Fact-checked by Grok 2 weeks ago

FTPS

FTPS (File Transfer Protocol Secure), also known as FTP over , is an extension to the (FTP) that incorporates the (TLS) protocol to encrypt both control and connections, thereby providing authentication, confidentiality, and integrity for file transfers over / networks. This secure variant addresses the vulnerabilities of standard FTP, such as transmission of credentials and in , enabling safe exchange of sensitive files between clients and servers. Standardized by the (IETF) in RFC 4217 in October 2005, FTPS leverages FTP's original architecture (RFC 959) while integrating security extensions (RFC 2228) for negotiating protection levels. FTPS supports two operational modes, though explicit mode is the only one defined in the : explicit and the deprecated implicit. In explicit mode, the session begins unencrypted on the standard FTP port 21, allowing the client to issue an AUTH command (e.g., AUTH TLS) to initiate TLS and switch to a protected channel, which provides flexibility for mixed environments. Conversely, implicit mode, a non-standard and deprecated alternative, mandates encryption from the outset, typically on 990, where the TLS handshake occurs immediately upon connection, offering a stricter security posture without initial cleartext exposure but lacking formal IETF specification. Both modes use commands like PROT (to set data protection levels, such as Private for encryption) and PBSZ (to define buffer sizes) to manage secure data flows. While FTPS enhances FTP's usability with encryption, it differs fundamentally from (), which operates as a separate over the (SSH) layer rather than extending FTP. This distinction means FTPS retains FTP's multi-port data connections, potentially complicating configurations, whereas typically uses a single port (22) for simplicity. Despite these challenges, FTPS remains a key for secure in enterprise settings, supported by clients like and servers from vendors such as and , though it is increasingly supplemented or replaced by more streamlined alternatives in modern deployments.

History and Development

Origins in FTP

The (FTP) originated in 1971 when , a graduate student at , authored RFC 114 to facilitate file transfers across the , a precursor to the modern . This early specification laid the groundwork for standardized file exchange among networked hosts, predating the TCP/IP suite. Over the subsequent decade, FTP underwent refinements to align with evolving network architectures, culminating in RFC 959 published in October 1985 by and Joyce Reynolds, which established it as the core standard for reliable file transfers over /. This version emphasized efficient data movement and remote file management but retained the protocol's foundational design, including separate control and data channels. However, FTP's transmission of usernames, passwords, and file contents in rendered it inherently vulnerable to , a concern that intensified with the rapid expansion of the public in the . attacks, such as password sniffing on network traffic, became prevalent by the mid-1990s, allowing unauthorized to credentials without detection. Additionally, the protocol's lack of exposed sessions to man-in-the-middle attacks, where intermediaries could alter commands or data, and to , enabling attackers to impersonate users mid-transfer. These security shortcomings prompted initial proposals for enhancements in the mid-1990s within the (IETF), leading to FTPS as a backward-compatible extension of FTP rather than a wholesale replacement. The concept crystallized in October 1997 with RFC 2228, which introduced optional security commands like AUTH for authentication negotiation and PROT for channel protection, addressing core vulnerabilities while preserving FTP's operational model. Subsequent RFCs, such as 4217, further refined these extensions for TLS integration.

Standardization Efforts

The standardization of FTPS began with the publication of 2228 in October 1997, which introduced FTP Security Extensions to address vulnerabilities in the original FTP protocol by enabling negotiation of security mechanisms, including the AUTH command for establishing TLS/SSL-protected sessions. This defined optional commands for strong , , and on both control and data channels, laying the foundational framework for secure FTP extensions. Building on these extensions, 4217 was published in October 2005 as the comprehensive specification for Securing FTP with TLS, detailing the mechanics for both explicit and implicit TLS modes to ensure secure and data transfer. This document formalized FTPS as an extension of FTP, incorporating TLS to protect against and tampering, and it referenced and expanded upon the security commands from 2228. 4217 built on the extensions from 2228 by providing a dedicated specification for TLS implementation. This was updated by 8996 in March 2021, which deprecated TLS versions 1.0 and 1.1. As of November 2025, no major revisions to these core FTPS specifications have occurred beyond the 2021 update to RFC 4217, with both RFC 2228 and RFC 4217 maintaining their status as Proposed Standards within the IETF standards track. The adoption of FTPS standards influenced implementations in the mid-, notably with version 2.0.0 released in June 2004, which introduced explicit TLS support, and subsequent versions adding implicit mode, thereby promoting widespread use of secure FTP in open-source environments. Similarly, integrated FTPS capabilities early in its development during the , supporting TLS-encrypted transfers and contributing to the protocol's acceptance in client software for secure file management. This software adoption helped establish FTPS as a for encrypted file transfers over FTP .

