
Securing FTP with TLS




This document describes a mechanism that can be used by FTP clients and servers to implement security and authentication using the TLS protocol defined by [RFC-2246] and the extensions to the FTP protocol defined by [RFC-2228]. It describes the subset of the extensions that are required and the parameters to be used; discusses some of the policy issues that clients and servers will need to take; considers some of the implications of those policies and discusses some expected behaviours of implementations to allow interoperation.

This document is intended to provide TLS support for FTP in a similar way to that provided for SMTP in [RFC-2487] and HTTP in [RFC-2817].

TLS is not the only mechanism for securing file transfer, however it does offer some of the following positive attributes:

1. Flexible security levels. TLS can support confidentiality, integrity, authentication or some combination of all of these. This allows clients and servers to dynamically, during a session, decide on the level of security required for a particular data transfer.

2. It is possible to use X.509 certificates to authenticate client users and not just client hosts.

3. Formalised public key management. By use of X.509 public certificates during the authentication phase, certificate management can be built into a central function. Whilst this may not be desirable for all uses of secured file transfer, it offers advantages in certain structured environments.

4. Co-existence and interoperation with authentication mechanisms that are already in place for the HTTPS protocol. This allows web browsers to incorporate secure file transfer using the same infrastructure that has been set up to allow secure web browsing.

The TLS protocol is a development of the Netscape Communication Corporation's SSL protocol and this document can be used to allow the FTP protocol to be used with either SSL or TLS. The actual protocol used will be decided by the negotiation of the protected session by the TLS/SSL layer. This document will only refer to the TLS protocol, however, it is understood that the Client and Server MAY actually be using SSL if they are so configured.

Note that this specification is in accordance with the FTP RFC [RFC-959] and relies on the TLS protocol [RFC-2246] and the FTP security extensions [RFC-2228].




