At line 1 changed one line |
On this page can issue an SSL cert and tweak SSL ciphers. |
!SSL / TLS\\ |
If you already have a JKS, PFX, or PKCS12 keystore file, you do __not__ need to import this. This is a complete file and ready for CrushFTP to use. Just browse and choose this file, entering the password twice.\\ |
The top half of the page allows you to generate a new certificate by doing all 3 __Steps__ in order. [SSLCerts]\\ |
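Review bot: the bare [SSLCerts] at the end of the last new line has no link text and sits outside the sentence, where the replaced wording used [SSL Cert|SSLCerts] inline. Suggest restoring the labelled link. In the keystore line, "you do not need to import this" leaves it unclear what "this" refers to, so name the thing that can be skipped.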
At line 5 changed one line |
In the upper half of the page can issue a new cert by doing all 3 __Steps__ or apply an existing keystore, as per our [SSL Cert|SSLCerts] wiki.\\ |
The __Advanced__ section allows changing supported SSL cipher groups or enabling/disabling individual ciphers.\\ |
At line 7 changed one line |
The __Advanced__ section allows changing supported SSL cipher groups or tweak individual ciphers.\\ |
CrushFTP supports SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2,TLSv1.3.\\ |
TLSv1.3 requires Java 17+. We recommend only using TLSv1.2 and TLS v1.3. (TLS session resumption for FTPS/FTPES is only supported by TLSv1.3 and Java 17+.)\\ |
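Review bot: the session resumption sentence in the last new line now covers "FTPS/FTPES", while the reminder removed in the hunk at line 15 limited it to Implicit FTPS; please confirm the wider scope is intended. The same line writes "TLS v1.3" with a space where every other mention is "TLSv1.3". Since SSLv2Hello, TLSv1 and TLSv1.1 are listed as supported right before the recommendation, it would help to say explicitly that they should be removed from the field.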
At line 9 changed one line |
__TLS versions__ field defines the supported cipher groups for all SSL __server__ ports: HTTPS, WEBDAVS, FTPS, FTPES.\\ |
__TLS versions__ field defines the supported TLS versions the server ports will use: HTTPS, FTPS, FTPES.\\ |
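Review bot: WEBDAVS is missing from the server port list in the new line, while the old line named HTTPS, WEBDAVS, FTPS, FTPES. If WebDAV over TLS is still governed by this field, keep it in the list; if it is not, say where it is configured.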
At line 11 changed one line |
__TLS versions client__ field defines the supported cipher groups for all __client__ mode: CrushTask task items, remote user VFS of HTTPS, WEBDAVS, FTPS, FTPES type, the AS2 protocol, SMTP relay connector.\\ |
__TLS versions client__ field defines the supported TLS versions for all outbound __client__ connections. This includes SMTP, HTTPS (outbound), FTP(S)(ES) (outbound), etc connections globally throughout the application.\\ |
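Review bot: "etc connections" in the new line replaces a concrete list, and CrushTask task items, remote user VFS and the AS2 protocol no longer appear. An admin restricting outbound TLS versions needs to know whether those are still covered by this global setting, so suggest keeping the explicit items and dropping "etc". "FTP(S)(ES)" also differs from the "FTPS, FTPES" spelling used for the server field.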
At line 13 changed one line |
CrushFTP v10 supports SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2,TLSv1.3, while TLSv1.3 ciphers require Java 17+.\\ |
__Require valid client certificate__ , this is a rare feature when a remote server or your server is enforcing client [client cert|client certificate] authentication SSL/TLS. This should be configured individually on the server port instead of globally.\\ |
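Review bot: "enforcing client [client cert|client certificate] authentication SSL/TLS" in the new line renders the word "client" twice and ends in a dangling "SSL/TLS". Suggest "enforcing [client cert|client certificate] authentication over SSL/TLS". The last sentence says to configure this on the individual server port but does not say where, so a pointer to that port setting would help.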
At line 15 changed 5 lines |
__REMINDER:__ TLS session resumption for Implicit FTPS is only supported by TLSv1.3, when using this protocol either in client or server mode, need to tweak the cipher groups accordingly.\\ |
\\ |
__Require valid client certificate__ , usually never need to turn it on, enforces client [client cert|client certificate] authentication for all SSL ports.\\ |
\\ |
The __All insecure ciphers__ link will move all non-A rated ciphers into the __Disabled ciphers__ list, we update the strength policy by CrushFTP updates as new ciphers come in existence or vulnerabilities are discovered in existing ones.\\ |
The __All insecure ciphers__ link will move all non 'A' rated ciphers into the __Disabled ciphers__ list, we update the strength policy by CrushFTP updates as new ciphers come into existence or vulnerabilities are discovered in existing ones.\\ |
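Review bot: "non 'A' rated" in the new line does not say whose rating is meant, so a reader cannot tell which ciphers the link will move to the disabled list. Name the rating source or link to it. The sentence is also still a comma splice; split it after "list" and start a new sentence for how the strength policy is updated.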