Protocol Fundamentals

Relationship to FTP

FTPS is an extension of the (FTP), as defined in RFC 959, which secures file transfers by integrating (TLS) while preserving the underlying protocol structure. It maintains FTP's client-server model, in which the client initiates a control connection to issue commands and a separate data connection for transferring files. The control connection defaults to port 21, and the data connection uses port 20 in active mode or dynamically assigned ports in passive mode, including support for the Extended Passive Mode (EPSV) command to facilitate firewall traversal. Core FTP commands, such as for , for submission, RETR for file retrieval, and STOR for file storage, are retained without alteration in FTPS, allowing seamless use of established operations. is achieved through extensions introduced in 2228, including the AUTH command to request TLS negotiation (with the '' ), the PROT command to define protection levels for channels (e.g., 'P' for private/encrypted or 'C' for clear/unencrypted), and the PBSZ command to configure the protection buffer size (typically set to 0 for TLS streaming mode). These additions enable of both and channels without disrupting FTP's syntactic foundation. In terms of compatibility, FTPS servers can revert to unsecured FTP operations by employing the PROT C command for plaintext data transfers or the CCC command to clear TLS protection on the control channel, thereby supporting interactions with legacy FTP clients. However, secure FTPS modes require clients to implement these extensions, rendering them incompatible with standard FTP clients that lack TLS support. For port configurations, explicit FTPS operates on the standard FTP control port 21, while implicit FTPS uses IANA-assigned port 990 for the control connection and port 989 for data in active mode, with passive mode following FTP conventions. The explicit mode is standardized in RFC 4217, whereas the implicit mode is a legacy implementation that predates the RFC and is not officially defined by the IETF but is widely supported. This design arose from FTP's inherent insecurities, such as the plaintext transmission of credentials, prompting the development of TLS-based protections.

Core Security Objectives

FTPS, or FTP Secure, primarily aims to address the inherent vulnerabilities of the original File Transfer Protocol (FTP) by integrating Transport Layer Security (TLS) to protect file transfers over insecure networks. Unlike plain FTP, which transmits commands, responses, and data in cleartext, exposing them to interception and eavesdropping, FTPS secures both the control and data channels without necessitating a complete protocol overhaul. This extension leverages FTP's existing command structure while layering cryptographic protections to mitigate common threats such as packet sniffing and man-in-the-middle attacks. A core security objective of FTPS is , achieved through TLS encryption of commands, responses, and file data to prevent unauthorized during transit. The protocol employs symmetric and asymmetric provided by TLS to ensure that sensitive information remains private, even over public networks. Additionally, FTPS emphasizes by utilizing TLS mechanisms, such as message authentication codes, to detect any tampering or alteration of , thereby verifying that files and commands arrive unaltered. These protections are integral to the TLS and ongoing session, as outlined in the FTPS specification. Authentication forms another fundamental goal, with FTPS requiring identity verification via digital certificates during the TLS negotiation, allowing clients to confirm they are communicating with a legitimate . Optional client certificates enable , further strengthening access controls beyond FTP's basic username-password mechanism. By implementing these objectives, FTPS provides robust protection against unauthorized access and data breaches. As of 2025, FTPS supports compliance with regulatory standards mandating secure data transmission, such as the Payment Card Industry Data Security Standard (PCI DSS) Requirement 4.1, which demands like TLS 1.2 or higher for protecting cardholder data during file transfers over open networks. Similarly, it aligns with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule under 45 CFR § 164.312(e)(1), which requires technical measures, including , to safeguard electronic in transit against unauthorized disclosure. These features make FTPS a preferred choice for industries handling sensitive financial or healthcare data.

Negotiation Methods

Explicit Mode

In explicit mode, the FTPS client establishes an initial unencrypted connection to the server's default port 21 using the standard FTP protocol. The client then issues the AUTH TLS command to request initiation of the TLS handshake, prompting the server to respond with a 234 reply code confirming that the security layer is ready to proceed. Once the TLS handshake completes, the control channel becomes encrypted, allowing subsequent commands, including user authentication via and , to be transmitted securely over this protected connection. Following authentication, the client typically sends the PBSZ command, often set to 0 to indicate no padding and enable streaming mode, after which the PROT command is used to specify the data channel protection level. The PROT P parameter establishes private protection, applying TLS encryption to data transfers, while alternatives like PROT C allow clear (unencrypted) transmission if desired. This negotiation enables flexible security configurations, such as confidential protection for sensitive sessions. Explicit offers significant advantages, including with legacy plain FTP clients that can connect without invoking , and the ability to dynamically negotiate levels based on client-server capabilities. It supports both active and passive data transfer s, maintaining compatibility with traditional FTP operations while optionally securing them. As an alternative to implicit , explicit provides greater in mixed environments.

