此内容没有您所选择的语言版本。
26.2.4. Encrypting vsftpd Connections Using TLS
In order to counter the inherently insecure nature of
FTP
, which transmits user names, passwords, and data without encryption by default, the vsftpd
daemon can be configured to utilize the TLS
protocol to authenticate connections and encrypt all transfers. Note that an FTP
client that supports TLS
is needed to communicate with vsftpd
with TLS
enabled.
Note
SSL
(Secure Sockets Layer) is the name of an older implementation of the security protocol. The new versions are called TLS
(Transport Layer Security). Only the newer versions (TLS
) should be used as SSL
suffers from serious security vulnerabilities. The documentation included with the vsftpd server, as well as the configuration directives used in the vsftpd.conf
file, use the SSL
name when referring to security-related matters, but TLS
is supported and used by default when the ssl_enable
directive is set to YES
.
Set the
ssl_enable
configuration directive in the vsftpd.conf
file to YES
to turn on TLS
support. The default settings of other TLS
-related directives that become automatically active when the ssl_enable
option is enabled provide for a reasonably well-configured TLS
set up. This includes, among other things, the requirement to only use the TLS
v1 protocol for all connections (the use of the insecure SSL
protocol versions is disabled by default) or forcing all non-anonymous logins to use TLS
for sending passwords and data transfers.
Example 26.1. Configuring vsftpd to Use TLS
In this example, the configuration directives explicitly disable the older
SSL
versions of the security protocol in the vsftpd.conf
file:
ssl_enable=YES ssl_tlsv1=YES ssl_sslv2=NO ssl_sslv3=NO
Restart the
vsftpd
service after you modify its configuration:
~]# service vsftpd restart
See the vsftpd.conf(5) manual page for other
TLS
-related configuration directives for fine-tuning the use of TLS
by vsftpd
. Also, see Section 26.2.5, “vsftpd
Configuration Options” for a description of other commonly used vsftpd.conf
configuration directives.