Opened 15 years ago

Last modified 6 years ago

#2246 closed Feature request

Enable SSL/TLS-Only Connections

Reported by: showergel
Priority: normal
Component: Other
Cc: showergel, Tim Kosse, Christian Schroeder

Description

There should be a mechanism which does one or the other
of the following:

(Easy, Preferred, global setting)
In the General Settings Options menu, there should be a
menu which will allow specific kinds of access to the
FTP server. It could include checkboxes for the types
of access the administrator desires such as "Standard"
for usual port 21 activity, "SSL" to enable only ssl,
"TLS" to enable only tls. It should also have the
ability to select one at a time, a combination of two,
or all three. This would give the administrator the
ability to only permit secure access, restrict to one
method of secure communication, allow open access, or any
combination of the former. FileZilla Server 0.96a's
default behavior is to accept and allow all connections
despite SSL/TLS being enabled. Therefore the
administrator cannot restrict to secure-only
communication, the user has to make that choice in
their FTP client.

(Difficult, Admins get more control, per user/group
setting)
Give the ability for specific users/groups to access
various folders to which their respective groups/users
permit access depending on if the session is open or
encrypted.
Example:
User1 belongs to Group1 and Group2. Group1 is the
user's home folder with public access. Group2 is a
data-sensitive folder that requires an encrypted
connection to gain access. If user is logged in with
standard ftp access, the user will be denied access to
Group2 until the user logs in with SSL/TLS.

I am *very* pleased with the current release, this
feature request will bring FileZilla server up to
corporate standards where security is a prerequisite.

Change History (7)

comment:1 Changed 15 years ago by Tim Kosse

What you can do, is to leave the listen ports input box on
the general page in the settings dialog empty. That way if
you have enabled SSL, FileZilla Server can only accept
SSL/TLS connections.

comment:2 Changed 15 years ago by showergel

When following that advice and leaving the listen ports in
the input box empty, FileZilla server 0.96a reports the
following on the main screen:

FileZilla Server version 0.9.6a beta
Copyright 2001 by Tim Kosse (Tim.Kosse@…)
Connecting to server...
Connected, waiting for authentication
Logged on
Retrieving settings, please wait... (going into settings)
Done retrieving settings
Sending settings, please wait... (removed port 21)
Done sending settings.
Closing all listening sockets
Failed to create a listen socket on any of the specified
ports. Server is not online!

...the Active option under the Server menu item will not
check itself/become active. FileZilla client reports this
after changing the server (even if explicitly specifying SSL
port 990):

Status: Connecting to 192.168.0.250 ...
Error: Unable to connect!
Error: Interrupted by user!
Status: Connecting to 192.168.0.250:990 ...
Error: Unable to connect!
Error: Interrupted by user!

The server side doesn't see the request. I checked firewall
settings and they match FZ Server, ports 21, 990, and range
10000-10100 for PASV mode. The server just isn't listening
for anything once the general settings port listen field is
emptied.

comment:3 Changed 14 years ago by Christian Schroeder

I concur that this is what happens. I'd love to be able to
switch off conventional ftp.

comment:4 Changed 14 years ago by Tim Kosse

To disable unencrypted connections, just leave the box
with the normal ftp port empty.

comment:5 Changed 14 years ago by Christian Schroeder

Hi,

I do this and I get

"Failed to create a listen socket on any of the specified
ports. Server is not online!"

...just as showergel reported.

comment:6 Changed 14 years ago by Tim Kosse

Please make sure you're using FileZilla Server 0.9.18. Make
sure there's at least one SSL port set and SSL is enabled.

comment:7 Changed 14 years ago by Christian Schroeder

I'm sorry - I feel like a fool.

Thanks for your patience. It works great now.

Thanks as always.
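
Editor's added example (not part of the ticket and not FileZilla code): a small check an administrator can run from a client machine after emptying the normal listen port box, to confirm that the plain FTP port no longer answers and that the SSL port is listening without sending a cleartext greeting. The function names and the "silent listener" heuristic are assumptions of this example; ports 21 and 990 are the ones mentioned in the thread.

```python
import socket


def probe(host, port, timeout=1.0):
    """Classify one TCP port as 'closed', 'plaintext-ftp', 'silent' or 'other'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"  # refused, unreachable or filtered: nothing accepted us
    with sock:
        try:
            banner = sock.recv(256)
        except socket.timeout:
            # The listener accepted the connection but waits for the client to
            # speak first, which is how an implicit SSL/TLS port behaves.
            return "silent"
        except OSError:
            return "closed"
    if not banner:
        return "closed"  # peer closed the connection without a greeting
    if banner.startswith(b"220"):
        return "plaintext-ftp"  # cleartext FTP greeting: unencrypted access
    return "other"


def tls_only(host, plain_port=21, tls_port=990, timeout=1.0):
    """Report whether the host looks restricted to implicit SSL/TLS FTP.

    Heuristic only: 'silent' shows the absence of a cleartext greeting, not a
    completed TLS handshake. Follow up with a real FTPS client login.
    """
    plain = probe(host, plain_port, timeout)
    tls = probe(host, tls_port, timeout)
    return {
        "plain": plain,
        "tls": tls,
        "tls_only": plain == "closed" and tls == "silent",
    }


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(tls_only(target))
```

A result of `plain: closed` together with `tls: closed` matches the "Server is not online!" state reported in comment:2, where no socket is listening at all.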
