FTP over SSL, also known as FTP secure or FTPS, adds transport layer security (TLS), or the legacy SSL, to the functions of classic FTP. Doing so allows command channel communications operating on port 21 to travel encrypted, and the returned data is encrypted as well. FTPS also allows the use of server certificates to prove a host’s identity to every client, and it can include client certificates for mutual trust.
FTPS preserves compatibility with legacy systems while raising security to modern levels.
FTPS encryption
Encryption in FTPS relies on TLS to protect files and credentials in transit. TLS secures these communications by negotiating a cipher suite and hash function between the client and server, then requiring a server certificate, and optionally a client certificate, to verify the identity of the trading partners.
This encryption can be enhanced by using strong cipher suites, tight key rotation and strict protocol settings, as well as:
- Choosing AES-256-GCM for encryption
- Disabling deprecated ciphers like RC4 and 3DES
- Enforcing TLS 1.2 or 1.3 to block downgrade attacks
- Using ECDHE key exchange to create forward secrecy
- Using SHA-256 or stronger hashes to guard against tampering
Careful policy tuning along these lines helps your organization deliver safer file transfers without hurting throughput.
Implicit vs. explicit FTPS
FTPS supports two security negotiation methods: explicit and implicit. Both provide identical data encryption strength but differ in how they initiate a session. Explicit FTPS, also known as upgrade mode or FTPES, begins as plain FTP in order to accept an incoming connection, then upgrades to an encrypted session once the connection has been established. Implicit FTPS, commonly referred to as always-on mode, starts encrypted from the first packet and will not accept an unencrypted connection request. The chosen FTPS method may affect firewall rules and network compatibility, depending on connection requests and security capabilities.
Some key differences between the two methods are:
Explicit mode:
- Firewalls must detect the session switch to TLS, or the transfer will be blocked
- Preserves existing scripts and command syntax on port 21
- Logs the security upgrade action, which gives auditors a clear encryption start time
Implicit mode:
- Must often be manually enabled
- Prevents credential exposure because TLS starts with the first packet
- Uses a dedicated listener on port 990, which simplifies firewall rules
FTPS authentication
FTPS pairs certificate validation with account credentials to control file server access. Once the TLS tunnel forms, all identity checks occur inside the encrypted session to protect sensitive data from interception while offering several integration paths.
The steps in this process are:
- The server presents a signed certificate during the handshake
- Servers may request a client certificate for two-way trust (known as mutual mode)
- User credentials are then supplied and verified against a directory, such as LDAP or Active Directory, which provides centralized password management
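The cipher policy from the encryption section and the explicit-mode handshake and credential sequence described above, as an added example using Python's standard ftplib (not code from the original article). The certificate file paths, host and credentials are assumptions supplied by the caller; the explicit session helper needs a live FTPS server, while the context builder and audit summary run offline.

```python
import ssl
from ftplib import FTP_TLS


def hardened_tls_context(cafile=None, client_cert=None, client_key=None):
    """SSLContext enforcing the cipher policy described above.

    cafile: PEM bundle that issued the server certificate (None = system store).
    client_cert/client_key: optional PEM files for mutual (two-way) mode.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0/1.1 downgrade
    # set_ciphers() governs TLS 1.2 suites only: ECDHE for forward secrecy,
    # AES-GCM for authenticated encryption, RC4/3DES explicitly excluded.
    # TLS 1.3 suites are AEAD-only by design and are negotiated separately.
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL:!MD5:!RC4:!3DES")
    ctx.verify_mode = ssl.CERT_REQUIRED  # server must present a trusted certificate
    ctx.check_hostname = True            # its CN/SAN must match the host we dial
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)  # client cert for mutual mode
    return ctx


def policy_summary(ctx):
    """Audit view of a context: version floor, verification flags, offered suites."""
    return {
        "min_version": ctx.minimum_version.name,
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
        "ciphers": [c["name"] for c in ctx.get_ciphers()],
    }


def explicit_ftps_session(host, user, password, port=21, **ctx_args):
    """Explicit FTPS: plain TCP connect on port 21, AUTH TLS upgrade, then
    PROT P so every data connection is encrypted too. Returns the session.
    (Implicit mode on port 990 needs TLS before the first byte, which
    ftplib's FTP_TLS does not do out of the box.)"""
    ftps = FTP_TLS(context=hardened_tls_context(**ctx_args))
    ftps.connect(host, port, timeout=30)
    ftps.auth()                 # AUTH TLS: control channel is now encrypted
    ftps.login(user, password)  # credentials travel inside the TLS tunnel
    ftps.prot_p()               # PROT P: encrypt the data channel as well
    return ftps
```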
Improving FTPS security
FTPS inherits FTP’s separate control and data channels, so security measures must cover both paths as well as the server host itself.
To enhance security with FTPS:
- Close unused passive port ranges to minimize your attack surface
- Patch the FTPS software and operating systems on a fixed schedule
- Rotate certificates before their expiration dates
- Run antivirus scans on incoming files before releasing them
- Segregate service accounts with the least privileged rights
These controls keep FTPS services resilient against common exploits.
FTPS alternatives
Organizations that need encrypted file movement may prefer a different protocol if firewall design, client support or compliance requirements make FTPS less convenient.
Some secure alternatives include:
- AS2: Signs and encrypts EDI payloads for B2B use
- HTTPS: Uses port 443 and supports browser-based file activity
- MFT over API gateways: Uses token-based authentication and REST calls
- SCP: Offers quick ad hoc pushes over SSH, without transfer restart (resume) logic
- SFTP: Runs over an SSH port, which simplifies rule sets and provides more flexible encryption options
Selecting the best method for your organization hinges on its required automation, audit depth and network policies.
FTPS firewall considerations
FTPS uses separate control and data streams, which your firewall setup must accommodate. Explicit sessions begin on port 21 by default, while implicit sessions start on port 990.
To configure your firewall for an FTPS connection:
- Allow control port 21 for explicit mode and port 990 for implicit mode
- Drop connections that fail the TLS handshake and log attempts
- Inspect control channel commands before opening data ports
- Map external to internal addresses with persistent NAT helpers
- Open and restrict the passive port range that’s used by the FTPS server
Firewalls must track the control channel to open matching data ports and log the TLS handshake. Narrow passive ranges and consistent NAT mappings simplify rule sets while still supporting both encryption modes.
You can set these rigorous rules to maintain performance without exposing extra surface in your organization’s file transfer processes.
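Once the control channel is inside TLS, a firewall can no longer read the server's PASV reply to open the matching data port, which is why a fixed passive range and a client that refuses anything outside it matter. The following is an added example, not code from the article: it parses a 227 reply and applies the policy from the list above. The control host 203.0.113.10 and the passive range 50000-50100 are constructed values.

```python
import ipaddress
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": the reply a firewall could
# have inspected before TLS hid the control channel.
PASV_REPLY = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# Addresses a NAT-unaware server may advertise instead of its public address.
NAT_INTERNAL = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "0.0.0.0/8")]


def parse_pasv(reply):
    """Return (ip, port) from a PASV reply; raise ValueError if it is malformed."""
    m = PASV_REPLY.match(reply)
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range in {reply!r}")
    h1, h2, h3, h4, p1, p2 = octets
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def resolve_data_endpoint(reply, control_host, passive_range):
    """Decide which (host, port) the client may dial for the data connection.

    passive_range: (low, high) ports the server is configured for and the
    firewall has opened; anything else is refused so no stray port is used.
    An internal (RFC 1918) or unspecified advertised address is treated as a
    NAT artefact and replaced by the control-channel peer (ftplib 3.9+ does
    the same by default); any other mismatching address is refused.
    """
    low, high = passive_range
    ip, port = parse_pasv(reply)
    if not low <= port <= high:
        raise ValueError(f"port {port} outside passive range {low}-{high}")
    if ip != control_host:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in NAT_INTERNAL):
            return control_host, port
        raise ValueError(f"advertised {ip} differs from control host {control_host}")
    return ip, port


def reject_reason(reply, control_host, passive_range):
    """None if the reply passes policy, otherwise the reason it was refused."""
    try:
        resolve_data_endpoint(reply, control_host, passive_range)
    except ValueError as exc:
        return str(exc)
    return None
```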
FTP over SSL FAQs
Is FTP over SSL secure?
Yes, FTP over SSL (FTPS) is secure. FTPS encrypts both the control and data channels with TLS to shield credentials and file contents from interception or alteration. When administrators enforce TLS 1.2 or 1.3, require strong cipher suites such as AES-256-GCM and validate X.509 certificates, FTPS meets security compliance mandates such as those required by PCI DSS or HIPAA.
What ports does FTPS use?
Explicit FTPS uses port 21, then upgrades to TLS after the client sends the AUTH TLS command. Implicit FTPS begins encrypted on port 990 and rejects any unencrypted connection negotiation. Data travels on port 20 in active mode or on a configurable high-numbered passive range defined on the server.
Is FTPS or SFTP better?
The better choice between FTPS and SFTP hinges on your organization’s data transfer requirements. FTPS fits teams with established FTP workflows or clients that demand TLS-based encryption, which can be more common in legacy environments. SFTP simplifies firewall rules and offers more standard commands, but its heavier encryption can slow down transfers.
How do I use FTP over SSL?
Choose an FTP client that supports FTPS, then identify whether the server uses explicit mode on port 21 or implicit mode on port 990. In your client’s connection settings, enter the hostname, the matching port and your credentials, and enable TLS.
On first contact, the client will display the server’s certificate. Verify the common name and validity period before accepting the connection. Once the log shows TLS 1.2 or 1.3 is active, you can transfer files. If passive mode is required, open the designated high ports in any local firewall so data connections succeed.