
FTP over SSL (ftps) – Explicit SSL vs. Implicit SSL

October 18th, 2013

FTP over SSL (ftps) – Explicit SSL vs. Implicit SSL / Active mode vs Passive mode

Explicit SSL:
ACTIVE MODE:
– A connection to the server is made on TCP/21 (ftp-control channel).
– A connection to the server is made on TCP/20 (ftp-data).

The connection starts in plain text until the client issues an authentication command (AUTH TLS), at which point certificates are verified and an SSL connection is negotiated. In active mode, the ftps client initiates a ‘control session’ to port 21 of the server (outbound from client) and the server initiates the data session back (sourced from TCP/20) towards the client.

PASSIVE MODE:
In passive mode, the ftps client initiates both the control (TCP/21) and data sessions to the server (both are outbound from client); the data port range is specified during the server/client negotiation.

Implicit SSL:
The server specifies a different port dedicated to the SSL communications.

ACTIVE MODE:
– A connection is made to TCP/990 (ftp-control channel).
– A connection is made to TCP/989 (ftp-data).

Any connection made to port TCP/990 requires the immediate negotiation of certificates and SSL, thereby avoiding any communication in plain text. In active mode the ftps client initiates a ‘control session’ to port 990 of the server (outbound from client), but the server initiates the ‘data session’ back (sourced from TCP/989) towards the client (inbound to client).

PASSIVE MODE:
In passive mode, the client initiates both the control (TCP/990) and data sessions (port range specified by server/client negotiation) to the server (both are outbound from client).

TRAFFIC FLOWS
Explicit SSL with active FTP (The client initiates control session but server initiates data session to client):
ftp-ssl-control: (outbound from client)
FTPS client src port (> 1024) ==> FTPS server dst port 21
ftp-ssl-data: (inbound from server)
FTPS server src port (port 20) ==> FTPS client dst port (the port range is specified during the server/client negotiation)

Explicit SSL with passive FTP: (The client initiates both control and data sessions)
ftp-ssl-control: (outbound from client)
FTPS client src port (> 1024) ==> FTPS server dst port 21 (request)
ftp-ssl-data: (outbound from client)
FTPS client src port (range specified by server/client negotiation) ==> FTPS server dst port (the port range is specified during the server/client negotiation)

Implicit SSL with active FTP (The client initiates control session and the server initiates data session to client)
ftp-ssl-control: (outbound from client)
FTPS client src port (> 1024) ==> FTPS server dst port 990.
ftp-ssl-data: (inbound from server)
FTPS server src port (port 989) ==> FTPS client dst port (range specified by server/client negotiation)

Implicit SSL with passive FTP (The client initiates both control and data sessions)
ftp-ssl-control: (outbound from client)
FTPS client src port (> 1024) ==> FTPS server dst port 990.
ftp-ssl-data: (outbound from client)
FTPS client src port (range specified by server/client negotiation) ==> FTPS server dst port (the port range is specified during the server/client negotiation)
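The four flows above all hinge on one detail: the data port is not fixed, it is announced on the control channel (PORT/EPRT by the client in active mode, the 227/229 reply by the server in passive mode). The following Python script is an added example, not code from the original post: it walks a control-channel transcript, records whether TLS is explicit (AUTH TLS seen on port 21) or implicit (port 990), works out which side opens the data connection and to which address and port, and flags an announced address that does not belong to the peer, which is the check a firewall or FTP-aware proxy should make before opening a pinhole. The transcripts, the IP addresses and the function names are constructed for the example; the port arithmetic (p1*256 + p2) and the PORT/PASV/EPRT/EPSV syntax are standard FTP. Note that after the server's 234 reply, or on port 990 from the first byte, these lines are encrypted on the wire and would only be visible to the endpoint itself or to a TLS-terminating proxy.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Port numbers as given in the post.
FTP_CONTROL, FTP_DATA = 21, 20      # explicit FTPS: TLS starts after AUTH TLS on the plain channel
FTPS_CONTROL, FTPS_DATA = 990, 989  # implicit FTPS: TLS from the first byte

# Standard FTP port-negotiation syntax (RFC 959 PORT/PASV, RFC 2428 EPRT/EPSV).
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"\(\|\|\|(\d+)\|\)")
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$", re.I)
EPRT_RE = re.compile(r"^EPRT\s+\|(\d)\|([^|]+)\|(\d+)\|$", re.I)

Endpoint = Tuple[str, Optional[int]]  # (ip, port); port None = ephemeral, not yet known

@dataclass
class Session:
    client_ip: str
    server_ip: str
    control_port: int                    # 21 (explicit) or 990 (implicit)
    tls: str = "none"                    # "explicit", "implicit" or "none"
    mode: Optional[str] = None           # "active" or "passive"
    data_src: Optional[Endpoint] = None  # side that opens the data connection
    data_dst: Optional[Endpoint] = None  # side that listens for it
    warnings: List[str] = field(default_factory=list)

def _host_port(groups) -> Endpoint:
    """h1,h2,h3,h4,p1,p2 -> ("h1.h2.h3.h4", p1*256 + p2)."""
    return ".".join(groups[:4]), int(groups[4]) * 256 + int(groups[5])

def analyse(client_ip: str, server_ip: str, control_port: int, lines: List[str]) -> Session:
    """Walk control-channel lines ("C: ..." / "S: ...") and derive the expected data flow."""
    s = Session(client_ip, server_ip, control_port)
    if control_port == FTPS_CONTROL:
        s.tls = "implicit"               # TLS is negotiated before any command is sent
    for line in lines:
        who, _, text = line.partition(": ")
        text = text.strip()
        if who == "C":
            if text.upper() in ("AUTH TLS", "AUTH SSL") and s.tls == "none":
                s.tls = "explicit"       # everything after the server's 234 reply is encrypted
                continue
            m = PORT_RE.match(text)
            if m:
                target = _host_port(m.groups())
            else:
                m = EPRT_RE.match(text)
                target = (m.group(2), int(m.group(3))) if m else None
            if target:                   # active mode: server connects back to the client
                s.mode = "active"
                s.data_src = (server_ip, FTPS_DATA if s.tls == "implicit" else FTP_DATA)
                s.data_dst = target
                if target[0] != client_ip:
                    s.warnings.append(f"active-mode target {target[0]} is not the client "
                                      f"{client_ip}; do not open an inbound pinhole for it")
        elif who == "S":
            code, target = text[:3], None
            if code == "227":
                m = PASV_RE.search(text)
                if m:
                    target = _host_port(m.groups())
            elif code == "229":
                m = EPSV_RE.search(text)
                if m:
                    target = (server_ip, int(m.group(1)))  # EPSV carries only the port
            if target:                   # passive mode: client connects out to the server
                s.mode = "passive"
                s.data_src = (client_ip, None)
                s.data_dst = target
                if target[0] != server_ip:
                    s.warnings.append(f"passive-mode address {target[0]} is not the server "
                                      f"{server_ip}; likely a NAT/proxy mis-announcement")
    return s

def describe(s: Session) -> str:
    """Render the flow in the same form as the tables above."""
    if s.mode is None:
        return f"{s.tls} TLS, data port not negotiated yet"
    direction = "inbound from server" if s.mode == "active" else "outbound from client"
    src_port = "ephemeral" if s.data_src[1] is None else s.data_src[1]
    return (f"{s.tls} TLS / {s.mode} FTP: data {s.data_src[0]}:{src_port} ==> "
            f"{s.data_dst[0]}:{s.data_dst[1]} ({direction})")

# Constructed sample transcripts (not real captures).
EXPLICIT_ACTIVE = [
    "S: 220 ftp.example.test ready",
    "C: AUTH TLS",
    "S: 234 Proceed with negotiation",
    "C: PORT 192,0,2,10,195,80",        # 195*256 + 80 = 50000
    "S: 200 PORT command successful",
]
IMPLICIT_PASSIVE = [
    "C: PASV",
    "S: 227 Entering Passive Mode (198,51,100,5,234,17)",  # 234*256 + 17 = 59921
]
THIRD_PARTY_PORT = [                    # PORT naming a third host: flagged, not opened
    "C: PORT 203,0,113,7,0,80",
]

if __name__ == "__main__":
    for name, port, lines in [("explicit/active", FTP_CONTROL, EXPLICIT_ACTIVE),
                              ("implicit/passive", FTPS_CONTROL, IMPLICIT_PASSIVE),
                              ("plain/third-party", FTP_CONTROL, THIRD_PARTY_PORT)]:
        s = analyse("192.0.2.10", "198.51.100.5", port, lines)
        print(name, "->", describe(s), s.warnings)
```

The two sanity checks are the ones worth keeping in any FTP helper or ALG: in active mode the announced address must be the client that sent the command, and in passive mode it must be the server the client is already talking to. Anything else should be logged and refused rather than turned into a firewall rule.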