Implicit Mode

Implicit FTPS mode establishes a secure by requiring the client to initiate a TLS-encrypted session immediately upon connecting to the server's designated port, without any preliminary negotiation commands. The client connects directly to port 990, where the server expects TLS to be active from the outset, triggering an immediate TLS to encrypt the control channel before any FTP commands are exchanged. This approach ensures that no communication occurs, providing end-to-end for the session from the connection's start. Unlike explicit mode, implicit mode is not defined in RFC 4217 but is a legacy implementation based on an earlier expired . Historically, implicit FTPS emerged as an early method to secure FTP transmissions before the of explicit . Once the TLS completes successfully, the entire FTPS session, including both and channels, operates under , with the level (PROT) command implicitly set to mode (PROT P) to safeguard transfers. This mandatory makes implicit mode less flexible than alternatives, as the rejects any non-TLS attempts to connect, enforcing strict without fallback options. Servers in implicit mode typically disable support for unencrypted connections on this , prioritizing in high-security environments. It gained traction in legacy systems and applications requiring uniform protection, though it has been somewhat deprecated in favor of more adaptable approaches due to its rigidity. This mode remains relevant in scenarios like enterprise networks or older infrastructure where mandatory TLS is enforced without client-side variability. In terms of port usage, the control connection defaults to port 990 for TLS-secured FTP, while data connections in active mode utilize port 989, as assigned by the Internet Assigned Numbers Authority (IANA). Clients must be explicitly configured to use these non-standard ports and enable TLS, as the implicit requirement is not backward-compatible with plain FTP clients. This setup demands prior knowledge of the server's security expectations, distinguishing it from explicit mode's use of the standard port 21.

TLS/SSL Mechanisms

Integration with FTP Sessions

In FTPS, TLS is integrated into the FTP's dual-channel architecture by upgrading the control channel through a TLS handshake, which secures subsequent commands and prepares for protected data transfers. In explicit mode, the process begins after the initial unencrypted TCP connection to port 21, where the client sends the AUTH TLS command to request TLS negotiation; upon server approval with reply code 234, the TLS handshake proceeds directly over the existing control connection, encapsulating all further FTP commands in encryption. In implicit mode, the client connects directly to port 990, triggering the TLS handshake immediately upon TCP establishment, thereby assuming full-session encryption without an initial AUTH command or plaintext negotiation phase. Session resumption enhances the efficiency of FTPS by allowing reuse of previously negotiated TLS parameters for multiple connections within the same FTP session, particularly beneficial for data channels that follow the control channel setup. This is achieved using TLS session IDs (in TLS 1.2 and earlier) or session tickets (in TLS 1.3), enabling abbreviated handshakes that avoid the computational overhead of full negotiations while maintaining security continuity between the control and data connections. As of 2025, FTPS implementations predominantly support TLS 1.2 and TLS 1.3 for session integration, with SSL protocols fully deprecated due to vulnerabilities; the TLS version and cipher suites are dynamically negotiated during the to ensure compatibility and security, as specified in the protocol extensions. Error handling seamlessly blends FTP reply codes with TLS outcomes, such as returning code 421 for a failed AUTH TLS in explicit signaling session closure, while data connection failures may yield code 522 to indicate negotiation failures.

Command Channel Security

In FTPS, the command channel, which handles FTP control commands and server responses, is secured through the integration of Transport Layer Security (TLS) following the initiation of a secure session. The process begins with the client issuing the AUTH TLS command to the server over the unsecured control connection, prompting a TLS handshake that establishes an encrypted tunnel for subsequent communications on the control channel. This handshake typically occurs on TCP port 21 in explicit mode or port 990 in implicit mode, ensuring that the initial negotiation transitions the channel to a protected state. Once the TLS session is established via AUTH TLS, all subsequent FTP commands—such as for username submission, for password authentication, and for directory listings—and the corresponding server replies are transmitted over the encrypted TLS connection, encompassing the full scope of control channel traffic. This encryption applies uniformly to the command channel after the security parameters are negotiated, protecting the and of these exchanges without altering the underlying FTP protocol semantics. This security on the command yields key benefits, including the prevention of credential exposure by encrypting sensitive commands like and during transmission, thereby mitigating risks of in transit. Additionally, the TLS-provided integrity checks guard against command injection attacks, where malicious alterations to commands or responses could compromise session control, ensuring that only authenticated and unaltered data is processed. The protections outlined are strictly limited to the control , with data channel security negotiated separately via the PROT command as required. The control channel encryption can be cleared using the command, reverting to for , though this is discouraged for reasons.

