FTPS is FTP secure by TLS. It negotiates fully secured TLS connections where plain FTP uses clear text unsafe connections.
There are two ways to do FTPS with curl. The implicit way and the explicit way. (These terms originate from the FTPS RFC). Usually the server you work with dictates which of these methods you can and shall use against it.
The implicit way is when you use ftps://
in your URL. This makes curl
connect to the host and do a TLS handshake immediately, without doing anything
in the clear. If no port number is specified in the URL, curl uses port 990
for this. This is usually not how FTPS is done.
The explicit way of doing FTPS is to keep using an ftp://
URL, but
instruct curl to upgrade the connection into a secure one using the AUTH TLS
FTP command.
You can tell curl to either attempt an upgrade and continue as usual if the
upgrade fails with --ssl
, or you can force curl to either upgrade or fail
the whole thing hard if the upgrade fails by using --ssl-reqd
. We strongly
recommend using the latter, so that you can be sure that a secure transfer is
done - if any.
The single most common problem with FTPS comes from the fact that the FTP protocol (that FTPS transfers lean on) uses a separate connection setup for the data transfer. This connection is done to another port and when FTP is done over clear text (non-FTPS), firewalls and network inspectors etc can figure out that this is FTP in progress and they can adapt things and rules for the new connection.
When the FTP control channel is encrypted with TLS, firewalls cannot see what is going on and no outsider can dynamically adapt network rules or permission based on this.