Application-level Gateway supports the STARTTLS method for encrypting connections. STARTTLS support can be configured separately for the client- and server side. Currently, the following proxies support STARTTLS: Ftp proxy (to start FTPS sessions), Smtp proxy.
STARTTLS is enabled by default in the following encryption scenarios:
ClientOnlyStartTLSEncryption: STARTTLS is enabled on the client-side, but the server-side connection will not be encrypted.
FakeStartTLSEncryption: STARTTLS is enabled on the client-side, the server-side connection is always encrypted.
ForwardStartTLSEncryption: STARTTLS is enabled on the client-side, and Application-level Gateway forwards the request to the server.
| Example 3.12. Configuring FTPS support |
|---|
|
This example is a standard FtpProxy with FTPS support enabled. class FtpsProxy(FtpProxy):
def config(self):
FtpProxy.config(self)
self.max_password_length=64
EncryptionPolicy(
name="ForwardSTARTTLS",
encryption=ForwardStartTLSEncryption(
client_verify=ClientCertificateVerifier(),
client_tls_options=ClientTLSOptions(),
server_verify=ServerCertificateVerifier(),
server_tls _options=ServerTLSOptions(),
client_certificate_generator=DynamicCertificate(
private_key=PrivateKey.fromFile(key_file_path="/etc/key.d/VMS_Engine/key.pem"),
trusted_ca=Certificate.fromFile(certificate_file_path="/etc/ca.d/certs/my-trusted-ca-cert.pem", private_key=PrivateKey.fromFile("/etc/ca.d/keys/my-trusted-ca-cert.pem")),
untrusted_ca=Certificate.fromFile(certificate_file_path="/etc/ca.d/certs/my-untrusted-ca-cert.pem", private_key=PrivateKey.fromFile("/etc/ca.d/keys/my-untrusted-ca-cert.pem")))))
def demo() :
Service(name='demo/MyFTPSService', router=TransparentRouter(), chainer=ConnectChainer(), proxy_class=FtpsProxy, max_instances=0, max_sessions=0, keepalive=V_KEEPALIVE_NONE, encryption_policy="ForwardSTARTTLS")
Rule(rule_id=2,
proto=6,
service='demo/MyFTPSService'
)
|
Copyright: © 2021 Balasys IT Security
Send your comments to support@balasys.hu
