At line 1 changed one line |
On this page can __[issue an SSL cert|SSLCerts]__ and tweak SSL cipher suite settings or individual ciphers. |
!SSL / TLS\\ |
From this SSL tab, you can generate and import signed certificates into a keystore. [SSLCerts]\\ |
If you already have a JKS, PFX, or PKCS12 keystore file, you do __not__ need to import this. This is a complete file and ready for CrushFTP to use. browse and choose this file.\\ |
The top half of the page allows you to generate a new certificate by doing all 3 __Steps__ in order.\\ |
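Review bot: the keystore sentence ends in a fragment, "browse and choose this file", which starts lowercase and does not say where the file is selected, and "you do __not__ need to import this" leaves "this" ambiguous between the keystore and a certificate. Suggest wording such as "You do not need to generate or import anything; browse to the keystore file and select it." The bare [SSLCerts] link at the end of the preceding line would also read better with link text, in the form used elsewhere on this page ([issue an SSL cert|SSLCerts]).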
At line 5 changed one line |
In the upper half of the page can issue a new cert by doing all 3 __Steps__ or apply an existing keystore, as per our [SSL Cert|SSLCerts] wiki.\\ |
The __Advanced__ section allows changing supported SSL cipher groups or enabling/disabling individual ciphers.\\ |
At line 7 changed one line |
The __Advanced__ section allows changing supported SSL cipher groups or enable/disable individual ciphers.\\ |
__TLS versions__ field defines the supported TLS versions the server ports will use: HTTPS, FTPS, FTPES.\\ |
At line 9 changed one line |
__TLS versions__ field defines the supported cipher groups for all SSL __server__ ports: HTTPS, WEBDAVS, FTPS, FTPES.\\ |
__TLS versions client__ field defines the supported TLS versions for all outbound __client__ connections. This includes SMTP, HTTPS (outbound), FTP(S)(ES) (outbound), etc connections globally throughout the application.\\ |
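Review bot: the client-side description ends with "etc connections", which is ungrammatical and leaves an administrator guessing which outbound paths this TLS setting covers. The other wording of this field on the page names CrushTask task items, remote user VFS items, the AS2 protocol and the SMTP relay connector; either keep those in the list or drop "etc" and rely on the "globally throughout the application" statement alone.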
At line 11 changed one line |
__TLS versions client__ field defines the supported cipher groups for all __client__ mode: CrushTask task items, remote user VFS of HTTPS, WEBDAVS, FTPS, FTPES type, the AS2 protocol, SMTP relay connector.\\ |
CrushFTP supports SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2,TLSv1.3. TLSv1.3 requires Java 17+. We recommend only using TLSv1.2 and TLS v1.3. |
(TLS session resumption for FTPS/FTPES is only supported by TLSv1.3 and Java 17+.)\\ |
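Review bot: "TLS v1.3" in the recommendation is spelled differently from the "TLSv1.3" token in the supported list on the same line; use one spelling, and consider showing the recommended value in the same comma-separated form as the list (TLSv1.2,TLSv1.3) so it is clear which entries to remove. The parenthetical also states session resumption for "FTPS/FTPES", while the other wording on this page limits it to Implicit FTPS and tells the reader to adjust the cipher groups accordingly; confirm which scope is correct and whether that advice should stay.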
At line 13 changed one line |
CrushFTP v10 supports SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2,TLSv1.3, while TLSv1.3 ciphers require Java 17+.\\ |
__Require valid client certificate__ , this is a rare feature when a remote server or your server is enforcing client [client cert|client certificate] authentication SSL/TLS. This should be configured individually on the server port instead of globally.\\ |
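Review bot: in the "Require valid client certificate" line, the link text follows the word "client", so it renders as "enforcing client client cert authentication SSL/TLS", with a duplicated word and no preposition before "SSL/TLS". Suggest "enforcing [client certificate|client certificate] authentication over SSL/TLS", and remove the space before the comma after the bold label. The sentence also does not say what the global setting does when enabled; the other wording on this page ("enforces ... for all SSL ports") made that explicit and is worth keeping next to the advice to configure it per server port.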
At line 15 changed 5 lines |
__REMINDER:__ TLS session resumption for Implicit FTPS is only supported by TLSv1.3, when using this protocol either in client or server mode, need to tweak the cipher groups accordingly.\\ |
\\ |
__Require valid client certificate__ , usually never needs to be turned on, enforces client [client cert|client certificate] authentication for all SSL ports. Rather recommanded to use the appropriate settings on specific server listener items instead.\\ |
\\ |
The __All insecure ciphers__ link will move all non-A rated ciphers into the __Disabled ciphers__ list, we update the strength policy by CrushFTP updates as new ciphers come in existence or vulnerabilities are discovered in existing ones.\\ |
The __All insecure ciphers__ link will move all non 'A' rated ciphers into the __Disabled ciphers__ list, we update the strength policy by CrushFTP updates as new ciphers come into existence or vulnerabilities are discovered in existing ones.\\ |
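Review bot: "non 'A' rated ciphers" does not say whose rating is meant, so a reader cannot tell which ciphers the link will disable or check the result against their own policy; name the rating source or link to the list. The sentence is also a comma splice and "we update the strength policy by CrushFTP updates" is awkward; suggest splitting it: "... into the __Disabled ciphers__ list. The strength policy is updated with CrushFTP releases as new ciphers come into existence or vulnerabilities are discovered in existing ones."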