Data Channel Security

In FTPS, data channel security protects the content transferred during file operations, such as uploads and downloads, ensuring and separate from the command channel. In explicit mode, this security is activated after the client successfully negotiates the PROT command with the "P" parameter on the protected control , which enables private protection using TLS for both and data . The PROT command requires a prior PBSZ command with a size of 0, indicating that the security protocol handles buffering directly without additional FTP-level adjustments. Data connections are established using standard FTP mechanisms: the PORT command for active mode, where the server initiates the connection to a client-specified (typically starting from port 20 but adjustable), or the PASV command for passive mode, where the server listens on a dynamically assigned high-numbered and provides its to the client. In both modes, once the underlying connection is formed, a dedicated TLS secures the data , with the connection initiator serving as the TLS client and the other party as the TLS server. This process applies uniformly to active and passive transfers, encrypting the payload for commands like STOR (store) and RETR (retrieve) to prevent interception or modification of sensitive files. Each connection necessitates its own TLS negotiation, which incurs computational and latency overhead due to and certificate validation, particularly burdensome for applications involving numerous small transfers or parallel sessions. Servers may enforce or support TLS session resumption to reuse cryptographic parameters from the control channel or prior sessions, reducing this overhead without compromising . FTPS also permits the (Clear Command Channel) command to disable protection on the command channel after data is in place, allowing control commands for , though this exposes signaling to risks and is advised against in modern deployments. In implicit FTPS, data channel security operates without explicit PROT negotiation, as the entire session assumes TLS protection from connection initiation on the dedicated port (typically 990 for and 989 or a range for data), achieving similar for transfers in active or passive modes.

Certificate Management

In FTPS, certificates play a crucial role in the TLS , authenticating the to the client and establishing trust for encrypted sessions. These certificates, typically X.509v3 format, must include identification details such as the (FQDN) to enable proper validation, as recommended for TLS-based protocols. Servers can use self-signed certificates for internal or testing environments, though this requires clients to manually trust them, increasing vulnerability to man-in-the-middle attacks; alternatively, CA-issued certificates from providers like offer automated domain validation and broader trust without manual intervention. Client certificates provide optional , allowing the server to verify the client's identity during the TLS negotiation following the AUTH TLS or AUTH SSL command. This feature enhances in scenarios requiring bidirectional trust, such as transfers, but is not mandatory and depends on server configuration to request it. When enabled, the same client certificate should be used across and channels to maintain consistency. Effective management in FTPS involves regular renewal to prevent expiration, which can disrupt connections by failing the TLS handshake and triggering errors like 534 (policy denial due to invalid certificates) in implementations such as IIS. is handled through standard TLS mechanisms, including Certificate Revocation Lists (CRL) for batch checks or (OCSP) for real-time validation, ensuring compromised certificates are promptly untrusted without interrupting valid sessions. Best practices emphasize robust key strengths, such as keys of at least 2048 bits or ECDSA with NIST P-256 curves, to resist cryptographic attacks, aligning with federal guidelines for TLS deployments. Additionally, enabling (SNI) in the TLS extension supports on shared IP addresses, a standard capability in modern FTPS servers like as of 2025.

Optional Encryption Configurations

FTPS supports optional encryption configurations through the PROT command, which allows of levels for the data channel following . The defined levels include Clear (C), which provides no or , transmitting data in ; (S), which offers checks without ; (P), which enables full for both and ; and Confidential (E), which provides without . These levels permit administrators to tailor security based on context, though is the default for secure transfers in most implementations. The (Clear Command Channel) command further enables downgrading the control channel to unencrypted mode after initial TLS negotiation, typically used in explicit FTPS to facilitate with systems or firewalls that struggle with persistent . This command switches the channel back to , while the channel's remains governed by the prior PROT setting. Configurations allowing partial or no , such as PROT C or , are sometimes employed for client , to minimize CPU overhead in fully trusted internal networks, or during sessions where aids . However, these options introduce significant risks, including exposure of sensitive to , man-in-the-middle attacks, and unauthorized , as unencrypted channels lack against . best practices strongly discourage disabling on internet-facing FTPS servers, recommending enforcement of PROT P and avoidance of to maintain end-to-end . Implementation of these optional configurations occurs server-side, for example, in by setting ssl_enable=NO in the to disable TLS entirely, or by permitting PROT C responses during explicit mode sessions for selective downgrading. Explicit mode inherently provides this flexibility by starting in plaintext and upgrading only as negotiated, unlike implicit mode which assumes constant encryption.

