Little known features of FTP 7.0 and FTP 7.5 (Part 2 - SSL Client Certificates)

Monday, June 1, 2009

FTP 7 and SSL Client Certificate Support

One of the little known features of FTP 7.0 and FTP 7.5 is their support for SSL client certificates.

There is no GUI support to configure client certificates for FTP. That makes the feature hard to discover. But client certificate support can be enabled programmatically by one of the many configuration options of IIS 7.

Why to use client certificates with FTP?

There are 2 reasons to consider FTP client certificates.

1) FTP7 forces the client certificates negotiated over control channel and data channel to match. It guarantees that both are originated by the same authorized client. I will not go into much detail, but FTP protocol for legacy reasons needs to maintain 2 connections. One, called control channel, represents the ftp session. The other connection is the data channel and it is typically negotiated for each data transfer (directory listing download, file download, file upload). Authentication is not negotiated for the data channel unless SSL client certificates are used. FTP forces the data and control channel to originate from the same client IP which provides reasonable security check. But in the case where high level of security is required, SSL certificates would be the way to go.

2) SSL client certificates could be used in combination with active directory mapping. That could allow smart card authentication for the FTP publishing.

FTP Configuration settings related to client certificates

Here is a quick description of the configuration element sslClientCertificates.

system.applicationHost\sites\<site>\ftpServer\security\sslClientCertificates

clientCertificatePolicy (default value: CertIgnore)

CertIgnore – don’t negotiate client certificates.
CertAllow - allow client certificate negotiate but don’t force it.
CertRequire – require client to send a valid client certificate.

useActiveDirectoryMapping (default value: false)

- Allow active directory mapping to be used for FTP authentication. This is analogous to Active Directory Mapping feature supported by IIS for HTTPS requests.

validationFlags (default value: no flags set)

- Validation flags are rarely to be set. They allow customizing the client certificate validation. The values below are analogous to the ones configurable for the HTTPS requests.

NoRevocationCheck – skip Certificate revocation checks.
CertChainRevocationCheckCacheOnly – revocation checks are to be performed only against the locally cached CRLs (Certificate Revocation Lists).
CertChainCacheOnlyUrlRetrieval – lookup intermediate certificates only in local caches to build the full certificate chain .
CertNoUsageCheck – ignore certificate usage specified in certificate.

revocationFreshnessTime (default: 0 – means that currently cached CRL is to be used unless expired)

- Check if newer CRL is available if currently cached CRL has been downloaded for longer then specified freshness time. For example, if revocationFreshnessTime is set to 1 day, then server will go and check for CRL update once a day even if CRL is valid for 7 days.

revocationUrlRetrievalTimeout (default value 1 minute)

- Specify the timeout for the attempt to download CRL.

Sample of a site configuration

Following sample demonstrates FTP publishing enabled on “Default Web Site”. FTP is configured to require SSL. It is also configured to require valid client certificates (below in bold).

Client stacks supporting FTPS with client certificates

System.Net.FtpWebRequest has a built-in support for client certificates (http://msdn.microsoft.com/en-us/library/system.net.ftpwebrequest.clientcertificates(VS.85).aspx).

Also Rebex ftp library supports ssl client certificates.

FTP 7 and SSL Client Certificate Support

Why to use client certificates with FTP?

FTP Configuration settings related to client certificates

Sample of a site configuration

Client stacks supporting FTPS with client certificates

No Comments