8.6.2 SSL/TLS (FTP Options)

These options are available when you open the Security Properties dialog box from the FTP Client.

You will not see this tab if your Micro Focus product does not include the Reflection FTP Client.

The Secure Sockets Layer protocol (SSL) and its compatible successor, the Transport Layer Security protocol (TLS), enable a client and server to establish a secure, encrypted connection over a public network. When you connect using SSL/TLS, the client authenticates the server before making a connection, and all data passed between your client and the server is encrypted. Depending on the server configuration, the server may also authenticate the client.

The options are:

Use SSL/TLS Security

Enables SSL/TLS connections. You must select this before you can set other values on the SSL/TLS tab. When Use SSL/TLS Security is selected, FTP Client will only connect to the host if a secure SSL/TLS connection can be established.

Before making an SSL/TLS connection, FTP Client must authenticate the host. Authentication is handled through the use of digital certificates. These certificates are part of the same Public Key Infrastructure (PKI) that is used to secure internet transactions. Your computer must be configured to recognize the digital certificate presented by your host and, if necessary, to provide a certificate for client authentication. If your computer is not properly configured, or if the certificates presented for authentication are not valid, you will not be able to make SSL/TLS connections. Depending on how a host certificate was issued, you may need to install a certificate on your local computer.

SSL/TLS version

Specifies which SSL or TLS version to use.

Encryption Strength

Specify the desired level of encryption for SSL/TLS connections. The connection will fail if this level cannot be provided.

If you select Recommended Ciphers, the FTP Client will negotiate with the host system to choose the strongest encryption level supported by both the host and the client. This new setting contains the encryption level recommended by Micro Focus, and will change periodically.

If you are running in FIPS mode and select Recommended Ciphers, the FTP Client will negotiate using only FIPS compliant encryption levels.

If you select Custom Ciphers, you will be prompted to select from a list of available ciphers in the Custom Ciphers list view.

NOTE: Session files from previous versions of Reflection that use default, 168, 128 or 256 bit Encryption Strength will be imported as Custom Ciphers and maintain the list that was used in prior versions for those settings.

Run in FIPS mode

When you run in FIPS mode, all connections are made using security protocols and algorithms that meet FIPS 140-2 standards. In this mode some standard connection options are not available. A FIPS mode icon is visible on the status bar when a connection is made using FIPS mode.

NOTE: Selecting Run in FIPS mode on the SSL/TLS tab enforces FIPS mode only for the connection currently being configured. Administrators can use Group Policies to enforce FIPS mode for all connections.

Encrypt Data Stream

Specifies whether or not data is encrypted when the FTP client is configured to use SSL/TLS encryption. When this checkbox is selected, all communication between your computer and the FTP server is encrypted. When this checkbox is cleared, the FTP command channel (which is used for all FTP commands, including your user name and password) is encrypted. However, the data channel (which is used for directory listings and the contents of the files you transfer) is not encrypted.

Clear command channel

When this is enabled, FTP Client sends a CCC command to the host. If the host supports this option, this turns off encryption for the command channel only.

Retrieve and validate certificate chain

Specifies whether certificates presented for host authentication are checked to determine if they are valid and signed by a trusted CA.

CAUTION: Disabling this option can make connections vulnerable to man-in-the-middle attacks, which could compromise the security of the connection.

Use Reflection security proxy

Select this option to use a centralized management server (available separately from Micro Focus) to manage sessions launched from the Administrative WebStation.

Implicit SSL/TLS Connection

By default the FTP Client makes SSL/TLS connections using Explicit security. In order to establish the SSL connection, explicit security requires that the FTP client issue a specific command (AUTH TLS) to the FTP server after establishing a connection. If the server gives a success response, the client begins the TLS negotiation. The default FTP server port (21) is used.

When you select Implicit SSL/TLS Connection, the FTP Client uses Implicit security. Implicit security automatically begins with an SSL connection as soon as the FTP client connects to the server; no AUTH TLS command is sent prior to the TLS negotiation.

By default, the FTP Client uses port 990 for Implicit connections.
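
The settings above (Explicit versus Implicit security, Encrypt Data Stream, Clear command channel) decide which FTP commands go out and which channel ends up protected. The following is an added example, not Micro Focus code: it replays a client-side command log and reports what each channel's protection is. The log format, host name and function names are assumptions; PBSZ and PROT are the standard FTPS (RFC 4217) commands for data-channel protection, and that Reflection sends them for Encrypt Data Stream is also an assumption.

```python
from dataclasses import dataclass, field
# Constructed client-side command log (C: client command, S: server reply).
SAMPLE_LOG = """\
S: 220 ftp.example.test ready
C: AUTH TLS
S: 234 Proceed with negotiation
C: USER alice
S: 331 Password required
C: PBSZ 0
S: 200 PBSZ=0
C: PROT C
S: 200 Data channel clear
C: CCC
S: 200 Command channel clear
C: LIST
S: 150 Opening data connection
"""
DATA_COMMANDS = {"LIST", "NLST", "MLSD", "RETR", "STOR", "APPE"}

@dataclass
class Audit:
    mode: str                      # "implicit", "explicit" or "plaintext"
    control_encrypted: bool
    data_encrypted: bool = False   # treated as clear until PROT P is accepted
    findings: list = field(default_factory=list)

def audit_session(log: str, port: int = 21) -> Audit:
    implicit = port == 990         # the page's default port for Implicit connections
    a = Audit("implicit" if implicit else "plaintext", implicit)
    pending = None
    for line in log.splitlines():
        side, _, text = line.partition(": ")
        if side == "C" and text.strip():
            pending = text.split()
            verb = pending[0].upper()
            if verb in ("USER", "PASS") and not a.control_encrypted:
                a.findings.append(f"{verb} sent on unencrypted command channel")
            if verb in DATA_COMMANDS and not a.data_encrypted:
                a.findings.append(f"{verb} uses an unencrypted data channel")
        elif side == "S" and pending:
            verb, arg = pending[0].upper(), (pending[1:] or [""])[0].upper()
            if verb == "AUTH" and text.startswith("234"):
                a.mode, a.control_encrypted = "explicit", True
            elif verb == "PROT" and text.startswith("200"):
                a.data_encrypted = arg == "P"
            elif verb == "CCC" and text.startswith("200"):
                a.control_encrypted = False
                a.findings.append("CCC accepted: later commands travel in the clear")
            pending = None
    return a
```

Run against `SAMPLE_LOG`, the audit reports an Explicit session that finishes with both channels unencrypted, which is the combination of Encrypt Data Stream cleared and Clear command channel enabled.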

Connect through NAT server

Select this setting if your FTP Client connects through a NAT (Network Address Translation) server. When this setting is selected, the FTP Client ignores IP addresses in FTP commands returned from the server.

Security Proxy Server Settings

You can use settings under Use security proxy if you use a centralized management server (available separately from Micro Focus) to manage sessions and you launched this session from the Administrative WebStation. With these options, your session connects to your host via the Security Proxy included with the centralized management server. You can use this Security Proxy to configure secure connections even if your host is not running an SSL/TLS-enabled Telnet server. (Some of these settings are only visible when using the Administrative WebStation.)


  • When the Security Proxy is used, the connection between the client and the Security Proxy server is secured and encrypted using the SSL/TLS protocol. By default, the information sent between the proxy server and the destination host is in the clear. If you enable the End-to-End encryption option (available for 5250, 3270, and VT sessions), information sent between the Security Proxy and the destination host is also encrypted. (End-to-End encryption requires that the host support SSL/TLS.)

  • If you configure sessions that connect through the Security Proxy with authorization enabled, users must log on to the centralized management server before they can connect using these sessions.

Use Security proxy

Configure this session to use the Security Proxy for the server connection.

Proxy name

Select the proxy server name from the drop-down list, which shows available servers.

Proxy port

Select the proxy server port from the drop-down list.