Documentation for Serv-U File Server

Serv-U Server encryption

Serv-U supports two methods of encrypted data transfer: Secure Socket Layer (SSL) and Secure Shell 2 (SSH2). SSL is used to secure the File Transfer Protocol (FTP) and Hypertext Transfer Protocol (HTTP). SSH2 is a method of securely interacting with a remote system that supports a method of file transfer commonly referred to as SFTP. Despite its name, SFTP does not have anything in common with the FTP protocol itself.

In order for each of these methods of encryption to work, a certificate, a private key, or both must be supplied. SSL requires the presence of both, while SSH2 only requires a private key. If you do not have either of these required files, you can create them in Serv-U.

Encryption options specified at the server level are automatically inherited by all domains. Any encryption option specified at the domain level automatically overrides the corresponding server-level option. Certain configuration options are only available at the server level.

Configure SSL for FTPS and HTTPS

Use an existing certificate

  1. Obtain an SSL certificate and private key file from a certificate authority.
  2. Place these files in a secured directory on the server.
  3. In Serv-U, go to Global > Limits & Settings > Encryption.
  4. Use the appropriate Browse buttons to select both the certificate and private key files.
  5. Enter the password used to encrypt the private key file.
  6. If a CA (Certificate Authority) PEM file has been issued, enter or browse to the file.
  7. Click Save.

If the provided file paths and password are all correct, Serv-U will start to secure FTPS and HTTPS connections using the provided certificate. If the password is incorrect or Serv-U cannot find either of the provided files, an error message is displayed.

Create a new certificate

  1. In Serv-U, go to Global > Limits & Settings > Encryption.
  2. Click Create Certificate.
    The New Certificate Creation window is displayed.

  3. Specify the Certificate Set Name, which is used to name each of the files Serv-U creates. For example, entering "myName" results in the creation of:

    myName.crt: The self-signed certificate file. This can be used immediately on the server but is not authenticated by any known certificate authority.
    myName.csr: The certificate request file. This can be provided to a certificate authority for authentication.
    myName.key: The private key file. This is used to secure both certificate files. It is extremely important that you keep the private key in a safe and secure location. If your private key is compromised, your certificate can be used by malicious individuals.

  4. Specify the output path where these files are to be placed. In most cases, the installation directory is a safe location. For example: C:\ProgramData\SolarWinds\Serv-U\.
  5. Enter the city, state (if applicable), two-digit country code, organization, and unit where the file server or corporation is located.
  6. Specify a password to encrypt the private key.
  7. Specify the common name/domain name for the certificate. The IP address or the Fully Qualified Domain Name (FQDN) that users use to connect should be used here.

    If you do not supply the IP address or FQDN used by clients to connect, clients may be prompted that the certificate does not match the domain name to which they are connecting.

  8. Select the required key length. 1024 bits provides best performance, 2048 bits is a good median, and 4096 bits provides best security.
  9. Click Create.
    The three files are now created in the specified directory.

View the certificate

To view the SSL certificate when it is configured, click View Certificate. All identifying information about the certificate, including the dates during which the certificate is valid, is displayed in a new window.

Advanced SSL options

The advanced SSL options can only be configured at the server level. All domains inherit this behavior, which cannot be individually overridden.

Serv-U now supports SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2, and 21 cipher suites, including Camellia, SEED, higher levels of SHA, and GCM cipher suites, in which encryption and authentication are a single native operation rather than two discrete operations. Serv-U also supports other cipher suites which provide perfect forward secrecy (PFS).

You can configure the following in the advanced SSL options:

Disable SSLv3 support

Serv-U supports several different versions of SSL. SSLv2 and SSLv3 have documented security weaknesses that make them less secure than TLS. However, it may be necessary to support SSLv2 or SSLv3 for compatibility with exported clients or old client software. Select the relevant option to disable support for the SSLv2 or SSLv3 protocols.

Disable TLSv1.0, TLSv1.1 or TLSv1.2 support

For compatibility reasons, it may be necessary to disable certain versions of TLS. Select the relevant option to disable support for TLSv1.0, TLSv1.1 or TLSv1.2.

To enable or disable specific cipher suites, click Configure Cipher Suites.

You can configure the following cipher suites:

TLSv1.2 only cipher suites

Cipher suites used only by TLSv1.2. If TLSv1.2 is disabled, changing a setting here has no effect.

TLSv1.x and SSLv3 cipher suites

Cipher suites used by SSLv3 and all versions of TLSv1.
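The following policy check is an added example, not Serv-U's own code: it evaluates cipher-suite metadata in the dictionary layout returned by Python's ssl.SSLContext.get_ciphers() and flags what a hardening pass over the Configure Cipher Suites list would usually disable: no forward secrecy, non-AEAD (separate MAC) construction, legacy algorithms such as SEED, Camellia and 3DES, and strength below 128 bits. The thresholds are the example's own, and the SAMPLE entries are constructed.

```python
# Added example (not Serv-U code): audits TLS cipher-suite metadata, in the
# dict layout of ssl.SSLContext.get_ciphers(), against a hardening policy:
# forward secrecy, AEAD construction, no legacy algorithms, >= 128-bit strength.
import ssl

PFS_KEX = {"kx-ecdhe", "kx-dhe", "kx-any"}       # kx-any: TLS 1.3 suites
LEGACY_SYMMETRIC = ("seed", "camellia", "des", "rc4", "idea")

def audit_suite(c):
    """Return the policy findings for one cipher dict (empty list == acceptable)."""
    findings = []
    if c["kea"] not in PFS_KEX:
        findings.append("no forward secrecy")
    if not c["aead"]:
        findings.append("non-AEAD (separate MAC, typically CBC)")
    if (c["symmetric"] or "").lower().startswith(LEGACY_SYMMETRIC):
        findings.append("legacy symmetric algorithm")
    if c["strength_bits"] < 128:
        findings.append("strength below 128 bits")
    return findings

def audit(ciphers):
    """Map suite name -> findings for every suite that violates the policy."""
    return {c["name"]: f for c in ciphers if (f := audit_suite(c))}

# Constructed sample entries (field values follow OpenSSL's reporting style).
SAMPLE = [
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "kea": "kx-ecdhe", "aead": True,
     "symmetric": "aes-256-gcm", "strength_bits": 256},
    {"name": "AES128-SHA", "kea": "kx-rsa", "aead": False,
     "symmetric": "aes-128-cbc", "strength_bits": 128},
    {"name": "CAMELLIA256-SHA", "kea": "kx-rsa", "aead": False,
     "symmetric": "camellia-256-cbc", "strength_bits": 256},
    {"name": "ECDHE-RSA-DES-CBC3-SHA", "kea": "kx-ecdhe", "aead": False,
     "symmetric": "des-ede3-cbc", "strength_bits": 112},
]

if __name__ == "__main__":
    # Live run: audit the suites the local OpenSSL build enables by default.
    live = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).get_ciphers()
    for name, findings in sorted(audit(live).items()):
        print(f"{name}: {', '.join(findings)}")
```

Run stand-alone, it lists the locally enabled suites that fail the policy; the same audit() can be applied to any list of suite dicts exported from a server's configuration.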

FIPS options

Enable FIPS 140-2 mode: FIPS 140-2 is a set of rigorously tested encryption specifications set by the National Institute of Standards and Technology (NIST). Enabling FIPS 140-2 mode limits Serv-U to encryption algorithms certified to be FIPS 140-2 compliant and ensures the highest level of security for encrypted connections.

When FIPS mode is enabled, the OpenSSL library used by Serv-U runs in FIPS-compliant mode.

When FIPS 140-2 mode is enabled, ciphers which are not FIPS compliant are not accepted, and applications which are not FIPS compliant cannot connect to Serv-U.

In practice, this means that older hardware and legacy applications with embedded support for protocols such as SSH may stop working correctly when FIPS mode is enabled. Additionally, non-compliant SSH keys and certificates stop working once FIPS mode is enabled.

To avoid these issues, the recommended workflow is to first enable FIPS mode, and then configure your security certificates and SSH private keys to make sure they are FIPS compliant.

For the list of encryption algorithms and ciphers compliant with FIPS, see the NIST website.

SFTP (Secure File Transfer over SSH2)

Use an existing private key

  1. Obtain a private key file.
  2. Place the private key file in a secured directory on the server.
  3. In Serv-U, go to Global > Limits & Settings > Encryption.
  4. Use Browse to select the file.
  5. Enter the password for the private key file.
  6. Click Save.
    After clicking Save, Serv-U will display the SSH key fingerprint associated with the private key.

Create a private key

  1. In Serv-U, go to Global > Limits & Settings > Encryption.
  2. Click Create Private Key.
  3. Enter a name for the private key (for example, MyDomainKey), which is also used to name the storage file.
  4. Enter the output path where the private key file is to be placed. For example: C:\ProgramData\SolarWinds\Serv-U\
  5. Select the Key Type. The default of DSA is preferred, but RSA is available.
  6. Select the Key Length. 1024 bits provides best performance, 2048 bits is a good median, and 4096 bits provides best security.
  7. Enter the password to use for securing the private key file.
  8. Click Create.

    After you create a new key, Serv-U displays the SSH key fingerprint associated with the new private key.
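As an added example (not Serv-U code), the script below computes the MD5 and SHA256 fingerprints of an OpenSSH public key line so the fingerprint Serv-U displays can be checked against what an SFTP client reports on first connection, and reads the key type and size to confirm the Key Type and Key Length selected above. make_sample_key builds constructed, non-cryptographic sample keys so it runs offline.

```python
# Added example (not Serv-U code): OpenSSH public key fingerprints and key
# type/size, to compare the fingerprint Serv-U displays with the one an SFTP
# client shows, and to confirm the key type and length that were chosen.
import base64
import hashlib
import struct

def _ssh_string(b):
    """Encode bytes as an SSH wire-format string (uint32 length + bytes)."""
    return struct.pack(">I", len(b)) + b

def _mpint(n):
    """Encode a non-negative integer as an SSH mpint (extra 0x00 if the high bit is set)."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def _read_string(blob, pos):
    """Decode one wire-format string at pos; return (bytes, next position)."""
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    return blob[pos + 4:pos + 4 + length], pos + 4 + length

def parse_public_key(line):
    """Return (key_type, key_bits) for an 'ssh-rsa AAAA... comment' line."""
    key_type, b64, *_ = line.split()
    blob = base64.b64decode(b64)
    wire_type, pos = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("type prefix does not match the encoded key blob")
    # Blob layout: ssh-rsa = mpint e, mpint n; ssh-dss = mpint p, q, g, y.
    # Key size is the bit length of n (RSA) or p (DSA).
    size_field, pos = _read_string(blob, pos)
    if key_type == "ssh-rsa":
        size_field, pos = _read_string(blob, pos)   # skip e, read n
    return key_type, int.from_bytes(size_field, "big").bit_length()

def fingerprints(line):
    """Return (MD5 colon-hex, 'SHA256:' base64) fingerprints of the key blob."""
    blob = base64.b64decode(line.split()[1])
    # MD5 is display-only here; usedforsecurity=False keeps it callable under a FIPS policy.
    md5 = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=").decode()
    return ":".join(md5[i:i + 2] for i in range(0, 32, 2)), "SHA256:" + sha

def make_sample_key(key_type, bits):
    """Constructed public key line of the requested type/size (not a real key)."""
    n = (1 << (bits - 1)) | 1      # placeholder integer with exactly `bits` bits
    if key_type == "ssh-rsa":
        blob = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint(n)
    else:
        blob = _ssh_string(b"ssh-dss") + _mpint(n) + _mpint(3) + _mpint(5) + _mpint(7)
    return f"{key_type} {base64.b64encode(blob).decode()} constructed-sample"
```

On a real deployment, feed fingerprints() the server's public key line (the contents of the .pub file matching the private key) and compare the SHA256 value with what the client prompts for; the comment field does not affect the fingerprint.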

SSH ciphers, MACs and Key Exchange Algorithms

SSH ciphers CAST-128-cbc, Blowfish-cbc and Triple DES-cbc are disabled by default for security reasons. If your specific security needs dictate that only certain ciphers or MACs can be used, you can individually enable or disable ciphers and MACs by selecting or deselecting them.