Deployment Challenges

Firewall and NAT Compatibility

One of the primary challenges in deploying FTPS arises from its reliance on the underlying FTP protocol's dual-channel architecture, which complicates interactions with and (NAT) devices. In passive mode, invoked via the PASV or EPSV commands, the server listens for incoming data connections on dynamically assigned ephemeral ports, typically ranging from 1024 to 65535, rather than the fixed port 20 used in active mode for outgoing server-initiated connections. This dynamic port allocation requires administrators to configure rules allowing a broad range of high-numbered ports, often leading to security risks if not tightly controlled or to connectivity failures if the range is insufficiently permitted. NAT traversal exacerbates these issues, particularly with the command in active mode, where the client specifies its and port for the server to connect to; behind , the private IP sent in the command cannot be reached without rewriting, which standard NAT routers fail to perform automatically. In passive mode, the PASV response includes the server's and port, but if the server is behind , it may advertise its private IP, preventing the client from establishing the data connection unless manually overridden. FTPS's encryption of both control and data channels prevents firewalls from inspecting these commands to dynamically open ports or rewrite addresses, rendering traditional FTP Gateways (ALGs)—which parse unencrypted traffic for such adjustments—ineffective or limited in functionality. To mitigate these compatibility problems, administrators can restrict the passive port range on the FTPS server to a narrow, predefined set (e.g., 50000–51000) and correspondingly open only those ports in the , reducing the while ensuring reliable data transfers. The Extended Passive Mode (EPSV), defined in RFC 2428, improves compatibility by omitting the from the response—relying instead on the control channel's established IP—and supporting both IPv4 and , making it preferable for modern networks over the IPv4-limited PASV. Additional strategies include deploying dedicated FTPS proxies or application gateways that terminate and re-originate connections, bypassing direct inspection needs. In implicit FTPS mode, which secures the entire session from connection initiation on ports 990 (control) and typically 989 (data), these issues persist or worsen, as the lack of initial unencrypted negotiation hinders any potential ALG intervention, often necessitating even stricter port configurations. These persistent incompatibilities stem from FTP's original design in RFC 959 (1985), predating the widespread adoption of firewalls and in the mid-1990s, an architectural legacy that continues to challenge FTPS deployments as of despite ongoing protocol extensions.

Performance and Compatibility Issues

One significant performance challenge in FTPS deployments arises from the TLS handshakes required for securing both control and data channels. In explicit FTPS mode, the initial AUTH TLS command initiates a handshake on the control channel, while each subsequent data connection—often multiple per session in passive or active modes—triggers additional handshakes, adding latency typically ranging from 100 to 300 milliseconds per connection depending on network round-trip time, cipher suite, and TLS version (e.g., reduced in TLS 1.3 due to fewer round trips). This overhead is exacerbated in high-volume transfers, where frequent data connections for file listings or large batches can accumulate delays. Furthermore, the encryption process itself imposes higher CPU utilization, particularly for asymmetric cryptography during handshakes and symmetric /decryption of payloads, potentially bottlenecking throughput on resource-constrained servers during intensive operations. Compatibility issues further complicate FTPS adoption, as not all FTP clients and servers natively support TLS integration. For instance, the built-in Windows command-line ftp.exe tool lacks FTPS capabilities, requiring third-party clients like or for secure transfers on Windows systems. In contrast, macOS provides built-in FTPS support via Finder's "Connect to Server" feature using the ftps:// protocol, reducing the need for third-party clients, though advanced options like FileZilla or Transmit are available for additional features. This gap often forces organizations to deploy additional software, increasing maintenance overhead. Additionally, FTPS is frequently confused with (which uses SSH for security rather than TLS), leading to interoperability errors when partners expect one protocol but implement the other. As of 2025, FTPS usage is declining in favor of alternatives like and HTTPS-based transfers, which offer simpler traversal and broader ecosystem support. To mitigate these issues, administrators should deploy dedicated FTPS servers from reputable vendors, such as those supporting explicit mode with optional encryption commands like to balance security and performance. Cross-compatibility testing using tools like , which handles both explicit and implicit modes robustly, is recommended to verify client-server interactions before production rollout.

