How to set up FTP over SSL/TLS (FTPS)

Setting up the server
To set up FTP over SSL/TLS, the first thing to do is to make sure that the server supports FTPS and is configured to accept FTPS connections.

MobyExplorer supports what's known as Implicit FTPS, which means that the FTPS client connects to a dedicated port on the server (usually port 990) where the server expects SSL/TLS connection requests.

Examples of FTP servers that support implicit FTPS are the free FileZilla Server and the commercial GlobalSCAPE Secure FTP Server and Gene6 Server. Please consult the server manual for information on how to enable implicit FTPS over SSL/TLS.

SSL/TLS Certificates
SSL/TLS uses digital certificates to authenticate the server (and optionally the client). This means that, when the client connects to the server, the server presents the client with its SSL certificate. If the client trusts the certificate, the connection proceeds.

The phone has a list of root certificates from well-known and established Certification Authorities (CAs) which it considers trustworthy. If the server certificate validates and is signed by one of the CAs in the phone's list, the server is considered authenticated. Examples of well-known CAs are Verisign and Thawte.

If the phone cannot find the CA that signed the server certificate in its list of root certificates, the connection is rejected (some phones allow the user to proceed with the connection anyway, even though the certificate cannot be validated).

Setting up the SSL/TLS Certificates
If you are running your own FTP server and already have an SSL certificate for your server host, signed by a reputable CA whose root certificate is in your phone, then all you have to do is make sure that the FTP server uses this certificate for SSL/TLS connections. Please consult your FTP server manual on how to set up the server to use your SSL certificate.

If you already have an SSL certificate for your server, but it is signed by a CA which is not in your phone, then you can usually import the CA root certificate into your phone, for example via Bluetooth or by downloading it from a web site. Please consult your phone manual on how to import SSL/TLS root certificates into your phone.
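As an added example (not MobyExplorer's own code), the following Python script performs the implicit FTPS connection described above, keeps certificate verification strict in the same way the phone checks its root-certificate list, and classifies a failed connection according to the causes this page names. The helper names build_context, classify_failure and implicit_ftps_banner are assumptions, and cafile stands for the CA root certificate you would otherwise import into the phone.

```python
import socket
import ssl


def build_context(cafile=None):
    """Verification stays on: CERT_REQUIRED plus hostname checking, the same
    check the phone performs against its root-certificate list. A private CA
    root (the file you would otherwise import into the phone) can be trusted
    in addition to the platform store via cafile."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def classify_failure(exc):
    """Map a connection error onto the causes this page lists."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        code = getattr(exc, "verify_code", None)
        # OpenSSL codes 18-21: self-signed, or issuer not in the root list
        if code in (18, 19, 20, 21):
            return "untrusted-issuer"
        if code == 62:  # X509_V_ERR_HOSTNAME_MISMATCH
            return "hostname-mismatch"
        return "certificate-invalid"
    if isinstance(exc, ssl.SSLError):
        return "tls-handshake"  # e.g. port 990 answered with plain FTP
    if isinstance(exc, socket.gaierror):
        return "dns"
    if isinstance(exc, OSError):
        return "port-blocked"  # refused or timed out: firewall/NAT
    return "other"


def implicit_ftps_banner(host, port=990, cafile=None, timeout=10):
    """Implicit FTPS: TLS handshake first, then the FTP 220 greeting arrives
    inside the tunnel. Returns ("ok", banner) or (failure_class, detail)."""
    ctx = build_context(cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                banner = tls.recv(1024).decode("latin-1").strip()
                tls.sendall(b"QUIT\r\n")
                return ("ok", banner)
    except OSError as exc:  # ssl.SSLError is an OSError subclass
        return (classify_failure(exc), str(exc))
```

Calling implicit_ftps_banner("your.server.example", cafile="root.cer") from a machine outside your LAN tells you whether the issue is trust ("untrusted-issuer" means the CA root must be imported) or reachability ("port-blocked" points at the firewall/NAT problems described below).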

If you are running your own FTP server but don't have an SSL/TLS certificate, then you can create your own SSL certificate and root certificate to authenticate your server. Please go here for instructions on how to do this.

If you are using an FTP server which is not managed by yourself, please contact the administrator of that FTP server for information on how to set it up for FTPS.

Connecting to the FTPS server
If you have completed the above steps, you are all set to connect to your FTP server securely.

You connect to your FTP server in a similar way as for a normal FTP connection. In the Remote Connect window, enter the server name, address and password. Then scroll down to the bottom of the connect window and tick the Secure FTPS Mode check box. This automatically changes the connection settings to those best suited to FTPS. Don't forget to save the connection. Now just press OK to connect to the server.

Connection problems
If you are not able to connect to your server, there can be a number of different reasons. The most common are firewalls blocking the ports needed to run FTPS, and routers running NAT, which hide the internal IP address of your computer from the outside network. This can be on the client side, the server side or both.

All the challenges of running normal FTP in an environment with routers, firewalls and NAT apply even more to running FTPS. Some routers and firewalls are "content aware", meaning that they recognise the FTP commands and responses and automatically rewrite them so that FTP can pass through. When the connection is encrypted using SSL/TLS this doesn't work, since the firewall/router cannot decrypt the commands.

If you are having problems connecting to the FTPS server, please first go to this page to troubleshoot in the same way as for normal FTP connections.

If this still doesn't solve your problem, try ticking the "Clear Data Channel" check box in the Remote Connect window. With this setting the "data channel", i.e. the files you send to and from the FTP server, is not encrypted. However, the control channel, which carries your FTP commands, including the user name and password, is still encrypted. Using "Clear Data Channel" sometimes helps to get the connection working if the firewall is blocking the ports used to transfer the files.

Please also note that, due to limitations in Java, if you use "Active Mode" to connect to your FTPS server, "Clear Data Channel" will always be used. However, given the problems with getting firewalls and routers to handle SSL/TLS connections, "Passive Mode" is the preferred method for getting FTPS to work anyway.
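To illustrate the passive-mode and "Clear Data Channel" points above, here is an added Python example (not MobyExplorer's code). It builds the standard RFC 4217 commands behind such a setting and parses a PASV reply, substituting the control connection's address when the server advertises an internal RFC 1918 address that a NAT router could not rewrite inside the encrypted control channel. The function names and the sample replies in the comments are constructed.

```python
import ipaddress
import re

# RFC 1918 ranges: the "internal IP number" a NAT router hides from the outside.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def protection_commands(clear_data_channel):
    """RFC 4217 commands sent on the (already encrypted) control channel:
    PROT P encrypts file transfers, PROT C leaves them in the clear while
    the control channel, and thus the login, stays under TLS."""
    return ["PBSZ 0", "PROT C" if clear_data_channel else "PROT P"]


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def parse_pasv(reply, control_peer_ip):
    """Return (host, port) for the data connection from a 227 PASV reply,
    e.g. "227 Entering Passive Mode (192,168,1,10,195,80)" (constructed).
    A content-aware NAT router would normally rewrite the internal address in
    this reply, but it cannot see it under TLS; so if the server advertises an
    RFC 1918 address while we reached it from outside, reuse the address the
    control connection already works with."""
    if not reply.startswith("227"):
        raise ValueError("not a PASV reply: " + reply)
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError("malformed PASV reply: " + reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if not all(0 <= n <= 255 for n in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range: " + reply)
    advertised = ipaddress.ip_address(f"{h1}.{h2}.{h3}.{h4}")
    peer = ipaddress.ip_address(control_peer_ip)
    host = str(peer) if is_rfc1918(advertised) and not is_rfc1918(peer) else str(advertised)
    return host, p1 * 256 + p2
```

A client that applies this fallback still needs the data port range (here 50000) open on the server-side firewall, which is why "Clear Data Channel" or a fixed passive port range is often needed as well.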

© 2008 Bermin Software