TLSRequired

Name

TLSRequired -- Require SSL/TLS on the control and/or data channel

Synopsis

TLSRequired [ on | off | ctrl | data | auth | auth+data ]

Default

off

Context

server config, <Global>, <VirtualHost>

Module

mod_tls

Compatibility

1.2.7rc1 and later

1.3.1rc1 and later provide the auth and auth+data options

Description

The TLSRequired directive is used to define a basic security policy, one that dictates whether the control channel, or data channel, or both, of an FTP session must occur over SSL/TLS.

The "on" parameter enables SSL/TLS requirements on both control and data channels; "off" disables the requirements on both channels. Use "ctrl" and "data" to require SSL/TLS on either channel individually.

The "auth" parameter requires that SSL/TLS be used on the control channel, but only for authentication. To use this setting and require SSL/TLS for data transfers, use the "auth+data" parameter.

The "auth+data" parameter allows a very specific security policy: authentication via the USER/PASS commands must be protected via SSL/TLS, as must the data channel, but after authenticating, the client can request that protection be removed from the control channel. This policy allows clients to use the CCC (Clear Command Channel) command, which in turn enables SSL/TLS-protected data transfers that operate better with firewalls that monitor the FTP control channel.
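The following is an added illustration, not mod_tls code: a small Python model of the policy described above, replaying a constructed FTP command sequence against each TLSRequired setting and reporting which commands the policy would reject. The session state, the rejection reasons, and the rule that CCC is refused under "on" and "ctrl" are assumptions drawn from the description, not from the server source.

```python
from dataclasses import dataclass

# Constructed model of the TLSRequired policy (assumption: mirrors the
# description above, not the real mod_tls implementation).
POLICIES = {"off", "on", "ctrl", "data", "auth", "auth+data"}


@dataclass
class Session:
    control_protected: bool = False  # AUTH TLS completed on the control channel
    authenticated: bool = False      # USER/PASS accepted
    prot_private: bool = False       # PROT P negotiated for data connections


def needs_ctrl(policy: str, s: Session) -> bool:
    """Must the control channel be TLS-protected for the next command?"""
    if policy in ("on", "ctrl"):
        return True
    if policy in ("auth", "auth+data"):
        return not s.authenticated  # required only until login completes
    return False


def needs_data(policy: str) -> bool:
    return policy in ("on", "data", "auth+data")


def evaluate(policy: str, s: Session, cmd: str):
    """Return (accepted, reason) for cmd under policy; updates s on success."""
    assert policy in POLICIES, f"unknown TLSRequired value: {policy}"
    parts = cmd.split()
    verb = parts[0].upper()
    if verb == "AUTH":
        s.control_protected = True
        return True, "control channel now protected"
    if verb in ("USER", "PASS") and needs_ctrl(policy, s) and not s.control_protected:
        return False, "authentication requires a protected control channel"
    if verb == "PASS":
        s.authenticated = True
        return True, "logged in"
    if verb == "PROT":
        s.prot_private = len(parts) > 1 and parts[1].upper() == "P"
        return True, "data protection level set"
    if verb == "CCC":
        if policy in ("on", "ctrl"):
            return False, "CCC refused: control channel must stay protected"
        if not s.authenticated:
            return False, "CCC refused before authentication"
        s.control_protected = False
        return True, "control channel now clear"
    if verb in ("RETR", "STOR", "LIST", "NLST") and needs_data(policy) and not s.prot_private:
        return False, "data transfers require PROT P"
    return True, "ok"


def replay(policy: str, commands):
    """Replay a command list from a fresh session; returns [(cmd, accepted)]."""
    s = Session()
    return [(c, evaluate(policy, s, c)[0]) for c in commands]
```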

See also

Examples

  # Require SSL/TLS on the control channel, so that passwords are not sent
  # in the clear.
  TLSRequired ctrl

  # Require SSL/TLS on both channels.
  TLSRequired on

  # Allow the client to use the CCC command to remove SSL/TLS from the
  # control channel, but only after authentication has been performed.
  # Still enforce the policy of using SSL/TLS for data transfers.
  #
  # Note that if we did not need to protect data transfers, we would
  # set 'TLSRequired auth' instead of using 'TLSRequired auth+data'.
  TLSRequired auth+data