References

  1. [1]
    RFC 4217: Securing FTP with TLS
    **Summary of RFC 4217 - Securing FTP with TLS**
  2. [2]
    FTPS - Obsolescent Secure File Transfer Protocol (FTP)
    FTPS combines FTP with SSL/TLS for security, but is now largely obsolete, replaced by SFTP, and has no good application.
  3. [3]
    [MS-FTPS]: Overview - Microsoft Learn
    Apr 23, 2024 · The FTP protocol uses a dynamic range of ports for data connections. Firewalls implement packet filters that can parse the port information ...
  4. [4]
    Support for FTPS protocol - IBM
    FTPS is FTP using SSL/TLS for security, protecting data integrity. It has implicit and explicit connection modes, and uses SSL v3.0 and TLS v1.0.<|separator|>
  5. [5]
    RFC 114: File Transfer Protocol
    This paper is a "first cut" at a protocol that will allow users at any host on the network to use the file system of every cooperating host.Missing: Abhay | Show results with:Abhay
  6. [6]
    Abhay Bhushan - Internet Hall of Fame
    In 1971, he defined the ARPANET's method of performing what has become one of the Internet's most essential functions, the transfer of data. The document which ...
  7. [7]
    RFC 959: File Transfer Protocol
    The primary function of FTP defined as transfering files efficiently and reliably among hosts and allowing the convenient use of remote file storage ...
  8. [8]
    FTP Server – Beware of Security Risks
    Since FTP is unencrypted, man-in-the-middle attacks can and have been used to inject malware into software downloaded using FTP. Contents. Secure Alternative ...Missing: eavesdropping | Show results with:eavesdropping
  9. [9]
    RFC 2228 - FTP Security Extensions - IETF Datatracker
    Mar 2, 2013 · These extensions provide strong authentication, integrity, and confidentiality on both the control and data channels with the introduction of new optional ...Missing: early | Show results with:early
  10. [10]
    RFC 2228: FTP Security Extensions
    These extensions provide strong authentication, integrity, and confidentiality on both the control and data channels with the introduction of new optional ...
  11. [11]
    RFC 4217: Securing FTP with TLS
    This document describes a mechanism that can be used by FTP clients and servers to implement security and authentication using the TLS protocol.
  12. [12]
    RFC compliance - pyftpdlib documentation
    RFC-2228 - FTP Security Extensions . Specifies several security extensions to the base FTP protocol defined in RFC-959. New commands: AUTH, ADAT, PROT, PBSZ ...
  13. [13]
    Information on RFC 2228 - » RFC Editor
    This document defines extensions to the FTP specification STD 9, RFC. For the definition of Status, see RFC 2026. For the definition of Stream, see RFC 8729.
  14. [14]
    Information on RFC 4217 - » RFC Editor
    This document describes a mechanism that can be used by FTP clients and servers to implement security and authentication using the TLS protocol.
  15. [15]
    Software Evolution Repository @ UCR
    Download. Click on a program to go directly to its download link and release dates: ... vsftpd-2.0.0.c 06/29/04; vsftpd-2.0.1.c 07/02/04; vsftpd-2.0.2pre1.c 07/05 ...
  16. [16]
    FileZilla - The free FTP solution
    The FileZilla Client not only supports FTP, but also FTP over TLS (FTPS) and SFTP. It is open source software distributed free of charge under the terms of the ...Version history · Download FileZilla Client · Download FileZilla Server · Support
  17. [17]
    RFC 959 - File Transfer Protocol - IETF Datatracker
    The primary function of FTP defined as transfering files efficiently and reliably among hosts and allowing the convenient use of remote file storage ...
  18. [18]
    RFC 2228 - FTP Security Extensions - IETF Datatracker
    These extensions provide strong authentication, integrity, and confidentiality on both the control and data channels with the introduction of new optional ...
  19. [19]
    https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml
  20. [20]
    https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss
  21. [21]
    45 CFR 164.312 -- Technical safeguards. - eCFR
    (1) Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that ...
  22. [22]
    What is FTPS? - EnterpriseDT
