A file containing a PEM-encoded list of Certificate Authorities with which to verify client certificates against. Cerberus FTP Server will also use this file to load and send the entire certificate chain for the server certificate when a client connects. Many CAs call this a CA bundle file.|
|Create Cert||Cerberus will generate a Self-Signed Certificate that will allow encrypted connections.|
|Create CSR||Generates a server private key file, and a CSR file. The server private key is kept on the server, and the CSR is submitted to a Certificate Authority. See this help section on generating a CSR for more information.|
|Verify||Cerberus will attempt to verify that the certificate at the Public and Private key path is recognized and readable with the given password.|
Client Certificate Verification
Cerberus FTP Server can be configured to require FTPS and HTTPS clients to verify themselves using digital certificates. When given a CA file, Cerberus will verify that the client certificate is signed and valid for the given certificate authorities. Cerberus will also make sure the certificate hasn’t been revoked if a CRL is specified. This feature is only available in Cerberus FTP Server Professional and Enterprise edition and currently only applies to FTPS, FTPES, and HTTPS connections.
|No Verification||This is the default option. Cerberus will not require nor will it verify digital certificates|
|Verify Certificate||Cerberus will attempt to verify that the certificate presented by the client is signed and valid. It will compare the certificate against the certificate authorities present in the CA Certificates File. Any FTPS or HTTPS connection attempts without a valid certificate will be denied when this option is selected.|
|CRL File||A file containing a PEM or DER-encoded list of key serial numbers that have been revoked. Note, the CRL must have been signed by the CA certificate.|
Advanced Security Options
|Security Profiles||These are common security settings. Selecting a security profile from the dropdown list will immediately modify the server’s security settings to match that profile.|
|Ignore SSH Window Size||Some SFTP clients do not correctly request an increase in the SSH channel window size. Enabling this option will allow those connections to continue even after exceeding the available channel window space.|
|Require Encryption on SFTP||Although most clients won’t request an unencrypted connection, the SSH protocol does allow it. Check this option to disallow nonencrypted SSH connections. This option should always be enabled for production servers.|
|Server Cipher Preference||During SSL/TLS session negotiation, the connecting client sends an ordered list of cipher suites to the server. The first suite in the list is the one most preferred by the client. Normally, the server honors the client preference by selecting the suite most preferred by the client among the list of suites that both the client and server support.
If this option is selected, the server selects the suite that the server itself most prefers among those that both the client and server support. This can be used to, for example, enforce that the strongest cipher that both the server and client support be used for the connection.
|Verify Client Certificate Common Name||Cerberus can be configured to provide additional post-verification client certificate checking. Specifically, you can require the certificate common name to match the FTP username. This option can be accessed by pressing the Advanced button.
Check the option to enable certificate common name to FTP username checking.
|Do Not Send Server Identification||If this option is checked, the server will use a generic identification string for the welcome message during SSH connections. The server will also omit the server header for HTTP/S connections.|
|SSL Cipher String||The ciphers that Cerberus uses during secure connection negotiation for TLS/SSL can be controlled through a text string. The Test button will list the ciphers available with the given string.
An example string:
The string follows the same cipher string format as the OpenSSL ciphers string.
|SSH Cipher List||The cipher algorithms advertised by Cerberus to clients during secure connection negotiation for SSH2 SFTP. You can select the algorithms you want advertised using this list. A full Cerberus FTP Server Windows Service restart is necessary for changes to this list to take effect.|
|SSH HMAC List||The HMAC algorithms advertised by Cerberus to clients during secure connection negotiation for SSH2 SFTP. You can select the algorithms you want advertised using this list. A full Cerberus FTP Server Windows Service restart is necessary for changes to this list to take effect.|
DSA Certificates and Ephemeral Diffie-Hellman Keys
Cerberus FTP Server 4.0.3 and higher includes support for DSA certificates. Unlike RSA certificates, DSA certificates cannot be used for key exchange (a necessary part of establishing an SSL or SSH connection), and additional pieces of information, known as Diffie-Hellman (DH) parameters, are required to allow key exchange using DSA.
DH parameters are computationally very expensive to generate, and it isn’t feasible (or necessary) to generate those parameters in real-time. Cerberus FTP Server includes DH parameters for 512, 1024, 2048, and 4096 bit keys. The parameters were pre-generated using strong sources of pseudo-random entropy, and are used during DH key exchange to generate new, temporary keys for each SSL session.
Cerberus looks for the DH parameter files in the C:\ProgramData\Cerberus LLC\Cerberus FTP Server\certificates directory. You can freely replace the included parameter files with your own, pre-generated versions if you desire. If the existing files are deleted, Cerberus will attempt to re-create the missing files during startup by generating new ones. This can take a very long time, and Cerberus will appear to hang during startup while the files are generated. Deleting the existing DH parameter files is not recommended.
Elliptic Curve SSH Support
Cerberus FTP Server 4.0.9 and higher support Elliptic Curve Diffie-Hellman (ECDH) key agreement, Elliptic Curve Digital Signature Algorithm (ECDSA), and elliptic curve public keys for SSH SFTP as specified in RFC 5656. Only the required NIST curves at 256, 384, and 521 bits with uncompressed points are currently supported. Please see this page for more information on elliptic curve cryptography support.