FTPS Commands

Although RFC2228 defines eight new commands, the TLS implementation uses just three of them: AUTH, PBSZ, and PROT. In fact, one of these, PBSZ, appears to be redundant and is probably included only to satisfy the RFC specification.

AUTH (AUTHentication)

The AUTH command takes a single parameter which defines the security mechanism to be used. From the point of view of TLS, this parameter must be 'TLS'.

> AUTH TLS

The result of this is that an attempt is made to negotiate a TLS connection on the control channel. This involves the server trying to validate itself to the client by sending its certificate - this is called Server Validation. It may also involve the client sending its certificate to the server, which is called Client Validation. Section will present more detail on certificate validation.

PBSZ (Protection Buffer SiZe)

The PBSZ command is intended by RFC2228 to define the buffer size to be used by the security mechanism when it encrypts data on the data-channel. However, since TLS is a transport-layer protocol and therefore does not require explicit encryption of data by the application layer, this buffer size is redundant. Ford-Hutchinson therefore requires that a value of '0' always be passed as the parameter.

> PBSZ 0

While this call is redundant (as it is effectively implied by the AUTH command), it is required and must precede the PROT command.

PROT (data channel PROTection level)

PROT defines whether or not the data channel is to be protected. Though RFC2228 defines four possible protection levels, Ford-Hutchinson defines only two, Clear and Private. Clear means that no security is to be used on the data-channel, and Private means that the data-channel should be protected by TLS. Thus there are two possible PROT commands:

> PROT C

for an unsecured data-channel, and

> PROT P

for a TLS data-channel.
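The ordering rules above (AUTH TLS first, then PBSZ 0, then PROT C or P) are easy to get wrong on the server side, so here is a small server-side model of that command sequence. This is an added example, not code from the original page; the reply texts are constructed, the three-digit codes are standard FTP reply codes, and the class and function names are assumptions.

```python
class FtpsSession:
    def __init__(self):
        self.control_tls = False    # True once AUTH TLS has been accepted
        self.pbsz_done = False      # PBSZ 0 must precede PROT
        self.data_protection = "C"  # 'C' = clear, 'P' = TLS-protected data channel

    def handle(self, line):
        """Return the reply for one control-channel command line."""
        parts = line.strip().split(None, 1)
        if not parts:
            return "500 Syntax error, empty command"
        verb = parts[0].upper()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if verb == "AUTH":
            return self._auth(arg)
        if verb == "PBSZ":
            return self._pbsz(arg)
        if verb == "PROT":
            return self._prot(arg)
        return "502 Command not implemented"

    def _auth(self, mechanism):
        # The TLS profile accepts only 'TLS' as the AUTH parameter.
        if mechanism.upper() != "TLS":
            return "504 Command not implemented for that parameter"
        self.control_tls = True  # a real server starts the TLS handshake here
        return "234 AUTH TLS successful"

    def _pbsz(self, size):
        if not self.control_tls:
            return "503 Issue AUTH TLS first"
        if size != "0":  # buffer size is meaningless under TLS, so only 0 is valid
            return "501 PBSZ must be 0 when using TLS"
        self.pbsz_done = True
        return "200 PBSZ=0"

    def _prot(self, level):
        if not (self.control_tls and self.pbsz_done):
            return "503 PBSZ must precede PROT"
        level = level.upper()
        if level not in ("C", "P"):  # only Clear and Private are defined
            return "504 Only PROT C and PROT P are supported"
        self.data_protection = level
        return "200 Protection level set to " + level


def run_sequence(lines):
    """Feed command lines through one session and return the replies (constructed sample input)."""
    session = FtpsSession()
    return [session.handle(line) for line in lines]
```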