    Typically, the implicit FTPS protocol uses port 990 rather than the standard FTP port 21. Explicit FTPS fixed this by requiring the AUTH command to be sent by ...
  23. [23]
    Implicit FTPS and Explicit FTPS - edtFTPnet/PRO - EnterpriseDT
    Before the FTPS Internet Draft was published a somewhat abortive attempt at offering a secure version of FTP was made. This is now referred to as implicit FTPS.
  24. [24]
    SSL support - IBM
    The Internet Assigned Numbers Authority (IANA) officially designates port 990 as the FTPS control channel port and port 989 as the FTPS data channel port.<|control11|><|separator|>
  25. [25]
    TLS/SSL core - Rebex FTP - Rebex.NET
    Supported versions: TLS 1.3 (not available on .NET Compact Framework); TLS 1.2; TLS 1.1; TLS 1.0; SSL 3.0. Note: TLS ...<|separator|>
  26. [26]
    Common File Transfer Error Codes in FTP, FTPS & SFTP - Pro2col
    What are the most Common FTP and FTPS Error Codes? ; 534. SSL not allowed. This return code signifies that the server requires SSL/TLS for secure communication.
  27. [27]
    https://datatracker.ietf.org/doc/html/rfc4217#section-3
  28. [28]
    https://datatracker.ietf.org/doc/html/rfc4217#section-4.2
  29. [29]
    https://datatracker.ietf.org/doc/html/rfc4217#section-5
  30. [30]
    https://datatracker.ietf.org/doc/html/rfc4217#section-15.2.3
  31. [31]
    https://datatracker.ietf.org/doc/html/rfc4217#section-15.2.4
  32. [32]
    https://datatracker.ietf.org/doc/html/rfc4217#section-9
  33. [33]
    https://datatracker.ietf.org/doc/html/rfc4217#section-6
  34. [34]
    https://datatracker.ietf.org/doc/html/rfc4217#section-4
  35. [35]
    https://datatracker.ietf.org/doc/html/rfc4217#section-5.1
  36. [36]
    https://datatracker.ietf.org/doc/html/rfc4217#section-5.2
  37. [37]
    https://datatracker.ietf.org/doc/html/rfc4217#section-11
  38. [38]
    https://datatracker.ietf.org/doc/html/rfc4217#section-5.3
  39. [39]
    https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-ftps/ae1c1884-832f-4613-8816-d0cc0032ac43
  40. [40]
    Control Connection Negotiation with Implicit FTPS | Microsoft Learn
    Apr 23, 2024 · When a client connects to the TCP port dedicated for Implicit FTPS, the server MUST NOT send the connection greeting message immediately.
  41. [41]
    FTP Client Certificate Authentication <clientCertAuthentication>
    Mar 22, 2022 · This form of Secure Sockets Layer (SSL) authentication was introduced in FTP 7 and uses client certificates to authenticate FTP clients by mapping to client ...Overview · CompatibilityMissing: mutual | Show results with:mutual
  42. [42]
    SP 800-52 Rev. 2, Guidelines for the Selection, Configuration, and ...
    Aug 29, 2019 · This Special Publication provides guidance to the selection and configuration of TLS protocol implementations while making effective use of Federal Information ...
  43. [43]
    https://security.stackexchange.com/questions/115561/does-ftps-ftp-over-ssl-using-explicit-tls-support-encryption-of-data-channel
  44. [44]
    Does FTPs (FTP over SSL using explicit TLS) support encryption of ...
    Feb 24, 2016 · I am exploring the ability of the FTPs(FTP over SSL using explicit TLS) to encrypt the data channel. I read online that the secure data channel can be entered ...
  45. [45]
    Is FTP Secure? How you can mitigate the risks of using File Transfer ...
    Jun 26, 2023 · FTP is not secure due to its plain text nature, making it vulnerable to packet capture, brute force attacks, and lacks safety features.
  46. [46]
    Encrypt Data in Transit - Essential Guide to Election Security
    Apr 4, 2023 · Use encrypted data transfer protocols for all sensitive data. Use HTTPS, not HTTP. Use FTPS, SFTP, SCP, or WebDAV over HTTPS, not FTP or RCP.
  47. [47]
    How to configure vsftpd with SSL/TLS on Red Hat Enterprise Linux
    Apr 9, 2025 · Edit the vsftpd configuration file /etc/vsftpd/vsftpd.conf , append ... disable SSL for anonymous connections and force SSL for data transfers and ...
  48. [48]
    How to FTP through a firewall - EnterpriseDT
    Dec 6, 2019 · Firewalls present challenges for users of FTP and (particularly) FTPS. The root cause of the problem is that a single session using these ...<|separator|>
  49. [49]
    Setting Up An FTPS Server Behind A Firewall or NAT For PASV ...
