Application-level Gateway supports the STARTTLS method for encrypting connections. STARTTLS support can be configured separately for the client- and server side. Currently, the following proxies support STARTTLS: Ftp proxy (to start FTPS sessions), Smtp proxy.
STARTTLS is enabled by default in the following encryption scenarios:
ClientOnlyStartTLSEncryption: STARTTLS is enabled on the client-side, but the server-side connection will not be encrypted.
FakeStartTLSEncryption: STARTTLS is enabled on the client-side, the server-side connection is always encrypted.
ForwardStartTLSEncryption: STARTTLS is enabled on the client-side, and Application-level Gateway forwards the request to the server.
Example 3.3. Configuring FTPS support |
---|
This example is a standard FtpProxy with FTPS support enabled. class FtpsProxy(FtpProxy): def config(self): FtpProxy.config(self) self.max_password_length=64 EncryptionPolicy(name="ForwardSTARTTLS", encryption=ForwardStartTLSEncryption(client_verify=ClientCertificateVerifier(), client_ssl_options=ClientSSLOptions(), server_verify=ServerCertificateVerifier(), server_ssl_options=ServerSSLOptions(), client_certificate_generator=DynamicCertificate(private_key=PrivateKey.fromFile(key_file_path="/etc/key.d/ZMS_Engine/key.pem"), trusted_ca=Certificate.fromFile(certificate_file_path="/etc/ca.d/certs/my-trusted-ca-cert.pem", private_key=PrivateKey.fromFile("/etc/ca.d/keys/my-trusted-ca-cert.pem")), untrusted_ca=Certificate.fromFile(certificate_file_path="/etc/ca.d/certs/my-untrusted-ca-cert.pem", private_key=PrivateKey.fromFile("/etc/ca.d/keys/my-untrusted-ca-cert.pem"))))) def demo() : Service(name='demo/MyFTPSService', router=TransparentRouter(), chainer=ConnectChainer(), proxy_class=FtpsProxy, max_instances=0, max_sessions=0, keepalive=Z_KEEPALIVE_NONE, encryption_policy="ForwardSTARTTLS") Rule(rule_id=2, proto=6, service='demo/MyFTPSService' ) |
Published on June 04, 2020
© 2007-2019 BalaSys
Send your comments to support@balasys.hu