Listener Encryption Settings (SSL)

To locate the SSL listener encryption settings, click Server > Listeners. Select the IP address of the listener you want to open and click Edit SSL Settings.

  • SSL type (Clear Only enabled by default). Select the type of SSL connection to attempt when a request comes in to the current listener.
    • Clear only. No SSL connection is allowed.
    • SSL enabled. An SSL connection is made after the client connects and issues the appropriate command. If the SSL command is not issued and you are not forcing SSL, the connection is made as a standard FTP connection.
    • Implicit SSL. An SSL connection is made immediately upon connection. With Implicit SSL, it is impossible for a non-SSL connection to be made on this listener. The default port for Implicit SSL listeners is 990.
  • SSL certificate. Displays the SSL certificate currently applied to the current listener. This is the SSL certificate that the server sends to identify itself to clients that connect to this listener. To select an SSL certificate, click Select.
    Note: If you are using a chained certificate (usually imported from a Certificate Authority), you should enter the primary and secondary CA certificates as Trusted Authorities. This will ensure that WS_FTP recognizes the certificate chain.
  • Request client certificate. If selected, the listener will request an SSL client certificate before allowing the user to authenticate. In order for the client to authenticate, the client certificate must be signed by a certificate in the Trusted Authorities list.
  • SSL security level. Select the TLS version that you want to allow clients to use to connect.
    • Enable TLS 1.2 (selected by default). Select this option to allow clients to connect using TLS 1.2.
    • Enable TLS 1.3 (selected by default). Select this option to allow clients to connect using TLS 1.3.

Ciphers associated with this listener

The ciphers are used to negotiate SSL connections with the remote server. The Cipher list allows you to choose which ciphers are permissible and their order of preference.

The following ciphers are enabled by default. Less secure ciphers are disabled by default on new and upgrade installations.

Cipher suites, listed by group:

TLS 1.3

  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_AES_128_GCM_SHA256

ECDHE (TLS 1.2)

  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-CHACHA20-POLY1305
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-RSA-AES256-SHA
  • ECDHE-RSA-AES128-SHA
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-CHACHA20-POLY1305
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-ECDSA-AES256-CCM
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-ECDSA-AES128-CCM
  • ECDHE-ECDSA-AES256-CCM8
  • ECDHE-ECDSA-AES128-CCM8

DHE (TLS 1.2)

  • DHE-RSA-AES256-GCM-SHA384
  • DHE-RSA-CHACHA20-POLY1305
  • DHE-RSA-AES128-GCM-SHA256
  • DHE-RSA-AES256-SHA256
  • DHE-RSA-AES128-SHA256
  • DHE-RSA-AES256-SHA
  • DHE-RSA-AES128-SHA

RSA (TLS 1.2)

  • AES256-GCM-SHA384
  • AES128-GCM-SHA256
  • AES256-SHA256
  • AES128-SHA256
  • AES256-SHA
  • AES128-SHA
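
When deciding which of these defaults to leave enabled, it helps to sort the TLS 1.2 suites by key exchange and cipher mode. The following is an added example, not part of the WS_FTP documentation: it classifies the TLS 1.2 names listed above, and the function and bucket names are this example's own.

```python
# Added example: TLS 1.2 suite names copied from the default list on this page.
DEFAULT_TLS12 = """
ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-SHA384
ECDHE-ECDSA-AES256-CCM ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256
ECDHE-ECDSA-AES128-CCM ECDHE-ECDSA-AES256-CCM8 ECDHE-ECDSA-AES128-CCM8
DHE-RSA-AES256-GCM-SHA384 DHE-RSA-CHACHA20-POLY1305 DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA
AES256-GCM-SHA384 AES128-GCM-SHA256 AES256-SHA256 AES128-SHA256 AES256-SHA AES128-SHA
""".split()

AEAD_MODES = ("GCM", "CHACHA20", "CCM")


def classify(suite):
    """Bucket one OpenSSL-style TLS 1.2 suite name (bucket names are hypothetical)."""
    key_exchange = suite.split("-")[0]
    if key_exchange not in ("ECDHE", "DHE"):
        # No key-exchange prefix means RSA key transport: no forward secrecy.
        return "static_rsa"
    if suite.endswith("CCM8"):
        # AEAD, but with a truncated 8-byte authentication tag.
        return "fs_aead_short_tag"
    if any(mode in suite for mode in AEAD_MODES):
        return "fs_aead"
    # Remaining names are AES-CBC with an HMAC (SHA, SHA256 or SHA384).
    return "fs_cbc"


def audit(suites):
    """Group suite names by bucket, preserving the order given."""
    buckets = {}
    for suite in suites:
        buckets.setdefault(classify(suite), []).append(suite)
    return buckets


if __name__ == "__main__":
    for bucket, names in audit(DEFAULT_TLS12).items():
        print(f"{bucket} ({len(names)}):")
        for name in names:
            print("   ", name)
```

Suites in the `fs_aead` bucket combine ephemeral key exchange with an AEAD cipher; the other buckets are the candidates to review first if your clients do not need them.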

Trusted Authorities

The Trusted Authorities list contains a list of certificates which the server trusts to sign client certificates. When Request client certificate is enabled and a client attempts an SSL connection, the server prompts the client for a client certificate. The server then checks to see if the client certificate is signed by any of the certificates in the trusted authorities list. If not, the connection is terminated.
  • To add a certificate to this list, click Add.
  • To remove a certificate from this list, click Remove.