Tuesday, September 20, 2011

What is the difference between Implicit SSL and Explicit SSL?

FTP over SSL (Explicit)
Explicit security requires the FTP client to issue a specific command after the TCP connection has been established in order to set up the SSL/TLS link. The client connects to the default FTP control port (TCP 21), the session begins in clear text, and the client then sends an explicit command ("AUTH SSL" or "AUTH TLS") asking the server to negotiate a secure control connection; the control channel is protected only after the server's 234 reply and the TLS handshake that follows it. The data connections are protected separately, using the PBSZ and PROT commands sent over the now-protected control channel. The AUTH command is defined in RFC 2228 (FTP Security Extensions) and the TLS procedure itself in RFC 4217. Because everything up to the 234 reply travels in clear text, a client must treat a missing or negative reply to AUTH TLS as a failure rather than continue the session unprotected.

FTP over SSL (Implicit)
Implicit security is a mechanism by which security is turned on automatically as soon as the FTP client connects: the server reserves a dedicated port (TCP 990, with TCP 989 for data) and expects the TLS handshake before any FTP banner or command is exchanged, so there is no clear-text phase and no AUTH command. Implicit FTPS was never standardised in an RFC (RFC 4217 only covers the explicit form), but many servers and clients still support it.
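The two openings side by side, as an added example in Go that is not code from this post or from any FTP product. It models both variants over an in-memory pipe (net.Pipe) instead of TCP 21 and 990, generates a throwaway certificate for the assumed hostname ftps.example.test, and its server understands only AUTH TLS, PBSZ, PROT and QUIT, with illustrative reply texts. The transcript it returns marks each line with whether TLS protected it, which is the practical difference between the two: with explicit FTPS the 220 banner, the AUTH TLS command and the 234 reply are visible and alterable on the wire, with implicit FTPS nothing is. It also carries the two checks a careful implementation needs: the client refuses to continue in clear text when no 234 comes back, and the server refuses clear-text bytes pipelined behind AUTH TLS.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// Hostname assumed for the throwaway certificate; not from the original page.
const serverName = "ftps.example.test"

// Line records one control-channel message and whether TLS protected it on the wire.
type Line struct {
	From, Text string // From is "C" (client) or "S" (server)
	Secure     bool
}

func readLine(r *bufio.Reader) (string, error) {
	s, err := r.ReadString('\n')
	return strings.TrimRight(s, "\r\n"), err
}

// selfSigned makes a throwaway server certificate and a root pool the client
// verifies it against, so neither side needs InsecureSkipVerify.
func selfSigned() (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{serverName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// server speaks a minimal FTPS control channel. explicit: clear-text 220 banner, TLS
// only after AUTH TLS / 234 (RFC 4217). implicit: TLS from the first byte, the port 990 model.
func server(raw net.Conn, cert tls.Certificate, explicit bool) {
	defer raw.Close()
	cfg := &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true, // only so the synchronous net.Pipe cannot deadlock; not a security setting
	}
	var conn net.Conn = raw
	if !explicit {
		conn = tls.Server(raw, cfg)
	}
	r := bufio.NewReader(conn)
	fmt.Fprintf(conn, "220 ftps ready\r\n")
	for {
		cmd, err := readLine(r)
		if err != nil {
			return // io.EOF once the client has sent close_notify
		}
		switch {
		case cmd == "AUTH TLS" && conn == raw:
			// STARTTLS pitfall: clear-text bytes pipelined behind AUTH TLS must never be
			// executed later as if they had arrived under TLS, so refuse them outright.
			if r.Buffered() != 0 {
				fmt.Fprintf(conn, "503 Plaintext after AUTH TLS\r\n")
				return
			}
			fmt.Fprintf(conn, "234 Proceed with negotiation\r\n")
			conn = tls.Server(raw, cfg)
			r = bufio.NewReader(conn)
		case strings.HasPrefix(cmd, "PBSZ ") || cmd == "PROT P":
			fmt.Fprintf(conn, "200 OK\r\n") // data-channel protection, negotiated inside TLS as well
		case cmd == "QUIT":
			fmt.Fprintf(conn, "221 Goodbye\r\n")
		default:
			fmt.Fprintf(conn, "502 Command not implemented\r\n")
		}
	}
}

// Session drives a client against the in-memory server and returns the transcript.
func Session(explicit bool) ([]Line, error) {
	cert, pool := selfSigned()
	cfg := &tls.Config{RootCAs: pool, ServerName: serverName, MinVersion: tls.VersionTLS12}
	cRaw, sRaw := net.Pipe()
	go server(sRaw, cert, explicit)
	var conn net.Conn = cRaw
	r, secure := bufio.NewReader(conn), false
	startTLS := func() { // from here on every byte on cRaw travels inside TLS records
		tc := tls.Client(cRaw, cfg)
		conn, r, secure = tc, bufio.NewReader(tc), true
	}
	cmds := []string{"AUTH TLS", "PBSZ 0", "PROT P", "QUIT"}
	if !explicit {
		startTLS() // implicit: the handshake precedes the banner and AUTH TLS is never sent
		cmds = cmds[1:]
	}
	banner, err := readLine(r)
	if err != nil {
		return nil, err
	}
	trace := []Line{{"S", banner, secure}}
	for _, cmd := range cmds {
		fmt.Fprintf(conn, "%s\r\n", cmd)
		reply, err := readLine(r)
		if err != nil {
			return nil, err
		}
		trace = append(trace, Line{"C", cmd, secure}, Line{"S", reply, secure})
		if cmd == "AUTH TLS" {
			// Refused, or the 234 stripped by an on-path attacker: abort, never fall back to clear text.
			if !strings.HasPrefix(reply, "234") {
				return nil, fmt.Errorf("AUTH TLS refused: %q", reply)
			}
			startTLS()
		}
	}
	return trace, conn.Close()
}

func main() {
	for _, explicit := range []bool{true, false} {
		trace, err := Session(explicit)
		if err != nil {
			panic(err)
		}
		fmt.Printf("explicit=%v\n", explicit)
		for _, l := range trace {
			fmt.Printf("  %s secure=%-5v %s\n", l.From, l.Secure, l.Text)
		}
	}
}
```

Running it prints the explicit transcript with the first three lines unprotected and everything from PBSZ onward inside TLS, and the implicit transcript with every line, the banner included, inside TLS. Against a real server the same client logic would dial TCP 21 (explicit) or TCP 990 (implicit) instead of the pipe; the session-ticket setting exists only because net.Pipe blocks each write until the peer has read it.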

FTP over SSL (ftps) - Explicit SSL vs. Implicit SSL / Active mode vs Passive mode:

Shunichi Mikame (smikame@ipv4sec.com) - 09/11/2004

======================================================================================

My understanding about traffic flow of 'ftp over ssl' (ftps) is below.

Explicit SSL operates such that a connection to the server is made on the normal service port (TCP-21 for ftp-control channel, TCP-20 for ftp-data in active ftp mode). Communication initially starts in plain text until the client issues an authentication command, which then leads to certificate verification and a secure SSL connection being negotiated. In active mode, ftps client initiates 'control session' to port 21 of server (outbound from client), but server initiates data session back (sourcing from tcp port 20) to client (inbound to client). In passive mode, client initiates both control (tcp-21) and data sessions (port range specified by server/client negotiation) to the server (both are outbound from client).

Implicit SSL allows the server to specify a different port dedicated to SSL communication (TCP-990 for ftp-control channel, TCP-989 for ftp-data in active ftp mode). Any connections made to this port require immediate negotiation of certificates and SSL, avoiding any communication in plain text whatsoever. In active mode, ftps client initiates 'control session' to port 990 of server (outbound from client), but server initiates 'data session' back (sourcing from tcp port 989) to client (inbound to client). In passive mode, client initiates both control (tcp-990) and data sessions (port range specified by server/client negotiation) to the server (both are outbound from client).

Below are traffic flow examples with my understanding:

Explicit SSL with active FTP

ftp-ssl-control: (outbound from client)
FTPS client src port (greater than 1024) ==> FTPS server dst port 21

ftp-ssl-data: (inbound from server)
FTPS server src port (port 20) ==> FTPS client dst port (range specified by server/client negotiation)

Explicit SSL with passive FTP

ftp-ssl-control: (outbound from client)
FTPS client src port (greater than 1024) ==> FTPS server dst port 21 (request)

ftp-ssl-data: (outbound from client)
FTPS client src port (range specified by server/client negotiation) ==> FTPS server dst port (range specified by server/client negotiation).

Implicit SSL with active FTP

ftp-ssl-control: (outbound from client)
FTPS client src port (greater than 1024) ==> FTPS server dst port 990.

ftp-ssl-data: (inbound from server)
FTPS server src port (port 989) ==> FTPS client dst port (range specified by server/client negotiation)

Implicit SSL with passive FTP

ftp-ssl-control: (outbound from client)
FTPS client src port (greater than 1024) ==> FTPS server dst port 990.

ftp-ssl-data: (outbound from client)
FTPS client src port (range specified by server/client negotiation) ==> FTPS server dst port (range specified by server/client negotiation).

End of document:

======================================================================================
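The "range specified by server/client negotiation" in the quoted document's active and passive tables is agreed on the control channel itself: in the PORT command from the client (active mode), in the 227 reply to PASV (passive mode), or in the 229 reply to EPSV. The following Go program is an added example, not from the quoted document or from this post, that decodes those three forms into the data-channel endpoint and the connection direction a firewall rule needs. The control-channel lines and the peer address in it are constructed, and the rule that the announced address must match the control-connection peer is a conservative client/server policy against FTP bounce and PASV redirection, not something the quoted document specifies. One consequence the tables above only imply: once the control channel is inside TLS, a stateful firewall or FTP ALG can no longer read these lines, so passive FTPS needs a fixed, pre-opened data port range on the server.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strconv"
	"strings"
)

// DataEndpoint is the negotiated data-connection endpoint and which side opens it.
type DataEndpoint struct {
	IP             net.IP
	Port           int
	ClientConnects bool // true: passive, client dials out; false: active, server dials back from port 20 (989 for implicit)
}

// Flow states the data connection the way a firewall rule sees it.
func (e DataEndpoint) Flow() string {
	if e.ClientConnects {
		return fmt.Sprintf("client ==> server %s:%d (outbound from client)", e.IP, e.Port)
	}
	return fmt.Sprintf("server ==> client %s:%d (inbound to client)", e.IP, e.Port)
}

var (
	hostPortRE = regexp.MustCompile(`(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})`)
	epsvRE     = regexp.MustCompile(`\(\|\|\|(\d{1,5})\|\)`)
)

// parseHostPort decodes the h1,h2,h3,h4,p1,p2 tuple shared by PORT and the 227 reply (RFC 959).
func parseHostPort(s string) (net.IP, int, error) {
	m := hostPortRE.FindStringSubmatch(s)
	if m == nil {
		return nil, 0, fmt.Errorf("no h1,h2,h3,h4,p1,p2 tuple in %q", s)
	}
	var v [6]int
	for i := range v {
		n, err := strconv.Atoi(m[i+1])
		if err != nil || n > 255 {
			return nil, 0, fmt.Errorf("value out of range in %q", s)
		}
		v[i] = n
	}
	return net.IPv4(byte(v[0]), byte(v[1]), byte(v[2]), byte(v[3])), v[4]*256 + v[5], nil
}

// ParseDataEndpoint decodes the control-channel line that negotiates the data port:
// "PORT ..." from the client (active), "227 ..." (passive) or "229 ..." (EPSV) from the
// server. peer is the address at the far end of the control connection; a different
// address in the message is refused, which blocks FTP bounce and PASV redirection
// tricks (EPSV carries no address, so the peer is used as-is).
func ParseDataEndpoint(line string, peer net.IP) (DataEndpoint, error) {
	var ep DataEndpoint
	switch {
	case strings.HasPrefix(line, "PORT ") || strings.HasPrefix(line, "227 "):
		ip, port, err := parseHostPort(line)
		if err != nil {
			return ep, err
		}
		ep = DataEndpoint{IP: ip, Port: port, ClientConnects: strings.HasPrefix(line, "227 ")}
	case strings.HasPrefix(line, "229 "):
		m := epsvRE.FindStringSubmatch(line)
		if m == nil {
			return ep, fmt.Errorf("malformed EPSV reply %q", line)
		}
		port, _ := strconv.Atoi(m[1]) // digits only, so Atoi cannot fail here
		ep = DataEndpoint{IP: peer, Port: port, ClientConnects: true}
	default:
		return ep, fmt.Errorf("not a data-port negotiation line: %q", line)
	}
	if ep.Port < 1 || ep.Port > 65535 {
		return DataEndpoint{}, fmt.Errorf("port %d out of range in %q", ep.Port, line)
	}
	if !ep.IP.Equal(peer) {
		return DataEndpoint{}, fmt.Errorf("data address %s does not match control peer %s", ep.IP, peer)
	}
	return ep, nil
}

func main() {
	peer := net.ParseIP("192.168.1.10") // constructed: address at the far end of the control connection
	for _, line := range []string{ // constructed control-channel lines
		"PORT 192,168,1,10,4,1",
		"227 Entering Passive Mode (192,168,1,10,195,88).",
		"229 Entering Extended Passive Mode (|||50010|)",
		"227 Entering Passive Mode (203,0,113,7,195,88).",
	} {
		if ep, err := ParseDataEndpoint(line, peer); err != nil {
			fmt.Printf("%-50s rejected: %v\n", line, err)
		} else {
			fmt.Printf("%-50s %s\n", line, ep.Flow())
		}
	}
}
```

The port is p1*256+p2, so "195,88" is 50008; the last constructed line is refused because the announced address is not the control-connection peer. A client that wants to tolerate servers behind NAT that announce a private address (a common passive-mode misconfiguration) would relax that check deliberately and substitute the peer address, as some FTP clients do, rather than connect to whatever address the reply names.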
