FTP Implicit and Explicit modes determine exactly when and how SSL/TLS encryption is applied to an FTP session. Implicit mode connects to the server and immediately performs the SSL/TLS handshake with no unencrypted commands exchanged, typically on port 990. Explicit mode first opens a standard unencrypted FTP session on port 21, then sends the AUTH SSL (or AUTH TLS) command to request encryption; the server replies and the handshake follows. In both cases the data connection used for actual file transfers is always encrypted. Implicit mode is deprecated; Explicit remains the current standard.
Choosing the correct mode prevents connection failures, credential exposure, and firewall problems. Implicit was created to simplify client code but creates incompatibilities with NAT, proxies, and security devices that expect to see the initial FTP banner. Explicit offers negotiation flexibility on the well-known FTP port. Correct configuration is a basic requirement for any secure file exchange with a hosting server.
#Prerequisites
Before using either mode you need an FTP client capable of FTPS (most modern clients qualify), a hosting account with FTP access enabled, and valid username and password credentials. The client must be configured for passive mode in nearly all production environments, because active mode requires the server to open an inbound connection back to the client, which customer-side firewalls and NAT block. Verify that your local network permits outbound traffic on the chosen control port and on the dynamic ports used for data. Test connectivity with a simple directory listing before moving files.
#How Implicit FTP Mode Works
In Implicit mode the client opens a TCP socket to the server on port 990 and immediately begins SSL/TLS negotiation. The server is expected to present its certificate and complete the handshake before any FTP protocol commands are sent. Because the entire control channel is encrypted from the first packet, there is no plaintext banner or command visible on the wire. This design removes the need for an explicit security command but prevents the server from supporting plain FTP clients on the same listener. The lack of negotiation also means intermediate devices cannot inspect or route the traffic intelligently, which is why Implicit FTP has been deprecated by standards bodies and modern server implementations.
#How Explicit FTP Mode Works
Explicit mode begins with a conventional FTP connection to port 21. The server sends its standard 220 banner in plaintext. The client then issues the AUTH SSL or AUTH TLS command. Upon receiving a positive 234 reply the client and server perform the SSL/TLS handshake, after which all subsequent control traffic is encrypted. This two-phase approach lets a single port serve both secure and non-secure clients when the server administrator permits it. It also works more reliably through firewalls that expect to see the initial FTP handshake before allowing further traffic.
#Typical Explicit Command Sequence
Server: 220 FTP Server Ready
Client: AUTH SSL
Server: 234 AUTH command OK. Initializing SSL connection.
[SSL/TLS handshake occurs here]
Server: 200 Command OK
Client: USER username
Server: 331 Password required
Client: PASS ********
#Key Differences
- Port: Implicit normally uses 990; Explicit uses the standard 21.
- Encryption timing: Implicit starts encrypted with no plaintext at all; Explicit begins unencrypted and upgrades after the AUTH command.
- Negotiation: Implicit has none; Explicit uses an explicit AUTH SSL or AUTH TLS command.
- Compatibility: Explicit works with standard firewall and proxy configurations; Implicit frequently encounters blocks.
- Deprecation: Implicit is deprecated; Explicit is the current preferred method.
#Data Connection Encryption
No matter which mode is chosen, the data connection that carries directory listings and the actual file contents is always encrypted once the control channel security is established. The client and server negotiate a separate data channel using either active or passive mode, and that channel is protected by the same SSL/TLS session parameters. This guarantees that files cannot be intercepted or altered in transit.
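The Explicit negotiation sequence shown above, together with the data-channel protection step, modelled as a small client-side state machine. This is an added example, not code from the original article; the server replies are a constructed transcript, and the PBSZ 0 / PROT P exchange (required by RFC 4217 to protect the data channel) is included because the bare AUTH exchange alone does not cover it. In a real client, `ftplib.FTP_TLS` performs the same steps via `auth()`, `prot_p()` and `login()`.

```python
"""Explicit-mode FTPS control-channel negotiation as a state machine.

Added example, not the article's own code. The server side is a
constructed, scripted reply list; no network connection is made.
"""
from dataclasses import dataclass, field


class PlaintextCredentialError(Exception):
    """Raised if the client would send USER/PASS on an unencrypted channel."""


@dataclass
class ExplicitFtpsClient:
    user: str
    password: str
    tls_active: bool = False          # set once the handshake has completed
    sent: list = field(default_factory=list)

    def send(self, cmd: str) -> str:
        # Guard: credentials never leave the client before TLS is negotiated.
        if cmd.startswith(("USER", "PASS")) and not self.tls_active:
            raise PlaintextCredentialError(cmd.split()[0])
        self.sent.append(cmd)
        return cmd

    def negotiate(self, server_replies) -> list:
        """Drive the sequence: 220 -> AUTH TLS -> 234 -> PBSZ/PROT -> USER/PASS."""
        replies = iter(server_replies)
        banner = next(replies)
        if not banner.startswith("220"):
            raise RuntimeError(f"unexpected banner: {banner}")
        self.send("AUTH TLS")
        reply = next(replies)
        if not reply.startswith("234"):
            # Upgrade refused: abort rather than fall back to plain FTP login.
            raise RuntimeError(f"AUTH TLS refused: {reply}")
        self.tls_active = True        # stands in for the SSL/TLS handshake
        # RFC 4217: PBSZ 0 then PROT P so the data channel is encrypted too.
        self.send("PBSZ 0"); next(replies)
        self.send("PROT P"); next(replies)
        self.send(f"USER {self.user}"); next(replies)
        self.send(f"PASS {self.password}"); next(replies)
        return self.sent


# Constructed transcripts: a server that upgrades, and one that refuses AUTH.
GOOD_SERVER = ["220 FTP Server Ready",
               "234 AUTH command OK. Initializing SSL connection.",
               "200 PBSZ=0", "200 Protection set to Private",
               "331 Password required", "230 Login successful"]
BAD_SERVER = ["220 FTP Server Ready", "502 AUTH not implemented"]
```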
#Common Pitfalls
- Connecting to port 21 while set to Implicit mode, or port 990 while set to Explicit, produces immediate connection refusals or timeouts.
- Corporate or cloud firewalls that block non-standard ports often silently drop Implicit traffic on 990.
- Older FTP clients may implement only one of the two modes or support weak cipher suites that modern servers reject.
- Forgetting to enable passive mode when behind NAT results in data channel failures even if the control channel succeeds.
#Recommendation and Practical Takeaway
We recommend that all customers use Explicit FTP with port 21. This is the standard and preferred method for FTP security. If your FTP client supports it (such as FileZilla or WinSCP), you may want to consider using SFTP (SSH File Transfer Protocol) with port 22. Configure the client for Explicit TLS, enable passive mode, and verify the connection with a test upload. Check the session log to confirm that encryption is active before moving production data. For step-by-step client configuration examples, review the FTP connection guides in the support portal.