FTP 7 and SSL Client Certificate Support
One of the little known features of FTP 7.0 and FTP 7.5 is their support for SSL client certificates.
There is no GUI support to configure client certificates for FTP. That makes the feature hard to discover. But client certificate support can be enabled programmatically by one of the many configuration options of IIS 7.
Why to use client certificates with FTP?
There are 2 reasons to consider FTP client certificates.
1) FTP7 forces the client certificates negotiated over control channel and data channel to match. It guarantees that both are originated by the same authorized client. I will not go into much detail, but FTP protocol for legacy reasons needs to maintain 2 connections. One, called control channel, represents the ftp session. The other connection is the data channel and it is typically negotiated for each data transfer (directory listing download, file download, file upload). Authentication is not negotiated for the data channel unless SSL client certificates are used. FTP forces the data and control channel to originate from the same client IP which provides reasonable security check. But in the case where high level of security is required, SSL certificates would be the way to go.
2) SSL client certificates could be used in combination with active directory mapping. That could allow smart card authentication for the FTP publishing.
FTP Configuration settings related to client certificates
Here is a quick description of the configuration element sslClientCertificates.
clientCertificatePolicy (default value: CertIgnore)
- CertIgnore – don’t negotiate client certificates.
- CertAllow - allow client certificate negotiate but don’t force it.
- CertRequire – require client to send a valid client certificate.
useActiveDirectoryMapping (default value: false)
- Allow active directory mapping to be used for FTP authentication. This is analogous to Active Directory Mapping feature supported by IIS for HTTPS requests.
validationFlags (default value: no flags set)
- Validation flags are rarely to be set. They allow customizing the client certificate validation. The values below are analogous to the ones configurable for the HTTPS requests.
- NoRevocationCheck – skip Certificate revocation checks.
- CertChainRevocationCheckCacheOnly – revocation checks are to be performed only against the locally cached CRLs (Certificate Revocation Lists).
- CertChainCacheOnlyUrlRetrieval – lookup intermediate certificates only in local caches to build the full certificate chain .
- CertNoUsageCheck – ignore certificate usage specified in certificate.
revocationFreshnessTime (default: 0 – means that currently cached CRL is to be used unless expired)
- Check if newer CRL is available if currently cached CRL has been downloaded for longer then specified freshness time. For example, if revocationFreshnessTime is set to 1 day, then server will go and check for CRL update once a day even if CRL is valid for 7 days.
revocationUrlRetrievalTimeout (default value 1 minute)
- Specify the timeout for the attempt to download CRL.
Sample of a site configuration
Following sample demonstrates FTP publishing enabled on “Default Web Site”. FTP is configured to require SSL. It is also configured to require valid client certificates (below in bold).
<site name="Default Web Site" id="1">
<virtualDirectory path="/" physicalPath="%SystemDrive%\inetpub\wwwroot" />
<binding protocol="http" bindingInformation="*:80:" />
<binding protocol="ftp" bindingInformation="*:21:" />
<ssl serverCertHash="59C6458F09BD7FF2473C38F3909026872438CC51" controlChannelPolicy="SslRequire" dataChannelPolicy="SslRequire" />
<basicAuthentication enabled="true" />
<sslClientCertificates clientCertificatePolicy="CertRequire" />
Client stacks supporting FTPS with client certificates
System.Net.FtpWebRequest has a built-in support for client certificates (http://msdn.microsoft.com/en-us/library/system.net.ftpwebrequest.clientcertificates(VS.85).aspx).
Also Rebex ftp library supports ssl client certificates.