WU-FTPD 2.6.1 Release Notes (5900-2465, September 2012)
the server and, if required, the client, and to provide session-level encryption and confidentiality
for the entire session.
• Hash algorithms. These algorithms are a set of one-way functions that accept a variable length
input, and, after mathematical processing, produce a fixed length output. The transformations
of the data produce a fingerprint of the input. The minor changes to the input appear as large
changes in the output. Popular hash algorithms include SHA-1, MD5, and RIPEMD.
Hash algorithms are used for integrity checking; that is, to ensure that data is not tampered
during transmission.
Prerequisites for configuring the TLS/SSL feature
Following are the prerequisites for configuring the TLS/SSL feature:
• The OpenSSL software
OpenSSL is an open source product that offers a general purpose cryptography library and
implementation of the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
protocols. OpenSSL is tested and supported on different HP-UX operating systems. OpenSSL
A.00.09.07m is the latest version of OpenSSL available on the HP-UX 11i v2 operating system.
It is available to download at http://www.software.hp.com.
The release notes for OpenSSL A.00.09.07m is available at www.hp.com/go/
hpux-security-docs. On this page, select HP-UX OpenSSL Software.
• The WU-FTPD 2.6.1 TLS enhancement bundle
The FTP-TLS enhancement bundle, ftp-ssl-ncf, contains TLS enhancement libraries for the
FTP client and server. The ftp(1) client and the ftpd(1M) server use these enhancement libraries
with OpenSSL to perform security operations.
Certificates and authorities
A certificate is a collection of information that uniquely identifies a client or a server. It includes
descriptive fields, such as the name of an organization and its location, and cryptographic
information, such as keys and signatures.
The private key of an asymmetrical key pair can be used to sign the content that, when decrypted
using the public key, establishes the signature. This signature can be used to offer proof of identity.
The public key infrastructure (PKI) uses a hierarchy of trustworthiness for the validation of identities,
in addition to signing certificates and keys. This is in contrast to the web of trust used in pretty
good protection (PGP), which has no central authority.
The central authority in a PKI issues a Certificate Authority (CA), a definitive certificate that contains
the information and the public key of the server. This CA can be used to sign other certificates, by
signing the public key of a requesting body, such as your server, with the private key. The trust in
identity is transitive, because the CA is recognized by all the involved parties as authoritative: "I
trust the CA, and the CA says that it is you, so it must be true."
Certificates can be revoked because of expiration or compromise in security. To do this, the issuing
body provides a certificate revocation list (CRL) that identifies the certificates to be invalidated.
This is also trusted because strong proof is provided through the trust mechanisms.
Certificates are available in different formats, though Privacy Enhanced Mail (PEM) is the most
widely used format. The PEM encoding is an ASCII text representation of the binary data in the
ASN.1 format. The X.509 standard defines the distinguished name (DN) format used in these
certificates.
A certificate contains the following information that accompanies the cryptographic keys:
• Common name (CN) being certified
• Organization (O) associated
6 WU-FTPD 2.6.1 Release Notes