    When setting up an FTPS server behind a firewall for PASV mode transfers, specify an external passive IP and a port range in the server settings.Missing: compatibility | Show results with:compatibility
  50. [50]
    Understanding FTPS and Firewall Compatibility Issues.
    Jan 11, 2024 · Simply put, FTPS (FTP Secure) and firewalls, especially those performing Network Address Translation (NAT), may not always work seamlessly together.Missing: traversal | Show results with:traversal
  51. [51]
    RFC 2428 - FTP Extensions for IPv6 and NATs - IETF Datatracker
    RFC 2428 specifies FTP extensions to work over IPv4 and IPv6, replacing PORT/PASV with EPRT/EPSV, and enabling communication for other network protocols.
  52. [52]
    Networking 101: Transport Layer Security (TLS)
    The extra latency and computational costs of the full TLS handshake impose a serious performance penalty on all applications that require secure communication.Missing: FTPS | Show results with:FTPS
  53. [53]
    TLS 1.2 vs. 1.3—Handshake, Performance, and Other Improvements
    TLS 1.3 combines the initial handshake and the negotiation of cryptographic parameters into one round trip. This effectively reduces the handshake time by half.Tls 1.2 · Tls 1.3 Adoption · Handshake ProcessMissing: FTPS | Show results with:FTPS
  54. [54]
    How To Properly Protect Data With FTPS - Progress Software
    Jul 10, 2017 · FTPS helps to encrypt and transfer private information within the constraints of regulatory requirements.<|control11|><|separator|>
  55. [55]
    Understanding FTP, FTPS, SFTP, and TFTP - Exam-Labs
    The cryptographic operations underpinning FTPS's security introduce processing overhead that can affect transfer speeds. Encryption and decryption consume ...The Advent Of Ftps: Securing... · Security Implications Across... · Best Practices For Ftps...
  56. [56]
    FTP over SSL <ssl> - Microsoft Learn
    Mar 16, 2022 · When you are using FTP 7, you are using Implicit SSL if you enable FTPS and you assign the FTP site to port 990. Depending on the security ...
  57. [57]
    WinSCP :: Official Site :: Free SFTP and FTP client for Windows
    WinSCP is a popular SFTP client and FTP client for Microsoft Windows! Copy file between a local computer and remote servers using FTP, FTPS, SCP, SFTP, WebDAV ...Download · Free SFTP Client for Windows · Free FTP Client for Windows · News
  58. [58]
    SFTP vs. FTPS: Which file transfer software is best for business use?
    Like SFTP, FTPS also supports mutual authentication. This can be implemented using SSL/TLS digital certificates. You can also combine password-based ...
  59. [59]
    SFTP vs FTPS: Choosing the Right Protocol for Secure EDI ... - ECGrid
    We see this in the high adoption rates within the retail sector, for example, where 67% of businesses prefer SFTP. Conversely, FTPS's inherent flexibility and ...Missing: trends | Show results with:trends
  60. [60]
    FTPS or SFTP: Which Offers Faster File Transfers? | Aayu Blog
    Aug 1, 2025 · Between the two protocols, FTPS is generally considered faster in terms of transfer speed. This is primarily because SFTP transmits control, ...
  61. [61]
    Support for IPv6 - Cerberus FTP Server
    Cerberus FTP Server fully supports both IPv6 and IPv4 with FTP, FTPS, SFTP, and the HTTP/S web transfer client. We also implement RFC 2428 (“FTP Extensions ...
  62. [62]
    IPv6 Support for FTP, FTPS, SFTP and HTTP/S - Serv-U - SolarWinds
    Serv-U supports FTP, FTPS, SFTP, web and mobile transfers (HTTP/S) using both IPv6 and IPv4. Future-proof your business and avoid IPv4 address exhaustion.<|separator|>
  63. [63]
    Best practices and recommendations for the FTP Adapter
    Feb 1, 2021 · We recommend that you use the following guidelines for securing and deploying the FTP adapter in your environment: Secure your server and limit ...
  64. [64]
    Beware: macOS Finder "Connect to Server" accepts FTPS URLs (FTP in a SSL/TLS tunnel)
    Discussion confirming that macOS Finder accepts and supports FTPS connections via ftps:// protocol in the Connect to Server dialog.
  65. [65]
    6 Best FTP Clients for Mac and Windows Users (2025)
    Article listing top FTP clients for Mac, including Transmit as a recommended option that supports FTPS among other protocols.