FTPS Commands

Three commands are used: AUTH, PBSZ and PROT. One of these, PBSZ, carries no information when the mechanism is TLS and is included only because the RFC specification (RFC 2228, on which FTPS as defined in RFC 4217 builds) requires it to be sent before PROT.

AUTH (AUTHentication)

The AUTH command takes a single parameter naming the security mechanism to be negotiated, normally 'TLS'. Many servers also accept 'SSL' for backward compatibility, but RFC 4217 specifies 'TLS', and the protocol version actually used is decided by the TLS handshake rather than by this keyword.

AUTH TLS

With this command the client asks the server to negotiate a TLS session on the control channel. If the server accepts it replies 234 and the TLS handshake begins immediately, so AUTH TLS must be sent before USER and PASS if the login credentials are to travel encrypted. During the handshake the server presents its certificate to the client (Server Validation); the client should verify that the certificate chains to a trusted CA and matches the server's hostname, since a client that accepts any certificate is not protected against an active attacker on the path. The server may also require the client to present its own certificate (Client Validation).

PBSZ (Protection Buffer SiZe)

The PBSZ command was designed to tell the server the largest buffer the security mechanism will use when it encrypts data on the data-channel. TLS does its own record framing, so for TLS the setting has no effect, and RFC 4217 requires that the parameter always be '0'.

PBSZ 0

Although the value is meaningless, the command itself is still required: it must be sent after AUTH TLS has succeeded and before the PROT command, and a server will reject PROT if no PBSZ has been issued.

PROT (data channel PROTection level)

PROT defines whether the data channel is to be protected. RFC 2228 defines four protection levels (Clear, Safe, Confidential and Private), but with TLS only two are permitted: Clear (the default) or Private. Clear means that no security is used on the data-channel, so file contents and directory listings are transmitted without encryption even though the control channel (and therefore the login) is encrypted. Private means that the data-channel is itself protected by TLS. So there are two possible PROT commands:

PROT C

for an unsecured data-channel, and

PROT P

for an encrypted data-channel. Servers are commonly configured to refuse PROT C and insist on PROT P; a client should likewise treat a refused PROT P as an error rather than silently falling back to a clear data-channel.
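The three commands above form one procedure, and the following Python is an added example (not code from this page or from any particular FTP client) that drives the whole sequence: AUTH TLS, wait for 234, start TLS, then PBSZ 0 and PROT P, checking each reply code and refusing to continue when the server declines. The server replies are a constructed transcript, not a capture from a real server; the reply codes follow RFC 4217 and RFC 2228. The helper names (negotiate_explicit_tls, ScriptedServer, connect_real) are this example's own. The last function shows the same sequence with the standard library's FTP_TLS class, whose auth() sends AUTH TLS and whose prot_p() sends PBSZ 0 followed by PROT P.

```python
"""Explicit FTPS control-channel negotiation: AUTH TLS -> PBSZ 0 -> PROT P.

Added example for this page; not code from the page or from any FTP client.
Server replies are a constructed transcript (RFC 4217 / RFC 2228 codes).
"""
import ssl
from ftplib import FTP_TLS


class FtpsError(Exception):
    """Raised when the server refuses a step of the negotiation."""


def parse_reply(raw):
    """Return (code, text) for an FTP reply, handling multi-line replies.

    A multi-line reply starts with 'NNN-' and ends with a line 'NNN '.
    """
    lines = raw.splitlines()
    if not lines or len(lines[0]) < 4 or not lines[0][:3].isdigit():
        raise FtpsError("malformed reply: %r" % raw)
    code = int(lines[0][:3])
    if lines[0][3] == "-":
        last = lines[-1]
        if not (last.startswith(lines[0][:3]) and last[3:4] == " "):
            raise FtpsError("unterminated multi-line reply: %r" % raw)
    return code, "\n".join(lines)


def negotiate_explicit_tls(send, recv, start_tls, level="P"):
    """Drive AUTH TLS -> PBSZ 0 -> PROT <level> over the control channel.

    send(line)   writes one command (CRLF added here).
    recv()       returns the server's next raw reply.
    start_tls()  wraps the control socket in TLS; called only after 234.
    Returns the list of (command, code) pairs actually exchanged.
    """
    transcript = []

    def step(cmd, ok_codes):
        send(cmd + "\r\n")
        code, text = parse_reply(recv())
        transcript.append((cmd, code))
        if code not in ok_codes:
            raise FtpsError("%s refused: %s" % (cmd, text))
        return code

    # 1. Ask for TLS on the control channel; 234 means "start the handshake".
    #    This happens before USER/PASS so the credentials never travel clear.
    step("AUTH TLS", {234})
    start_tls()
    # 2. PBSZ 0 is mandatory for TLS and must precede PROT; TLS does its own
    #    record buffering, so the value carries no meaning.
    step("PBSZ 0", {200})
    # 3. PROT P = encrypted data channel; PROT C = cleartext file transfers.
    #    RFC 4217 allows only C and P with TLS, so anything else is rejected here.
    if level not in ("C", "P"):
        raise ValueError("RFC 4217 only allows PROT C or PROT P with TLS")
    step("PROT " + level, {200})
    return transcript


class ScriptedServer:
    """Constructed stand-in for a server: answers from a fixed reply table."""

    def __init__(self, replies):
        self.replies = dict(replies)
        self.sent = []
        self.tls_started = False

    def send(self, line):
        self.sent.append(line.strip())

    def recv(self):
        return self.replies[self.sent[-1]]

    def start_tls(self):
        self.tls_started = True


def demo_good():
    """Happy path: the server accepts every step (constructed replies)."""
    srv = ScriptedServer({
        "AUTH TLS": "234 AUTH TLS successful\r\n",
        "PBSZ 0": "200 PBSZ 0 successful\r\n",
        "PROT P": "200 Protection set to Private\r\n",
    })
    return negotiate_explicit_tls(srv.send, srv.recv, srv.start_tls), srv.tls_started


def demo_refused():
    """Server without AUTH support (502): no TLS is started, nothing else sent."""
    srv = ScriptedServer({"AUTH TLS": "502 Command not implemented\r\n"})
    try:
        negotiate_explicit_tls(srv.send, srv.recv, srv.start_tls)
    except FtpsError as exc:
        return str(exc), srv.tls_started
    return None, srv.tls_started


def connect_real(host, user, password):
    """Same sequence against a real server using the standard library
    (not exercised offline). The default SSL context validates the server
    certificate chain and hostname, i.e. performs Server Validation."""
    ctx = ssl.create_default_context()
    ftps = FTP_TLS(context=ctx)
    ftps.connect(host, 21)
    ftps.auth()               # AUTH TLS, then TLS handshake on the control socket
    ftps.login(user, password)  # credentials now travel inside TLS
    ftps.prot_p()             # PBSZ 0 followed by PROT P
    return ftps
```

The negotiation function stops at the first refused step and never calls start_tls() unless the server answered 234, which is the behaviour a client needs to avoid sending USER and PASS over a connection that was never upgraded.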

Next: FTPS Usage