1.3 Overview

This document provides the following extensions to the File Transfer Protocol over TLS [RFC4217]:

- Implicit FTPS support

- AUTH SSL message support

The primary purpose of these extensions is to accommodate legacy FTP client and firewall behaviors.

The FTP protocol uses a dynamic range of ports for data connections. Firewalls implement packet filters that parse the port information from the FTP control traffic and temporarily open those ports. If FTPS [RFC4217] is used, a number of legacy firewall packet filters can be confused by the mixture of encrypted and unencrypted traffic on the control connection and might drop FTP connections. Implicit FTPS support, which uses the dedicated port 990 (assigned by IANA), helps with these firewall issues by keeping encrypted and unencrypted traffic on separate ports. Additional configuration is needed on the firewall to allow data connections over FTPS, but that discussion is outside the scope of this document.

Implicit FTPS support is an extension to the FTPS protocol [RFC4217], and was originally documented in a draft that has since expired (see [EXPIRED-FTP-DRAFT]). A client connects to Implicit FTPS over port 990. The server delays sending the connection welcome greeting until the TLS session has been negotiated. The server assumes that the client sent an AUTH TLS message immediately after the TCP connection was established, and the client assumes that the server sent a positive reply to that implicit AUTH TLS message. The actual TLS session negotiation takes place as specified in [RFC4217]. Once the TLS session has been negotiated, the server assumes that the client sent PROT P and PBSZ 0 messages and sets the FTP session's state accordingly. These implicit commands force the default mode for the FTP data channel to be protected. The client can later reset the protection level on the data channel by sending the PROT C message as specified in [RFC4217].

AUTH SSL message support allows legacy clients that are not TLS-aware to work with FTPS. The TLS protocol [RFC2246] is backward compatible with the SSL protocol. The server will accept both AUTH SSL and AUTH TLS messages interchangeably. If an AUTH SSL message is sent by a client, the server will treat it as if an AUTH TLS message was received.
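The following model of the server's control-connection state is an added illustration, not code from this specification or from any product. It shows the implicit-FTPS behavior above (a session on port 990 starts with AUTH TLS, PBSZ 0 and PROT P already assumed, and PROT C later downgrades the data channel) next to the explicit flow, and the AUTH SSL aliasing from this section; the class name, `on_connect`/`handle` methods and reply texts are assumptions, with reply codes following RFC 4217 conventions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

IMPLICIT_FTPS_PORT = 990   # IANA-assigned port for implicit FTPS
EXPLICIT_FTP_PORT = 21     # control port for explicit FTPS (AUTH after the greeting)


@dataclass
class FtpsServerSession:
    """Control-connection state for one FTPS session (constructed model)."""
    listen_port: int
    tls_active: bool = False
    pbsz: Optional[int] = None
    prot: str = "C"                      # RFC 4217 default: data channel in the clear
    log: List[str] = field(default_factory=list)

    def on_connect(self) -> str:
        """Return the greeting. For implicit FTPS the TLS handshake happens first and
        AUTH TLS / PBSZ 0 / PROT P are assumed before the greeting is sent."""
        if self.listen_port == IMPLICIT_FTPS_PORT:
            self.tls_active = True       # TLS negotiated before any FTP reply goes out
            self.pbsz = 0                # assumed PBSZ 0
            self.prot = "P"              # assumed PROT P: data channel protected by default
            self.log.append("implicit: assumed AUTH TLS, PBSZ 0, PROT P")
        return "220 Service ready"

    def handle(self, line: str) -> str:
        """Process one control-channel command and return the modeled reply."""
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip().upper()
        if verb == "AUTH":
            if arg == "SSL":
                arg = "TLS"              # legacy AUTH SSL is treated exactly as AUTH TLS
            if arg != "TLS":
                return "504 Unknown security mechanism"
            self.tls_active = True       # TLS handshake follows this reply (RFC 4217)
            return "234 AUTH command OK"
        if verb == "PBSZ":
            if not self.tls_active:
                return "503 AUTH must precede PBSZ"
            self.pbsz = 0                # TLS needs no buffer size; value is always 0
            return "200 PBSZ=0"
        if verb == "PROT":
            if self.pbsz is None:
                return "503 PBSZ must precede PROT"
            if arg not in ("C", "P"):
                return "536 Requested PROT level not supported"
            self.prot = arg              # PROT C downgrades the data channel to clear
            return f"200 PROT {arg} OK"
        return "502 Command not implemented"
```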