FTPS

From Wikipedia, the free encyclopedia

FTPS (also called FTP/SSL or FTP Secure) is a collective name for the ways in which FTP software can perform file transfers protected by SSL/TLS. Each variant inserts an SSL/TLS layer beneath the standard FTP protocol to encrypt the control channel, the data channel, or both. It should not be confused with the SSH File Transfer Protocol (SFTP), which is a different protocol carried over SSH, or with tunnelling plain FTP through an SSH connection (FTP over SSH, which has no acronym of its own).

The two ways of combining FTP and SSL/TLS are:

  • AUTH TLS, Explicit FTPS or FTPES, named after the command the client issues to request TLS (older clients and servers also accept the AUTH SSL spelling). This is the method standardised in RFC 4217. The client connects to the server's normal control port 21 and begins an ordinary, unencrypted FTP session, but before sending credentials or any other sensitive data it issues AUTH TLS and, on receiving the server's 234 reply, performs the TLS handshake. From that point on the control connection is encrypted; protection of the data connections is negotiated separately (see Data channels below). A server that wants to enforce encryption must refuse USER/PASS on a still-cleartext control channel, because the protocol itself leaves the choice to the client.
  • Implicit FTPS is an older style, not covered by RFC 4217 but still widely implemented, in which the client connects to a dedicated port (usually 990 for the control connection, with 989 as the conventional data port) and a TLS handshake is performed before any FTP command is exchanged. There is no cleartext phase at all, so the whole session is always encrypted.


SSL Certificates

Much like HTTPS, and unlike SFTP (where the server authenticates with an SSH host key), an FTPS server must present an X.509 public key certificate during the TLS handshake. Such certificates can be generated with tools such as OpenSSL, either self-signed or as a signing request submitted to a certificate authority.

Unless the certificate chains to a certificate authority the client trusts, and its subject or subject alternative name matches the host the client connected to, the FTPS client will warn that the certificate is not valid or refuse the connection. Self-signed certificates are common on private FTPS servers; clients should then have that specific certificate installed or pinned as trusted, because blindly accepting the warning leaves the connection open to a man-in-the-middle who presents a certificate of their own.

Data channels

Encryption can be applied to the command (control) channel, to the data channel, or, most often, to both. In RFC 4217 terms the control channel is encrypted as soon as AUTH TLS succeeds, while the protection of each data connection is negotiated with the PROT command, which must be preceded by PBSZ 0: PROT C (Clear) leaves data connections in plaintext, an arrangement informally called a clear data channel (CDC), and PROT P (Private) encrypts them with TLS. With PROT C the login is protected but every file transfer and directory listing travels in the clear. The reverse arrangement, a clear command channel (CCC), is requested with the CCC command after authentication: the control connection drops back to plaintext while the data channel keeps its negotiated PROT level. This exists mainly to let FTP-aware firewalls read PORT and PASV again, and it exposes every subsequent command, including file names, to eavesdropping and injection, which is why many servers refuse it.
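The explicit-FTPS sequence (AUTH TLS, then PBSZ 0 and PROT) and the effect of CCC and PROT C described above can be traced end to end in the following added example, which is not code from this article or from any FTP server. It models the server side of the RFC 4217 negotiation as a small state machine: it enforces the command ordering the RFCs require, refuses USER/PASS on an unencrypted control channel (a hardening policy assumed here, not something RFC 4217 mandates), and shows what a permitted CCC leaves protected. The client command lists, reply texts, username and password are constructed; only the three-digit reply codes follow RFC 2228/4217.

```python
"""Model of the RFC 4217 explicit FTPS (AUTH TLS) security negotiation.

Added illustration, not code from the page or any real FTP server: only the
security-relevant control-channel commands are modelled, the TLS handshake is
a state flag rather than a socket, and reply texts are constructed here (the
3-digit codes follow RFC 2228/4217).
"""
from dataclasses import dataclass


@dataclass
class FtpsControlChannel:
    allow_ccc: bool = False          # policy: permit CCC after login?
    require_tls_login: bool = True   # policy: refuse USER/PASS in cleartext
    tls_negotiated: bool = False     # AUTH TLS accepted, handshake assumed done
    control_encrypted: bool = False  # back to False after a successful CCC
    pbsz_done: bool = False          # PBSZ 0 must precede PROT (RFC 2228)
    prot_level: str = "C"            # data channel: C = clear, P = private
    logged_in: bool = False

    def handle(self, line: str) -> str:
        """Return the server reply to one client command line."""
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb == "AUTH":
            if self.tls_negotiated:
                return "503 Already using TLS"
            if arg.upper() not in ("TLS", "TLS-C", "SSL", "TLS-P"):
                return "504 Security mechanism not implemented"
            # 234 tells the client to start the TLS handshake now; every
            # later byte on this connection travels inside TLS.
            self.tls_negotiated = self.control_encrypted = True
            return "234 AUTH command OK. Initializing TLS connection."

        if verb == "PBSZ":
            if not self.tls_negotiated:
                return "503 Use AUTH first"
            if arg != "0":
                return "501 PBSZ must be 0 for TLS"  # TLS frames itself
            self.pbsz_done = True
            return "200 PBSZ=0"

        if verb == "PROT":
            if not self.tls_negotiated:
                return "503 Use AUTH first"
            if not self.pbsz_done:
                return "503 PBSZ must precede PROT"
            level = arg.upper()
            if level in ("C", "P"):
                self.prot_level = level
                return f"200 Protection level set to {level}"
            if level in ("S", "E"):  # defined by RFC 2228, not required by 4217
                return "536 Requested PROT level not supported by mechanism"
            return "504 Unknown protection level"

        if verb == "CCC":
            if not self.control_encrypted:
                return "503 Control channel is not protected"
            if not (self.logged_in and self.allow_ccc):
                return "534 Request denied for policy reasons"
            # Control channel reverts to cleartext so an FTP-aware firewall can
            # read PORT/PASV again; the data channel keeps its PROT level.
            self.control_encrypted = False
            return "200 Clear command channel"

        if verb in ("USER", "PASS"):
            if self.require_tls_login and not self.control_encrypted:
                return "550 SSL/TLS required on the control channel"
            if verb == "PASS":
                self.logged_in = True
                return "230 Login successful."
            return "331 Please specify the password."

        return "502 Command not modelled here"

    def data_channel_encrypted(self) -> bool:
        return self.tls_negotiated and self.prot_level == "P"


def run_session(commands, **policy):
    """Run a constructed client command list through the model and return
    (final channel state, transcript) with both sides labelled C> and S>."""
    chan = FtpsControlChannel(**policy)
    transcript = []
    for cmd in commands:
        transcript.append(f"C> {cmd}")
        transcript.append(f"S> {chan.handle(cmd)}")
    return chan, transcript


# Constructed client sequences (not captured traffic).
EXPLICIT_FTPS = ["AUTH TLS", "PBSZ 0", "PROT P", "USER alice", "PASS s3cret"]
CLEARTEXT_LOGIN = ["USER alice", "PASS s3cret"]
PROT_WITHOUT_PBSZ = ["AUTH TLS", "PROT P"]
CCC_AFTER_LOGIN = EXPLICIT_FTPS + ["CCC"]

if __name__ == "__main__":
    for cmds in (EXPLICIT_FTPS, CLEARTEXT_LOGIN, PROT_WITHOUT_PBSZ, CCC_AFTER_LOGIN):
        print("\n".join(run_session(cmds)[1]) + "\n")
```

Running it prints each exchange. The case worth dwelling on is `run_session(CCC_AFTER_LOGIN, allow_ccc=True)`: afterwards `control_encrypted` is False while `data_channel_encrypted()` is still True, which is precisely the trade-off a firewall-friendly CCC deployment accepts, and the reason a cautious server leaves `allow_ccc` off.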

The firewall problem

FTP is a port-hopping protocol: each data connection uses a port chosen during the session and announced in-band on the control connection (by PORT/EPRT in active mode, or in the server's reply to PASV/EPSV in passive mode). Many firewalls and NAT devices therefore include an FTP helper that parses the control connection, opens the secondary data connection dynamically, and rewrites the embedded address when the server sits behind NAT. Once the control connection is encrypted with TLS/SSL (or by any other means), the helper can no longer read the port numbers or addresses, because it cannot decrypt the traffic. As a result, on many firewalled networks clear FTP works while FTPS either fails outright or works only in passive mode, with the server configured to use a fixed range of passive ports that the firewall has been told to permit (and, behind NAT, to advertise its public address). The CCC command described above is the protocol's own workaround, at the cost of exposing the control channel again.
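To make concrete what the firewall loses, the following added example (not from this article or from any firewall or FTP implementation) parses the PASV and EPSV replies an FTP-aware helper relies on and applies the two outcomes described above: on a cleartext control channel it opens exactly the one announced port; on a TLS-wrapped channel it recovers nothing and can only fall back to a statically configured passive range. The IP address, ports, reply texts and the TLS record bytes are constructed samples.

```python
"""What an FTP-aware firewall reads from the control channel, and why TLS
defeats it.

Added illustration for this article, not code from any firewall product or
FTP implementation. It parses the replies that announce a passive data port
(227 from RFC 959, 229 from RFC 2428) the way a stateful FTP helper does,
then shows the two outcomes the section describes: on a cleartext control
channel the helper opens exactly the announced port; inside TLS it sees only
opaque records, so data connections are dropped unless the administrator
pre-opens a fixed passive port range. All sample bytes are constructed.
"""
import re

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2) -> host h1.h2.h3.h4, port p1*256+p2
PASV_RE = re.compile(r"^227 .*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# 229 Entering Extended Passive Mode (|||port|) -> same host as the control connection
EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d{1,5})\|\)")


def parse_passive_reply(line):
    """Return (host, port) from a 227 or 229 reply, or None for anything else.
    host is None for EPSV because the client reuses the control address."""
    m = PASV_RE.match(line)
    if m:
        fields = [int(x) for x in m.groups()]
        if max(fields) > 255:
            return None  # malformed reply: a helper must not open anything
        h1, h2, h3, h4, p1, p2 = fields
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = EPSV_RE.match(line)
    if m and 0 < int(m.group(1)) < 65536:
        return None, int(m.group(1))
    return None


def helper_visible_lines(raw):
    """Lines the firewall can read from bytes captured on the control port.
    A TLS record begins with a content-type byte 0x14-0x17 and version 0x03xx,
    never with an ASCII reply code, so an encrypted channel yields nothing."""
    if raw[:1] in (b"\x14", b"\x15", b"\x16", b"\x17") and raw[1:2] == b"\x03":
        return []
    return raw.decode("ascii", "replace").splitlines()


def data_ports_to_open(raw_control, static_passive_range=None):
    """Server ports the firewall admits for data connections. Dynamic holes
    come from parsed 227/229 replies; the static range is the fallback an
    administrator configures when the control channel is encrypted."""
    ports = set()
    for line in helper_visible_lines(raw_control):
        hit = parse_passive_reply(line)
        if hit:
            ports.add(hit[1])
    if not ports and static_passive_range:
        lo, hi = static_passive_range
        ports.update(range(lo, hi + 1))
    return ports


# Constructed samples, not captured traffic.
CLEAR_FTP = (b"220 ftp.example.test ready\r\n"
             b"230 Login successful.\r\n"
             b"227 Entering Passive Mode (203,0,113,7,195,80).\r\n")
# After AUTH TLS the same 227 reply travels inside a TLS application-data
# record: content type 0x17, version 0x0303, 2-byte length, then ciphertext.
FTPS_CONTROL = b"\x17\x03\x03\x00\x2a" + bytes(range(0x2a))

if __name__ == "__main__":
    print("clear FTP opens:", sorted(data_ports_to_open(CLEAR_FTP)))
    print("FTPS, no static range:", sorted(data_ports_to_open(FTPS_CONTROL)))
    print("FTPS with 50000-50009:", sorted(data_ports_to_open(FTPS_CONTROL, (50000, 50009))))
```

The static range is a deliberate widening of the firewall policy: every port in it is reachable from any client for the lifetime of the rule, not just for the one transfer that announced it, which is why FTPS servers are usually configured with a range as small as their expected concurrency allows.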
