FTPS
FTPS is FTP secured by TLS. It negotiates fully secured TLS connections where plain FTP uses clear text unsafe connections.
There are two ways to do FTPS with curl. The implicit way and the explicit way. (These terms originate from the FTPS RFC). Usually the server you work with dictates which of these methods you can and shall use against it.
Implicit FTPS
The implicit way is when you use ftps:// in your URL. This makes curl connect to the host and do a TLS handshake immediately, without doing anything in the clear. If no port number is specified in the URL, curl uses port 990 for this. This is usually not how FTPS is done.
Explicit FTPS
The explicit way of doing FTPS is to keep using an ftp:// URL, but instruct curl to upgrade the connection into a secure one using the AUTH TLS FTP command.
You can tell curl to either attempt an upgrade and continue as usual if the upgrade fails with --ssl, or you can force curl to either upgrade or fail the whole thing hard if the upgrade fails by using --ssl-reqd. We strongly recommend using the latter, so that you can be sure that a secure transfer is done - if any.
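An added example, not taken from curl or its documentation: a small shell lint that reads script text and reports curl FTP transfers that could run without TLS, based on the --ssl versus --ssl-reqd distinction above. The host names and sample lines are constructed, the older --ftp-ssl and --ftp-ssl-reqd spellings are treated as aliases, and the parsing (whitespace split, one command per line, strictest flag kept) is an assumption of this sketch.

```shell
# Added example: lint curl command lines for FTP transfers that may skip TLS.
# Lines are inspected as text only; nothing is executed or connected to.

# Print one of: explicit-required, explicit-opportunistic, cleartext,
# implicit, not-ftp. Runs in a subshell so "set -f" does not leak.
classify_curl_ftp() (
    set -f                        # no globbing while splitting the string
    ftp=0; ftps=0; tls=none
    for word in $1; do            # plain whitespace split (assumption)
        case $word in
            ftps://*|\"ftps://*|\'ftps://*) ftps=1 ;;
            ftp://*|\"ftp://*|\'ftp://*)    ftp=1 ;;
            --ssl-reqd|--ftp-ssl-reqd)      tls=required ;;
            # the strictest flag seen is kept (assumption of this lint)
            --ssl|--ftp-ssl) [ "$tls" = required ] || tls=try ;;
        esac
    done
    if [ "$ftp" -eq 1 ]; then
        case $tls in
            required) echo explicit-required ;;
            try)      echo explicit-opportunistic ;;
            *)        echo cleartext ;;
        esac
    elif [ "$ftps" -eq 1 ]; then echo implicit
    else echo not-ftp
    fi
)
# Read script text on stdin (one command per line) and list curl lines whose
# FTP transfer can run unencrypted. Exit status 1 if any were found.
audit_ftp_curl() {
    n=0; bad=0
    while IFS= read -r line; do
        n=$((n + 1))
        case $line in *curl*) ;; *) continue ;; esac
        kind=$(classify_curl_ftp "$line")
        case $kind in
            cleartext|explicit-opportunistic) echo "line $n: $kind"; bad=1 ;;
        esac
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample input; prints findings for lines 2 and 4.
audit_ftp_curl <<'EOF' || echo "review the lines listed above"
curl --ssl-reqd -O ftp://ftp.example.com/a.bin
curl --ssl -O ftp://ftp.example.com/b.bin
curl -O ftps://ftp.example.com/c.bin
curl -O ftp://ftp.example.com/d.bin
EOF
```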
Common FTPS problems
The single most common problem with FTPS comes from the fact that the FTP protocol (that FTPS transfers lean on) uses a separate connection setup for the data transfer. This connection is done to another port and when FTP is done over clear text (non-FTPS), firewalls and network inspectors etc. can figure out that this is FTP in progress and they can adapt things and rules for the new connection.
When the FTP control channel is encrypted with TLS, firewalls cannot see what is going on and no outsider can dynamically adapt network rules or permissions based on this.