Explicit Versus Implicit SSL

Secure Socket Layer (SSL) was originally created for secure Web browsing. When both a client and server support the AUTH SSL command, security is accomplished through a sequence of commands passed between the two computers. The FTP protocol definition provides at least two distinct mechanisms by which this sequence is initiated: explicit (active) and implicit (passive) security.

Explicit Security: To establish the SSL link, explicit security requires that the FTP client issue a specific command to the FTP server after establishing a connection. The default FTP server port is used. This formal method is documented in RFC 2228.

Implicit Security: Implicit security automatically begins with an SSL connection as soon as the FTP client connects to an FTP server. In implicit security, the FTP server defines a specific port for the client (990) to be used for secure connections.

Implicit SSL is discussed in various SSL drafts, but is not formally adopted in an RFC. For strict compliance to standards, use the explicit method.

Because implicit SSL has a dedicated port strictly used for secure connections, implicit SSL connections require less overhead when you establish the session. There are various FTP servers that support this mode, including EFT, RaidenFTPD, IBackup’s FTP server, and others.

Think of implicit security as "always on" and explicit security as "turn on." The following diagram contrasts implicit and explicit SSL connections.