Explicit Versus Implicit FTP - SSL

Resolving The Problem

The FTP protocol definition provides at least two distinct mechanisms by which this sequence is initiated: explicit (active) and implicit (passive) security.

Explicit Security: In order to establish the SSL link, explicit security requires that the FTP client issue a specific command to the FTP server after establishing a connection. The default FTP server port is used. This formal method is documented in RFC 2228.

Implicit Security: Implicit security automatically begins with an SSL connection as soon as the FTP client connects to an FTP server. In implicit security, the FTP server defines a specific port for the client (990) to be used for secure connections.

Because implicit SSL has a dedicated port strictly used for secure connections, implicit SSL connections require less overhead when you establish the session. There are various FTP servers that support this mode, including GlobalSCAPE Secure FTP Server, RaidenFTPD, IBackup’s FTP server, and others.

You can think of implicit security as always on and explicit security as turn on. The following diagram contrasts implicit and explicit SSL connections: