3.2.6. Enabling STARTTLS

Starting with version 3.3FR1, Zorp supports the STARTTLS method for encrypting connections. STARTTLS support can be configured separately for the client and server sides using the ssl.client_connection_security and ssl.server_connection_security parameters, respectively. The parameters have the following possible values:

Name                 Value
SSL_NONE             Disable encryption between Zorp and the peer.
SSL_FORCE_SSL        Require encrypted communication between Zorp and the peer.
SSL_ACCEPT_STARTTLS  Permit STARTTLS sessions. Currently supported only in the Ftp, Smtp and Pop3 proxies.

Table 3.4. Client connection security type.

Name                  Value
SSL_NONE              Disable encryption between Zorp and the peer.
SSL_FORCE_SSL         Require encrypted communication between Zorp and the peer.
SSL_FORWARD_STARTTLS  Forward STARTTLS requests to the server. Currently supported only in the Ftp, Smtp and Pop3 proxies.

Table 3.5. Server connection security type.

Note

In Zorp 7, the following proxies support STARTTLS: the Ftp proxy (to start FTPS sessions) and the Smtp proxy.
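The tables above distinguish permitting STARTTLS (SSL_ACCEPT_STARTTLS) from requiring encryption (SSL_FORCE_SSL): in the permit mode a client that never issues STARTTLS still gets a clear-text session. The following added example, which is not part of the Zorp documentation or code base, audits an SMTP transcript for sessions that authenticated or transferred mail before TLS was negotiated, which is the check a permit-only policy leaves to the operator. The transcript format, session identifiers and host names are constructed for the illustration.

```python
"""Audit SMTP session transcripts for STARTTLS use.

Added example, not part of the Zorp documentation. The transcript format
is constructed: each line is '<session-id> <C|S> <SMTP line>', C for a
line the client sent, S for the reply the client received.
"""
from dataclasses import dataclass


@dataclass
class Session:
    session_id: str
    starttls_offered: bool = False  # a 250 reply advertised STARTTLS
    starttls_done: bool = False     # client sent STARTTLS and got a 220 reply
    cleartext_auth: bool = False    # AUTH was sent before TLS was negotiated
    cleartext_mail: bool = False    # MAIL FROM was sent before TLS was negotiated


def parse_transcript(lines):
    """Return {session_id: Session} built from transcript lines."""
    sessions = {}
    awaiting_starttls_reply = set()
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        sid, direction, text = raw.split(" ", 2)
        s = sessions.setdefault(sid, Session(sid))
        upper = text.upper()
        if direction == "S":
            if upper.startswith("250") and "STARTTLS" in upper:
                s.starttls_offered = True
            elif upper.startswith("220") and sid in awaiting_starttls_reply:
                # 220 in answer to STARTTLS: everything after this is inside TLS
                s.starttls_done = True
                awaiting_starttls_reply.discard(sid)
        else:
            verb = upper.split(" ", 1)[0]
            if verb == "STARTTLS":
                awaiting_starttls_reply.add(sid)
            elif verb == "AUTH" and not s.starttls_done:
                s.cleartext_auth = True
            elif verb == "MAIL" and not s.starttls_done:
                s.cleartext_mail = True
    return sessions


def findings(sessions):
    """Return (session_id, message) pairs for sessions that stayed in clear text."""
    out = []
    for s in sessions.values():
        if s.cleartext_auth:
            out.append((s.session_id, "credentials sent before STARTTLS"))
        elif s.cleartext_mail and s.starttls_offered:
            out.append((s.session_id, "STARTTLS offered but mail sent in clear text"))
    return out


# Constructed sample: s1 upgrades before AUTH, s2 authenticates in clear
# text, s3 ignores the offered STARTTLS and submits mail unencrypted.
SAMPLE_TRANSCRIPT = """
s1 S 220 mail.example.test ESMTP
s1 C EHLO client.example.test
s1 S 250-mail.example.test
s1 S 250-STARTTLS
s1 S 250 AUTH PLAIN LOGIN
s1 C STARTTLS
s1 S 220 Ready to start TLS
s1 C EHLO client.example.test
s1 S 250 AUTH PLAIN LOGIN
s1 C AUTH PLAIN <base64-credentials>
s1 S 235 Authentication successful
s2 S 220 mail.example.test ESMTP
s2 C EHLO client.example.test
s2 S 250-mail.example.test
s2 S 250-STARTTLS
s2 S 250 AUTH PLAIN LOGIN
s2 C AUTH PLAIN <base64-credentials>
s2 S 235 Authentication successful
s3 S 220 relay.example.test ESMTP
s3 C EHLO client.example.test
s3 S 250-relay.example.test
s3 S 250-STARTTLS
s3 S 250 8BITMIME
s3 C MAIL FROM:<alice@example.test>
s3 S 250 OK
"""


def audit(transcript=SAMPLE_TRANSCRIPT):
    """Parse a transcript and return its findings."""
    return findings(parse_transcript(transcript.splitlines()))


if __name__ == "__main__":
    for sid, msg in audit():
        print(f"{sid}: {msg}")
```

Only the proxy sees the clear-text side of a session it terminates with SSL_ACCEPT_STARTTLS, so this kind of audit belongs on the proxy's own logs; where clear-text sessions are not acceptable, the tables' SSL_FORCE_SSL value removes the question entirely.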

Example 3.2. Configuring FTPS support

This example is a standard FtpProxy with FTPS support enabled.

from Zorp.Core import *
from Zorp.Proxy import *
from Zorp.Ftp import *
from Zorp.Encryption import *

class FtpsProxy(FtpProxy):
    def config(self):
        FtpProxy.config(self)
        self.max_password_length = 64

# Accept STARTTLS from the client and forward it to the server, verifying certificates on
# both sides; the client sees a dynamically generated certificate signed by the trusted CA
# when the server certificate verified and by the untrusted CA otherwise.
EncryptionPolicy(name="ForwardSTARTTLS",
    encryption=ForwardStartTLSEncryption(
        client_verify=ClientCertificateVerifier(), client_ssl_options=ClientSSLOptions(),
        server_verify=ServerCertificateVerifier(), server_ssl_options=ServerSSLOptions(),
        client_certificate_generator=DynamicCertificate(
            private_key=PrivateKey.fromFile(key_file_path="/etc/key.d/ZMS_Engine/key.pem"),
            trusted_ca=Certificate.fromFile(certificate_file_path="/etc/ca.d/certs/my-trusted-ca-cert.pem",
                private_key=PrivateKey.fromFile("/etc/ca.d/keys/my-trusted-ca-cert.pem")),
            untrusted_ca=Certificate.fromFile(certificate_file_path="/etc/ca.d/certs/my-untrusted-ca-cert.pem",
                private_key=PrivateKey.fromFile("/etc/ca.d/keys/my-untrusted-ca-cert.pem")))))

# Instance definition: the service and the rule that sends FTP traffic to it
def demo():
    Service(name='demo/MyFTPSService', router=TransparentRouter(), chainer=ConnectChainer(),
            proxy_class=FtpsProxy, max_instances=0, max_sessions=0, keepalive=Z_KEEPALIVE_NONE,
            encryption_policy="ForwardSTARTTLS")

    Rule(rule_id=2, proto=6, service='demo/MyFTPSService')  # proto 6: TCP