FTPS - File Transfer Protocol Secure
What is FTPS?
FTPS stands for File Transfer Protocol Secure. It is an extension of the standard FTP protocol that adds support for SSL/TLS encryption, making file transfers more secure over a network.
What is the purpose of FTPS?
Secure uploading and downloading of files between systems.
Protecting sensitive data during transfer (e.g., credentials, documents).
Compliance with security standards (e.g., HIPAA, PCI-DSS).
Encrypted backups to remote servers or cloud storage.
Common in industries where data confidentiality and integrity are critical.
How does it work?
Client connects to FTPS server – Using an FTPS-compatible client (e.g., FileZilla, WinSCP).
SSL/TLS handshake – A secure encrypted session is established.
Authentication – Via username/password or certificate.
File operations – Upload, download, rename, delete, or move files securely.
Connection closes – Client disconnects when finished.
Two channels:
1. Command channel – Sends commands and responses (encrypted)
2. Data channel – Transfers files (can be encrypted depending on config)
Where is FTPS used?
Healthcare and finance – For secure transmission of sensitive records.
Enterprise IT – Secure internal and external file transfers.
Government and defense – Where compliance and encryption are mandatory.
Cloud storage providers – Secure uploads and backups.
Which OSI Layer does this protocol belong to?
FTPS operates at the Application Layer (Layer 7) of the OSI model.
It uses application-level commands like AUTH, USER, PASS, RETR, STOR, etc.
It relies on TCP (Layer 4) for reliable transmission, but the protocol logic sits at Layer 7.
Version Info
sno | DLNA Version | core/Contribution | RFC Details | Year |
---|---|---|---|---|
1 | Not Applicable | FTPS (Explicit Mode) | RFC 4217 Securing FTP with TLS | 2005 |
2 | Not Applicable | FTP Base Protocol | RFC 959 File Transfer Protocol | 1985 |
3 | Not Applicable | TLS Protocol Used in FTPS | RFC 8446 TLS 1.3 | 2018 |
4 | Not Applicable | Deprecated SSL Usage | RFC 7568 Deprecating SSL | |
Setup
AUTH
S.No | Protocol Packets | Description | Size (bytes) |
---|---|---|---|
1 | AUTH TLS | Initiates secure connection using TLS | ~50-100 |

Field | Description | Size |
---|---|---|
Command | The command sent to initiate TLS | AUTH TLS (8 bytes) |
Response Code | Server response (e.g., 234) | 3 bytes |
Response Message | Human-readable message | ~30-100 bytes |
TLS Version | TLS version used (e.g., TLS 1.2) | 2 bytes |
ClientHello | Initial handshake message from client | ~512-1024 bytes |
ServerHello | Server’s handshake response | ~512-1024 bytes |
Session ID | Identifier for the TLS session | 32 bytes |
Cipher Suites | List of supported ciphers | ~2-256 bytes |
Compression Methods | Supported compression methods | 1-2 bytes |
Extensions | TLS extensions (e.g., SNI, ALPN) | Variable (up to 1 KB) |
Certificate | Server’s X.509 certificate | ~1-3 KB |
Certificate Chain | Intermediate certificates | ~1-5 KB |
Server Key Exchange | Key exchange parameters | ~256-1024 bytes |
Client Key Exchange | Client’s key exchange message | ~256-1024 bytes |
Pre-Master Secret | Shared secret for key derivation | 48 bytes |
Master Secret | Derived from pre-master secret | 48 bytes |
Finished Message | Final handshake message | ~64 bytes |
Session Keys | Keys for encryption/decryption | 128-256 bits |
MAC Keys | Keys for message authentication | 128-256 bits |
Handshake Hash | Hash of handshake messages | 32-64 bytes |
Random Values | Client and server randoms | 32 bytes each |
TLS Record Header | Header for each TLS record | 5 bytes |
Content Type | Type of TLS record (e.g., handshake) | 1 byte |
Protocol Version | TLS version in record | 2 bytes |
Length | Length of TLS record | 2 bytes |
Encrypted Data | Encrypted application data | Variable |
MAC | Message authentication code | 16-32 bytes |
Padding | For block ciphers | Variable |
Alert Level | Warning or fatal | 1 byte |
Alert Description | Reason for alert | 1 byte |
Renegotiation Info | Extension for secure renegotiation | Variable |
ALPN Protocol | Application Layer Protocol Negotiation | Variable |
SNI | Server Name Indication | Variable |
OCSP Stapling | Certificate status info | Variable |
Key Exchange Algorithm | E.g., RSA, ECDHE | Variable |
Signature Algorithm | E.g., SHA256 with RSA | Variable |
Elliptic Curve | Used in ECDHE | Variable |
DH Parameters | For Diffie-Hellman | Variable |
Session Ticket | For session resumption | Variable |
PSK Identity | Pre-shared key identity | Variable |
Heartbeat Extension | For keep-alive | Variable |
Record MAC | MAC for each record | 16-32 bytes |
Record IV | Initialization vector | 16 bytes |
Record Sequence Number | For replay protection | 8 bytes |
TLS Handshake Type | Type of handshake message | 1 byte |
Handshake Length | Length of handshake message | 3 bytes |
Handshake Message | Actual handshake data | Variable |
TLS Session Cache | Cached session info | Variable |
TLS Session Resumption | Mechanism for reusing sessions | Variable |
TLS Ticket Lifetime | Validity of session ticket | 4 bytes |
TLS Ticket Age | Age of session ticket | 4 bytes |
TLS Ticket Nonce | Random nonce | 8-16 bytes |
TLS Ticket | Encrypted session state | Variable |
PBSZ
S.No | Protocol Packets | Description | Size (bytes) |
---|---|---|---|
2 | PBSZ | Protection buffer size negotiation | ~40-60 |

Field | Description | Size |
---|---|---|
Command | The PBSZ command | PBSZ (4 bytes) |
Parameter | Buffer size value (usually 0) | 1-4 bytes |
Response Code | Server response (e.g., 200) | 3 bytes |
Response Message | Human-readable message | ~30-100 bytes |
TLS Version | TLS version in use | 2 bytes |
Session ID | TLS session identifier | 32 bytes |
Client IP | IP address of client | 4-16 bytes |
Server IP | IP address of server | 4-16 bytes |
Client Port | Port used by client | 2 bytes |
Server Port | Port used by server | 2 bytes |
Data Channel Type | Type of data channel (e.g., TLS) | Variable |
Protection Level | Level of protection (e.g., Clear, Safe) | 1 byte |
Negotiated Buffer Size | Agreed buffer size (usually 0) | 4 bytes |
TLS Record Size | Size of TLS record | Variable |
TLS Fragment Size | Fragmentation size for TLS | Variable |
TLS MAC Size | Size of MAC in TLS record | 16-32 bytes |
TLS Padding Size | Padding for block ciphers | Variable |
TLS Header Size | Header for TLS record | 5 bytes |
TLS Footer Size | Footer (MAC + padding) | Variable |
Data Channel Encryption | Whether encryption is enabled | 1 byte |
Data Channel Integrity | Whether integrity is enforced | 1 byte |
Session Resumption | Whether session is resumed | 1 byte |
Session Ticket | TLS session ticket | Variable |
TLS Alert Code | Alert if negotiation fails | 1 byte |
TLS Alert Description | Reason for alert | 1 byte |
TLS Handshake Status | Status of handshake | 1 byte |
TLS Cipher Suite | Cipher used for encryption | 2 bytes |
TLS Compression | Compression method | 1 byte |
TLS Extension Count | Number of TLS extensions | 1 byte |
TLS Extension Type | Type of extension (e.g., ALPN) | 2 bytes |
TLS Extension Length | Length of extension data | 2 bytes |
TLS Extension Data | Actual extension data | Variable |
ClientHello Random | Random value from client | 32 bytes |
ServerHello Random | Random value from server | 32 bytes |
Handshake Hash | Hash of handshake messages | 32-64 bytes |
TLS Session Cache | Cached session info | Variable |
TLS Key Material | Derived keys for encryption | Variable |
TLS MAC Key | Key for message authentication | Variable |
TLS IV | Initialization vector | 16 bytes |
TLS Sequence Number | For replay protection | 8 bytes |
TLS Finished Message | Final handshake message | ~64 bytes |
TLS Alert Level | Warning or fatal | 1 byte |
TLS Alert Description | Description of alert | 1 byte |
PBSZ Negotiation Status | Success or failure | 1 byte |
PBSZ Max Buffer Size | Max buffer size supported | 4 bytes |
PBSZ Effective Size | Actual buffer size used | 4 bytes |
PBSZ Negotiation Timestamp | Time of negotiation | 8 bytes |
PBSZ Negotiation Log | Log entry for audit | Variable |
PBSZ Error Code | Error code if failed | 2 bytes |
PBSZ Error Message | Description of error | Variable |
PBSZ Retry Count | Number of retries | 1 byte |
PBSZ Retry Delay | Delay between retries | 2 bytes |
PBSZ Session ID | Unique session identifier | 32 bytes |
PBSZ Command Length | Length of PBSZ command | 2 bytes |
PBSZ Command Timestamp | Time command was issued | 8 bytes |
PROT
S.No | Protocol Packets | Description | Size (bytes) |
---|---|---|---|
3 | PROT | Sets data channel protection level | ~40-60 |

Field | Description | Size |
---|---|---|
Command | The PROT command | PROT (4 bytes) |
Parameter | Protection level (C, S, E, P) | 1 byte |
Response Code | Server response (e.g., 200) | 3 bytes |
Response Message | Human-readable message | ~30-100 bytes |
TLS Version | TLS version in use | 2 bytes |
Session ID | TLS session identifier | 32 bytes |
Client IP | IP address of client | 4-16 bytes |
Server IP | IP address of server | 4-16 bytes |
Client Port | Port used by client | 2 bytes |
Server Port | Port used by server | 2 bytes |
Data Channel Type | Type of data channel (e.g., TLS, clear) | Variable |
Protection Level | Negotiated level (C, S, E, P) | 1 byte |
TLS Record Size | Size of TLS record | Variable |
TLS Fragment Size | Fragmentation size for TLS | Variable |
TLS MAC Size | Size of MAC in TLS record | 16-32 bytes |
TLS Padding Size | Padding for block ciphers | Variable |
TLS Header Size | Header for TLS record | 5 bytes |
TLS Footer Size | Footer (MAC + padding) | Variable |
Data Channel Encryption | Whether encryption is enabled | 1 byte |
Data Channel Integrity | Whether integrity is enforced | 1 byte |
Session Resumption | Whether session is resumed | 1 byte |
Session Ticket | TLS session ticket | Variable |
TLS Alert Code | Alert if negotiation fails | 1 byte |
TLS Alert Description | Reason for alert | 1 byte |
TLS Cipher Suite | Cipher used for encryption | 2 bytes |
TLS Compression | Compression method | 1 byte |
TLS Extension Count | Number of TLS extensions | 1 byte |
TLS Extension Type | Type of extension (e.g., ALPN) | 2 bytes |
TLS Extension Length | Length of extension data | 2 bytes |
TLS Extension Data | Actual extension data | Variable |
ClientHello Random | Random value from client | 32 bytes |
ServerHello Random | Random value from server | 32 bytes |
Handshake Hash | Hash of handshake messages | 32-64 bytes |
TLS Session Cache | Cached session info | Variable |
TLS Key Material | Derived keys for encryption | Variable |
TLS MAC Key | Key for message authentication | Variable |
TLS IV | Initialization vector | 16 bytes |
TLS Sequence Number | For replay protection | 8 bytes |
TLS Finished Message | Final handshake message | ~64 bytes |
TLS Alert Level | Warning or fatal | 1 byte |
TLS Alert Description | Description of alert | 1 byte |
PROT Negotiation Status | Success or failure | 1 byte |
PROT Command Timestamp | Time command was issued | 8 bytes |
PROT Negotiation Timestamp | Time of negotiation | 8 bytes |
PROT Negotiation Log | Log entry for audit | Variable |
PROT Error Code | Error code if failed | 2 bytes |
PROT Error Message | Description of error | Variable |
PROT Retry Count | Number of retries | 1 byte |
PROT Retry Delay | Delay between retries | 2 bytes |
PROT Session ID | Unique session identifier | 32 bytes |
PROT Command Length | Length of PROT command | 2 bytes |
USER
S.No | Protocol Packets | Description | Size (bytes) |
---|---|---|---|
4 | USER | Sends username for authentication | ~40-80 |

Field | Description | Size |
---|---|---|
Command | The FTP command | USER (4 bytes) |
Username | The username being sent | Variable (1-64 bytes) |
Command Length | Total length of the command | 5-70 bytes |
Response Code | Server response (e.g., 331) | 3 bytes |
Response Message | Human-readable message | ~30-100 bytes |
Client IP | IP address of client | 4-16 bytes |
Server IP | IP address of server | 4-16 bytes |
Client Port | Port used by client | 2 bytes |
Server Port | Port used by server | 2 bytes |
Session ID | Unique session identifier | 32 bytes |
Timestamp | Time of command | 8 bytes |
Authentication Status | Pending, success, or failure | 1 byte |
Login Attempts | Number of login attempts | 1 byte |
Max Login Attempts | Allowed attempts before lockout | 1 byte |
User Exists | Whether the user exists | 1 byte |
User Account Status | Active, locked, expired | 1 byte |
User Role | Role (admin, guest, etc.) | Variable |
User Group | Group membership | Variable |
User Home Directory | Default directory after login | Variable |
User Shell | Shell assigned (if applicable) | Variable |
User Quota | Storage quota assigned | Variable |
User Quota Used | Storage used | Variable |
User Last Login | Timestamp of last login | 8 bytes |
User Login History | Log of past logins | Variable |
User Auth Method | Password, key, etc. | Variable |
User Auth Source | Local, LDAP, etc. | Variable |
User Lockout Status | Locked or unlocked | 1 byte |
User Lockout Reason | Reason for lockout | Variable |
User Lockout Time | Time of lockout | 8 bytes |
User Password Expiry | Time until password expires | 8 bytes |
User Password Last Set | Timestamp of last password change | 8 bytes |
User Password Policy | Complexity rules | Variable |
User MFA Enabled | Multi-factor authentication status | 1 byte |
User MFA Method | TOTP, SMS, etc. | Variable |
User Timezone | Timezone setting | Variable |
User IP Restrictions | Allowed IPs | Variable |
User Agent | Client software info | Variable |
User Device Info | Device fingerprint | Variable |
User Login Token | Temporary login token | Variable |
User Login Signature | Digital signature (if used) | Variable |
User Login Certificate | Certificate (if used) | Variable |
User Login Attempt Timestamp | Time of attempt | 8 bytes |
User Login Attempt Result | Success or failure | 1 byte |
User Login Attempt Source | IP or device info | Variable |
User Login Attempt Log | Log entry | Variable |
User Session Key | Key for session encryption | Variable |
User Session State | Active, idle, closed | 1 byte |
User Session Duration | Time since login | 4 bytes |
User Session Activity | Last activity timestamp | 8 bytes |
PASS
S.No | Protocol Packets | Description | Size (bytes) |
---|---|---|---|
5 | PASS | Sends password for authentication | ~40-80 |

Field | Description | Size |
---|---|---|
Command | The FTP command | PASS (4 bytes) |
Password | The password being sent | Variable (8-64 bytes) |
Command Length | Total length of the command | 10-70 bytes |
Response Code | Server response (e.g., 230, 530) | 3 bytes |
Response Message | Human-readable message | ~30-100 bytes |
Client IP | IP address of client | 4-16 bytes |
Server IP | IP address of server | 4-16 bytes |
Client Port | Port used by client | 2 bytes |
Server Port | Port used by server | 2 bytes |
Session ID | Unique session identifier | 32 bytes |
Timestamp | Time of command | 8 bytes |
Authentication Status | Success or failure | 1 byte |
Login Attempts | Number of login attempts | 1 byte |
Max Login Attempts | Allowed attempts before lockout | 1 byte |
Password Validity | Whether password is valid | 1 byte |
Password Expiry | Time until password expires | 8 bytes |
Password Last Set | Timestamp of last password change | 8 bytes |
Password Policy | Complexity rules | Variable |
Password Hash | Hashed version of password | 32-64 bytes |
Password Salt | Salt used in hashing | 16-32 bytes |
Password Encryption | Encryption method used | Variable |
Password Auth Method | Plain, hashed, certificate, etc. | Variable |
User Account Status | Active, locked, expired | 1 byte |
User Role | Role (admin, guest, etc.) | Variable |
User Group | Group membership | Variable |
User MFA Enabled | Multi-factor authentication status | 1 byte |
User MFA Method | TOTP, SMS, etc. | Variable |
User Lockout Status | Locked or unlocked | 1 byte |
User Lockout Reason | Reason for lockout | Variable |
User Lockout Time | Time of lockout | 8 bytes |
User Session Timeout | Timeout duration | 4 bytes |
User Locale | Language/region settings | Variable |
User Timezone | Timezone setting | Variable |
User IP Restrictions | Allowed IPs | Variable |
User Agent | Client software info | Variable |
User Device Info | Device fingerprint | Variable |
Login Token | Temporary login token | Variable |
Login Signature | Digital signature (if used) | Variable |
Login Certificate | Certificate (if used) | Variable |
Login Attempt Timestamp | Time of attempt | 8 bytes |
Login Attempt Result | Success or failure | 1 byte |
Login Attempt Source | IP or device info | Variable |
Login Attempt Log | Log entry | Variable |
Session Key | Key for session encryption | Variable |
Session State | Active, idle, closed | 1 byte |
Session Duration | Time since login | 4 bytes |
Session Activity | Last activity timestamp | 8 bytes |
TLS Encryption Used | Whether TLS was used | 1 byte |
TLS Cipher Suite | Cipher used for encryption | 2 bytes |
TLS Session ID | TLS session identifier | 32 bytes |
TLS Alert Code | Alert if authentication fails | 1 byte |
TLS Alert Description | Reason for alert | 1 byte |
LIST
S.No | Protocol Packets | Description | Size (bytes) |
---|---|---|---|
6 | LIST | Requests directory listing | ~40-100 |

Field | Description | Size |
---|---|---|
Command | The FTP command | LIST (4 bytes) |
Command Argument | Optional path or pattern | Variable (0-256 bytes) |
Command Length | Total length of the command | 4-260 bytes |
Response Code | Server response (e.g., 150, 226) | 3 bytes |
Response Message | Human-readable message | ~30-100 bytes |
Client IP | IP address of client | 4-16 bytes |
Server IP | IP address of server | 4-16 bytes |
Client Port | Port used by client | 2 bytes |
Server Port | Port used by server | 2 bytes |
Session ID | Unique session identifier | 32 bytes |
Timestamp | Time of command | 8 bytes |
Data Channel Type | Clear or encrypted | 1 byte |
Data Channel Port | Port used for data transfer | 2 bytes |
Data Channel Encryption | Whether encryption is enabled | 1 byte |
Data Channel Cipher | Cipher used if encrypted | Variable |
Data Channel Status | Open, closed, error | 1 byte |
Transfer Mode | ASCII or binary | 1 byte |
Transfer Direction | Upload or download | 1 byte |
Transfer Status | Success or failure | 1 byte |
Transfer Start Time | Timestamp | 8 bytes |
Transfer End Time | Timestamp | 8 bytes |
Transfer Duration | Time taken | 4 bytes |
Transfer Size | Total bytes transferred | 4-8 bytes |
Directory Path | Path being listed | Variable |
File Count | Number of files listed | 2-4 bytes |
File Name | Name of file or directory | Variable |
File Type | File or directory | 1 byte |
File Size | Size in bytes | 4-8 bytes |
File Permissions | Unix-style permissions | 10 bytes |
File Owner | Owner name or ID | Variable |
File Group | Group name or ID | Variable |
File Timestamp | Last modified time | 8 bytes |
File Creation Time | Creation time (if available) | 8 bytes |
File Access Time | Last access time | 8 bytes |
File Extension | File type extension | Variable |
File Hidden | Whether file is hidden | 1 byte |
File Symlink | Whether file is a symlink | 1 byte |
File Symlink Target | Target of symlink | Variable |
File Checksum | Optional checksum (e.g., MD5) | 16-32 bytes |
File Encoding | Character encoding used | Variable |
File Locale | Locale of file metadata | Variable |
Directory Listing Format | Unix, DOS, MLSD, etc. | Variable |
Listing Charset | Charset used in listing | Variable |
Listing Line Count | Number of lines in listing | 2-4 bytes |
Listing Line Length | Average line length | 2-4 bytes |
Listing Total Size | Total size of listing data | 4-8 bytes |
Listing Compression | Whether compressed | 1 byte |
Listing Compression Type | GZIP, ZIP, etc. | Variable |
Listing Transfer Encoding | ASCII, UTF-8, etc. | Variable |
Listing Transfer Chunk Size | Size of each chunk | 2-4 bytes |
Listing Transfer Retry Count | Retries if failed | 1 byte |
Listing Transfer Retry Delay | Delay between retries | 2 bytes |
Listing Transfer Log | Log entry for audit | Variable |
TLS Session ID | If encrypted | 32 bytes |
TLS Cipher Suite | Cipher used | 2 bytes |
TLS Alert Code | If error occurs | 1 byte |
TLS Alert Description | Description of alert | Variable |
RETR
S.No | Protocol Packets | Description | Size (bytes) |
---|---|---|---|
7 | RETR | Requests file download | ~40-100 |

Field | Description | Size |
---|---|---|
Command | The FTP command | RETR (4 bytes) |
Command Argument | Path to the file to retrieve | Variable (1-256 bytes) |
Command Length | Total length of the command | 5-260 bytes |
Response Code | Server response (e.g., 150, 226, 550) | 3 bytes |
Response Message | Human-readable message | ~30-100 bytes |
Client IP | IP address of client | 4-16 bytes |
Server IP | IP address of server | 4-16 bytes |
Client Port | Port used by client | 2 bytes |
Server Port | Port used by server | 2 bytes |
Session ID | Unique session identifier | 32 bytes |
Timestamp | Time of command | 8 bytes |
Data Channel Type | Clear or encrypted | 1 byte |
Data Channel Port | Port used for data transfer | 2 bytes |
Data Channel Encryption | Whether encryption is enabled | 1 byte |
Data Channel Cipher | Cipher used if encrypted | Variable |
Data Channel Status | Open, closed, error | 1 byte |
Transfer Mode | ASCII or binary | 1 byte |
Transfer Direction | Download | 1 byte |
Transfer Status | Success or failure | 1 byte |
Transfer Start Time | Timestamp | 8 bytes |
Transfer End Time | Timestamp | 8 bytes |
Transfer Duration | Time taken | 4 bytes |
Transfer Size | Total bytes transferred | 4-8 bytes |
File Path | Full path of the file | Variable |
File Name | Name of the file | Variable |
File Extension | File type extension | Variable |
File Size | Size in bytes | 4-8 bytes |
File Type | Regular file, symlink, etc. | 1 byte |
File Permissions | Unix-style permissions | 10 bytes |
File Owner | Owner name or ID | Variable |
File Group | Group name or ID | Variable |
File Timestamp | Last modified time | 8 bytes |
File Creation Time | Creation time (if available) | 8 bytes |
File Access Time | Last access time | 8 bytes |
File Checksum | Optional checksum (e.g., MD5) | 16-32 bytes |
File Encoding | Character encoding used | Variable |
File Locale | Locale of file metadata | Variable |
File Compression | Whether compressed | 1 byte |
File Compression Type | GZIP, ZIP, etc. | Variable |
File Transfer Chunk Size | Size of each chunk | 2-4 bytes |
File Transfer Retry Count | Retries if failed | 1 byte |
File Transfer Retry Delay | Delay between retries | 2 bytes |
File Transfer Log | Log entry for audit | Variable |
TLS Session ID | If encrypted | 32 bytes |
TLS Cipher Suite | Cipher used | 2 bytes |
TLS Alert Code | If error occurs | 1 byte |
TLS Alert Description | Description of alert | Variable |
Resume Offset | Byte offset for resuming download | 4-8 bytes |
Bandwidth Limit | Throttle limit (if applied) | 4 bytes |
Client User Agent | Client software info | Variable |
Client Device Info | Device fingerprint | Variable |
Client Authentication Status | Authenticated or not | 1 byte |
Client Session Timeout | Timeout duration | 4 bytes |
Client Locale | Language/region settings | Variable |
Client Timezone | Timezone setting | Variable |
Client IP Restrictions | Allowed IPs | Variable |
STOR
S.No | Protocol Packets | Description | Size (bytes) |
---|---|---|---|
8 | STOR | Requests file upload | ~40-100 |

Field | Description | Size |
---|---|---|
Command | The FTP command | STOR (4 bytes) |
Command Argument | Path or name of the file to upload | Variable (1-256 bytes) |
Command Length | Total length of the command | 5-260 bytes |
Response Code | Server response (e.g., 150, 226, 553) | 3 bytes |
Response Message | Human-readable message | ~30-100 bytes |
Client IP | IP address of client | 4-16 bytes |
Server IP | IP address of server | 4-16 bytes |
Client Port | Port used by client | 2 bytes |
Server Port | Port used by server | 2 bytes |
Session ID | Unique session identifier | 32 bytes |
Timestamp | Time of command | 8 bytes |
Data Channel Type | Clear or encrypted | 1 byte |
Data Channel Port | Port used for data transfer | 2 bytes |
Data Channel Encryption | Whether encryption is enabled | 1 byte |
Data Channel Cipher | Cipher used if encrypted | Variable |
Data Channel Status | Open, closed, error | 1 byte |
Transfer Mode | ASCII or binary | 1 byte |
Transfer Direction | Upload | 1 byte |
Transfer Status | Success or failure | 1 byte |
Transfer Start Time | Timestamp | 8 bytes |
Transfer End Time | Timestamp | 8 bytes |
Transfer Duration | Time taken | 4 bytes |
Transfer Size | Total bytes transferred | 4-8 bytes |
File Path | Full path of the file | Variable |
File Name | Name of the file | Variable |
File Extension | File type extension | Variable |
File Size | Size in bytes | 4-8 bytes |
File Type | Regular file, symlink, etc. | 1 byte |
File Permissions | Unix-style permissions | 10 bytes |
File Owner | Owner name or ID | Variable |
File Group | Group name or ID | Variable |
File Timestamp | Last modified time | 8 bytes |
File Creation Time | Creation time (if available) | 8 bytes |
File Access Time | Last access time | 8 bytes |
File Checksum | Optional checksum (e.g., MD5) | 16-32 bytes |
File Encoding | Character encoding used | Variable |
File Locale | Locale of file metadata | Variable |
File Compression | Whether compressed | 1 byte |
File Compression Type | GZIP, ZIP, etc. | Variable |
File Transfer Chunk Size | Size of each chunk | 2-4 bytes |
File Transfer Retry Count | Retries if failed | 1 byte |
File Transfer Retry Delay | Delay between retries | 2 bytes |
File Transfer Log | Log entry for audit | Variable |
TLS Session ID | If encrypted | 32 bytes |
TLS Cipher Suite | Cipher used | 2 bytes |
TLS Alert Code | If error occurs | 1 byte |
TLS Alert Description | Description of alert | Variable |
Resume Offset | Byte offset for resuming upload | 4-8 bytes |
Bandwidth Limit | Throttle limit (if applied) | 4 bytes |
Client User Agent | Client software info | Variable |
Client Device Info | Device fingerprint | Variable |
Client Authentication Status | Authenticated or not | 1 byte |
Client Session Timeout | Timeout duration | 4 bytes |
Client Locale | Language/region settings | Variable |
Client Timezone | Timezone setting | Variable |
Client IP Restrictions | Allowed IPs | Variable |
QUIT
S.No | Protocol Packets | Description | Size (bytes) |
---|---|---|---|
9 | QUIT | Terminates the session | ~40-60 |

Field | Description | Size |
---|---|---|
Command | The FTP command | QUIT (4 bytes) |
Command Length | Total length of the command | 4 bytes |
Response Code | Server response (e.g., 221) | 3 bytes |
Response Message | Human-readable message | ~30-100 bytes |
Client IP | IP address of client | 4-16 bytes |
Server IP | IP address of server | 4-16 bytes |
Client Port | Port used by client | 2 bytes |
Server Port | Port used by server | 2 bytes |
Session ID | Unique session identifier | 32 bytes |
Session Start Time | When the session began | 8 bytes |
Session End Time | When the session ended | 8 bytes |
Session Duration | Total session time | 4 bytes |
Session State | Active, closed, timed out | 1 byte |
User Authenticated | Whether user was authenticated | 1 byte |
User Name | Username used in session | Variable |
User Role | Role (admin, guest, etc.) | Variable |
User Group | Group membership | Variable |
User Locale | Language/region settings | Variable |
User Timezone | Timezone setting | Variable |
TLS Session ID | If encrypted | 32 bytes |
TLS Cipher Suite | Cipher used | 2 bytes |
TLS Alert Code | If error occurs | 1 byte |
TLS Alert Description | Description of alert | Variable |
Data Channel Status | Open, closed, error | 1 byte |
Data Channel Encryption | Whether encryption was used | 1 byte |
Data Channel Port | Port used for data transfer | 2 bytes |
Transfer Count | Number of transfers in session | 2 bytes |
Total Bytes Sent | Bytes sent to server | 4-8 bytes |
Total Bytes Received | Bytes received from server | 4-8 bytes |
Last Command | Last command before QUIT | Variable |
Last Command Timestamp | Time of last command | 8 bytes |
Error Count | Number of errors in session | 2 bytes |
Warning Count | Number of warnings | 2 bytes |
Session Termination Reason | Normal, timeout, error | Variable |
Session Termination Log | Log entry for audit | Variable |
Client Software | FTP client name/version | Variable |
Client OS | Operating system info | Variable |
Client Device Info | Device fingerprint | Variable |
Server Software | FTP server name/version | Variable |
Server OS | Operating system info | Variable |
Server Uptime | Uptime at session end | 4-8 bytes |
Server Load | Load at session end | Variable |
Log File Entry | Entry in server logs | Variable |
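The command sequence tabulated above (AUTH TLS first, then USER/PASS, with PBSZ and PROT before LIST, RETR or STOR) and the two-channel note under "How does it work?" can be checked against a recorded control-channel transcript. The Python audit below is an added example, not code from the original page: the `C:`/`S:` log format, the function names and both sample sessions are constructed assumptions, and the data-command set goes slightly beyond the page by also covering NLST, MLSD and APPE.

```python
from dataclasses import dataclass, field

# Commands that open a data channel: LIST/RETR/STOR from this page, plus
# NLST, MLSD and APPE, which open one the same way.
DATA_COMMANDS = {"LIST", "NLST", "MLSD", "RETR", "STOR", "APPE"}
CREDENTIAL_COMMANDS = {"USER", "PASS"}


@dataclass
class SessionState:
    tls_control: bool = False  # control channel is inside TLS
    pbsz_done: bool = False    # PBSZ accepted; it must precede PROT
    prot: str = "C"            # data channel level; Clear until PROT changes it
    findings: list = field(default_factory=list)


def parse_transcript(lines):
    """Yield (verb, argument, reply_code) for every client command.

    Lines look like 'C: <command>' or 'S: <reply>' (assumed log format).
    A command is paired with the first complete reply that follows it, so a
    transfer is reported with its 1xx 'starting' code, not the later 226.
    """
    pending = None
    for raw in lines:
        line = raw.strip()
        if line.startswith("C:"):
            if pending is not None:
                yield (*pending, None)  # previous command never got a reply
            verb, _, arg = line[2:].strip().partition(" ")
            pending = (verb.upper(), arg.strip())
        elif line.startswith("S:") and pending is not None:
            reply = line[2:].strip()
            if reply[:3].isdigit() and reply[3:4] != "-":  # skip '211-' lines
                yield (*pending, int(reply[:3]))
                pending = None
    if pending is not None:
        yield (*pending, None)


def audit_session(lines, implicit=False):
    """Return findings for one session; implicit=True means TLS from connect."""
    st = SessionState(tls_control=implicit)
    for verb, arg, code in parse_transcript(lines):
        accepted = code is not None and 200 <= code < 400
        if verb == "AUTH" and code == 234:
            st.tls_control = True
        elif verb in CREDENTIAL_COMMANDS and not st.tls_control:
            # Never echo the argument: for PASS it is the password itself.
            outcome = "accepted" if accepted else "refused"
            st.findings.append(
                f"{verb} sent in cleartext before AUTH TLS; server {outcome} it")
        elif verb == "PBSZ" and accepted:
            st.pbsz_done = True
        elif verb == "PROT" and accepted:
            if not st.pbsz_done:
                st.findings.append("PROT accepted without a preceding PBSZ")
            st.prot = arg[:1].upper() or "C"
        elif verb in DATA_COMMANDS and code is not None and 100 <= code < 200:
            if st.prot != "P":
                st.findings.append(
                    f"{verb} started with PROT {st.prot}: data channel not encrypted")
    return st.findings


# Constructed sample sessions (not captured traffic).
HARDENED = """\
S: 220 FTPS server ready
C: AUTH TLS
S: 234 Proceed with negotiation
C: USER alice
S: 331 Password required
C: PASS <redacted>
S: 230 Login successful
C: PBSZ 0
S: 200 PBSZ=0
C: PROT P
S: 200 Protection level set to P
C: LIST
S: 150 Opening data connection
S: 226 Transfer complete
""".splitlines()

PLAIN_FALLBACK = """\
S: 220 FTPS server ready
C: USER alice
S: 331 Password required
C: PASS <redacted>
S: 230 Login successful
C: RETR report.csv
S: 150 Opening data connection
S: 226 Transfer complete
""".splitlines()

if __name__ == "__main__":
    for name, session in (("hardened", HARDENED), ("plain", PLAIN_FALLBACK)):
        print(name, audit_session(session))
```

A server that refuses the cleartext USER or the unprotected RETR still produces a "refused" finding for the client that tried, which separates client misconfiguration from a server that allows fallback to plain FTP.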
sno | Use Case | Description |
---|---|---|
1 | Secure File Transfers | FTPS is used to securely transfer files between clients and servers using TLS encryption. |
2 | Enterprise Data Exchange | Common in corporate environments for exchanging sensitive documents like financial reports, HR data, etc. |
3 | Automated Backup Systems | Used in automated scripts or software to securely back up data to remote servers. |
4 | Healthcare Data Compliance | Supports HIPAA-compliant data transfers in healthcare systems. |
5 | Government File Submissions | Used by government agencies to securely collect or distribute official documents. |
6 | E-commerce Transactions | Transfers order data, invoices, and customer information securely between systems. |
7 | Cross-Platform File Sharing | Enables secure file sharing between different operating systems and platforms. |
8 | Secure Software Updates | Distributes software patches and updates securely to clients or partners. |
Basic Features
sno | Feature | Description |
---|---|---|
1 | TLS/SSL Encryption | Provides secure communication by encrypting both command and data channels. |
2 | Authentication Support | Supports username/password and certificate-based authentication. |
3 | Explicit & Implicit Modes | Offers two connection modes: Explicit (AUTH TLS) and Implicit (dedicated port). |
4 | Data Integrity | Ensures data is not altered during transmission using cryptographic checks. |
5 | Firewall-Friendly | Explicit FTPS can be configured to work with firewalls and NAT. |
6 | Backward Compatibility | Can fall back to standard FTP if encryption is not required. |
7 | Granular Access Control | Allows fine-grained permissions for users and directories. |
8 | Logging and Auditing | Supports detailed logging for compliance and troubleshooting. |
TLS/SSL Encryption - Testcases

| S.No | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | TLS/SSL Encryption Test 1 | Verify TLS handshake with valid certificate | Secure FTPS connection established |
| 2 | TLS/SSL Encryption Test 2 | Verify TLS handshake with expired certificate | Connection rejected due to certificate expiration |
| 3 | TLS/SSL Encryption Test 3 | Verify TLS handshake with self-signed certificate | Connection rejected or warning shown based on client settings |
| 4 | TLS/SSL Encryption Test 4 | Verify TLS handshake with revoked certificate | Connection rejected due to certificate revocation |
| 5 | TLS/SSL Encryption Test 5 | Verify TLS 1.2 support | FTPS connection established using TLS 1.2 |
| 6 | TLS/SSL Encryption Test 6 | Verify TLS 1.3 support | FTPS connection established using TLS 1.3 |
| 7 | TLS/SSL Encryption Test 7 | Verify SSLv3 rejection | Connection rejected due to insecure protocol |
| 8 | TLS/SSL Encryption Test 8 | Verify cipher suite negotiation | Strong cipher suite selected and used |
| 9 | TLS/SSL Encryption Test 9 | Verify weak cipher suite rejection | Connection rejected due to weak cipher |
| 10 | TLS/SSL Encryption Test 10 | Verify encrypted data transfer | Data is encrypted during transfer |
| 11 | TLS/SSL Encryption Test 11 | Verify encrypted command channel | Commands are encrypted and not visible in plaintext |
| 12 | TLS/SSL Encryption Test 12 | Verify encrypted data channel | Data channel is encrypted |
| 13 | TLS/SSL Encryption Test 13 | Verify client certificate authentication | Client authenticated using certificate |
| 14 | TLS/SSL Encryption Test 14 | Verify server certificate validation | Server certificate validated successfully |
| 15 | TLS/SSL Encryption Test 15 | Verify certificate chain validation | Full certificate chain validated |
| 16 | TLS/SSL Encryption Test 16 | Verify hostname matches certificate | Hostname matches certificate CN/SAN |
| 17 | TLS/SSL Encryption Test 17 | Verify session reuse | TLS session reused for performance |
| 18 | TLS/SSL Encryption Test 18 | Verify session timeout | TLS session expires after timeout |
| 19 | TLS/SSL Encryption Test 19 | Verify renegotiation support | TLS renegotiation handled securely |
| 20 | TLS/SSL Encryption Test 20 | Verify connection with large file transfer | Large file transferred securely |
| 21 | TLS/SSL Encryption Test 21 | Verify connection under high latency | FTPS connection remains stable |
| 22 | TLS/SSL Encryption Test 22 | Verify connection under packet loss | FTPS connection retries or fails gracefully |
| 23 | TLS/SSL Encryption Test 23 | Verify connection with firewall | FTPS connection established through firewall |
| 24 | TLS/SSL Encryption Test 24 | Verify connection with NAT | FTPS connection established through NAT |
| 25 | TLS/SSL Encryption Test 25 | Verify explicit FTPS mode | AUTH TLS command initiates secure session |
| 26 | TLS/SSL Encryption Test 26 | Verify implicit FTPS mode | Connection starts on port 990 with encryption |
| 27 | TLS/SSL Encryption Test 27 | Verify fallback to plain FTP disabled | Plain FTP connection rejected |
| 28 | TLS/SSL Encryption Test 28 | Verify logging of encrypted session | Session logged without exposing sensitive data |
| 29 | TLS/SSL Encryption Test 29 | Verify encryption of file metadata | File names and paths encrypted |
| 30 | TLS/SSL Encryption Test 30 | Verify encryption of file contents | File contents encrypted during transfer |
| 31 | TLS/SSL Encryption Test 31 | Verify encryption with multiple clients | Multiple clients connect securely |
| 32 | TLS/SSL Encryption Test 32 | Verify encryption with concurrent transfers | Concurrent transfers maintain encryption |
| 33 | TLS/SSL Encryption Test 33 | Verify encryption with interrupted session | Session resumes or fails securely |
| 34 | TLS/SSL Encryption Test 34 | Verify encryption with resumed session | Resumed session maintains encryption |
| 35 | TLS/SSL Encryption Test 35 | Verify encryption with passive mode | Passive mode connection encrypted |
| 36 | TLS/SSL Encryption Test 36 | Verify encryption with active mode | Active mode connection encrypted |
| 37 | TLS/SSL Encryption Test 37 | Verify encryption with IPv6 | FTPS over IPv6 works securely |
| 38 | TLS/SSL Encryption Test 38 | Verify encryption with IPv4 | FTPS over IPv4 works securely |
| 39 | TLS/SSL Encryption Test 39 | Verify encryption with proxy | FTPS connection through proxy is secure |
| 40 | TLS/SSL Encryption Test 40 | Verify encryption with antivirus scanning | File scanned without breaking encryption |
| 41 | TLS/SSL Encryption Test 41 | Verify encryption with intrusion detection system | IDS detects no plaintext data |
| 42 | TLS/SSL Encryption Test 42 | Verify encryption with load balancer | Load balancer handles encrypted sessions |
| 43 | TLS/SSL Encryption Test 43 | Verify encryption with certificate rotation | New certificate accepted and validated |
| 44 | TLS/SSL Encryption Test 44 | Verify encryption with expired session | Expired session rejected |
| 45 | TLS/SSL Encryption Test 45 | Verify encryption with revoked session | Revoked session rejected |
| 46 | TLS/SSL Encryption Test 46 | Verify encryption with invalid certificate format | Connection rejected due to invalid certificate |
| 47 | TLS/SSL Encryption Test 47 | Verify encryption with missing certificate | Connection rejected due to missing certificate |
| 48 | TLS/SSL Encryption Test 48 | Verify encryption with certificate signed by unknown CA | Connection rejected or warning shown |
| 49 | TLS/SSL Encryption Test 49 | Verify encryption with certificate signed by trusted CA | Connection accepted and encrypted |
| 50 | TLS/SSL Encryption Test 50 | Verify encryption with TLS downgrade attack attempt | Downgrade attempt detected and blocked |

Authentication Support - Testcases

| S.No | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Auth Test 1 | Verify login with valid username and password | Authentication successful |
| 2 | Auth Test 2 | Verify login with invalid username | Authentication failed |
| 3 | Auth Test 3 | Verify login with invalid password | Authentication failed |
| 4 | Auth Test 4 | Verify login with empty username | Authentication failed |
| 5 | Auth Test 5 | Verify login with empty password | Authentication failed |
| 6 | Auth Test 6 | Verify login with special characters in username | Authentication successful or failed based on server config |
| 7 | Auth Test 7 | Verify login with special characters in password | Authentication successful |
| 8 | Auth Test 8 | Verify login with long username | Authentication successful |
| 9 | Auth Test 9 | Verify login with long password | Authentication successful |
| 10 | Auth Test 10 | Verify login with expired credentials | Authentication failed |
| 11 | Auth Test 11 | Verify login with locked account | Authentication failed |
| 12 | Auth Test 12 | Verify login with disabled account | Authentication failed |
| 13 | Auth Test 13 | Verify login with anonymous account | Authentication failed |
| 14 | Auth Test 14 | Verify login with valid client certificate | Authentication successful |
| 15 | Auth Test 15 | Verify login with invalid client certificate | Authentication failed |
| 16 | Auth Test 16 | Verify login with expired client certificate | Authentication failed |
| 17 | Auth Test 17 | Verify login with revoked client certificate | Authentication failed |
| 18 | Auth Test 18 | Verify login with self-signed certificate | Authentication failed or warning shown |
| 19 | Auth Test 19 | Verify login with certificate signed by trusted CA | Authentication successful |
| 20 | Auth Test 20 | Verify login with certificate signed by unknown CA | Authentication failed |
| 21 | Auth Test 21 | Verify login with mismatched certificate CN | Authentication failed |
| 22 | Auth Test 22 | Verify login with certificate missing SAN | Authentication failed |
| 23 | Auth Test 23 | Verify login with certificate chain validation | Authentication successful |
| 24 | Auth Test 24 | Verify login with certificate containing unsupported key | Authentication failed |
| 25 | Auth Test 25 | Verify login with certificate using RSA key | Authentication successful |
| 26 | Auth Test 26 | Verify login with certificate using ECC key | Authentication successful |
| 27 | Auth Test 27 | Verify login with certificate using DSA key | Authentication failed |
| 28 | Auth Test 28 | Verify login with certificate using SHA-1 signature | Authentication failed |
| 29 | Auth Test 29 | Verify login with certificate using SHA-256 signature | Authentication successful |
| 30 | Auth Test 30 | Verify login with certificate using SHA-512 signature | Authentication successful |
| 31 | Auth Test 31 | Verify login with certificate using TLS 1.2 | Authentication successful |
| 32 | Auth Test 32 | Verify login with certificate using TLS 1.3 | Authentication successful |
| 33 | Auth Test 33 | Verify login with certificate using SSLv3 | Authentication failed |
| 34 | Auth Test 34 | Verify login with certificate using expired TLS session | Authentication failed |
| 35 | Auth Test 35 | Verify login with certificate using resumed TLS session | Authentication successful |
| 36 | Auth Test 36 | Verify login with certificate using renegotiated TLS session | Authentication successful |
| 37 | Auth Test 37 | Verify login with certificate using mutual TLS | Authentication successful |
| 38 | Auth Test 38 | Verify login with certificate using one-way TLS | Authentication successful |
| 39 | Auth Test 39 | Verify login with certificate using revoked CA | Authentication failed |
| 40 | Auth Test 40 | Verify login with certificate using intermediate CA | Authentication successful |
| 41 | Auth Test 41 | Verify login with certificate using root CA only | Authentication successful |
| 42 | Auth Test 42 | Verify login with certificate using incorrect key usage extension | Authentication failed |
| 43 | Auth Test 43 | Verify login with certificate using correct key usage extension | Authentication successful |
| 44 | Auth Test 44 | Verify login with certificate using OCSP validation | Authentication successful |
| 45 | Auth Test 45 | Verify login with certificate using CRL validation | Authentication successful |
| 46 | Auth Test 46 | Verify login with certificate using invalid CRL | Authentication failed |
| 47 | Auth Test 47 | Verify login with certificate using invalid OCSP | Authentication failed |
| 48 | Auth Test 48 | Verify login with certificate using valid SAN | Authentication successful |
| 49 | Auth Test 49 | Verify login with certificate using invalid SAN | Authentication failed |
| 50 | Auth Test 50 | Verify login with certificate using correct CN and SAN | Authentication successful |

Explicit and Implicit Modes - Testcases

| S.No | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Mode Test 1 | Verify connection using Explicit FTPS on port 21 | Connection established after AUTH TLS |
| 2 | Mode Test 2 | Verify connection using Implicit FTPS on port 990 | Connection established with immediate encryption |
| 3 | Mode Test 3 | Verify Explicit FTPS with AUTH TLS command | AUTH TLS accepted and session encrypted |
| 4 | Mode Test 4 | Verify Implicit FTPS without AUTH command | Connection encrypted from start |
| 5 | Mode Test 5 | Verify Explicit FTPS with invalid AUTH command | Connection rejected |
| 6 | Mode Test 6 | Verify Implicit FTPS with invalid port | Connection failed |
| 7 | Mode Test 7 | Verify Explicit FTPS with firewall | Connection established through firewall |
| 8 | Mode Test 8 | Verify Implicit FTPS with firewall | Connection established through firewall |
| 9 | Mode Test 9 | Verify Explicit FTPS with NAT | Connection established through NAT |
| 10 | Mode Test 10 | Verify Implicit FTPS with NAT | Connection established through NAT |
| 11 | Mode Test 11 | Verify Explicit FTPS with passive mode | Passive mode works with encryption |
| 12 | Mode Test 12 | Verify Implicit FTPS with passive mode | Passive mode works with encryption |
| 13 | Mode Test 13 | Verify Explicit FTPS with active mode | Active mode works with encryption |
| 14 | Mode Test 14 | Verify Implicit FTPS with active mode | Active mode works with encryption |
| 15 | Mode Test 15 | Verify Explicit FTPS with invalid certificate | Connection rejected |
| 16 | Mode Test 16 | Verify Implicit FTPS with invalid certificate | Connection rejected |
| 17 | Mode Test 17 | Verify Explicit FTPS with valid certificate | Connection established securely |
| 18 | Mode Test 18 | Verify Implicit FTPS with valid certificate | Connection established securely |
| 19 | Mode Test 19 | Verify Explicit FTPS with expired certificate | Connection rejected |
| 20 | Mode Test 20 | Verify Implicit FTPS with expired certificate | Connection rejected |
| 21 | Mode Test 21 | Verify Explicit FTPS with revoked certificate | Connection rejected |
| 22 | Mode Test 22 | Verify Implicit FTPS with revoked certificate | Connection rejected |
| 23 | Mode Test 23 | Verify Explicit FTPS with TLS 1.2 | Connection established using TLS 1.2 |
| 24 | Mode Test 24 | Verify Implicit FTPS with TLS 1.2 | Connection established using TLS 1.2 |
| 25 | Mode Test 25 | Verify Explicit FTPS with TLS 1.3 | Connection established using TLS 1.3 |
| 26 | Mode Test 26 | Verify Implicit FTPS with TLS 1.3 | Connection established using TLS 1.3 |
| 27 | Mode Test 27 | Verify Explicit FTPS with SSLv3 | Connection rejected |
| 28 | Mode Test 28 | Verify Implicit FTPS with SSLv3 | Connection rejected |
| 29 | Mode Test 29 | Verify Explicit FTPS with large file transfer | File transferred securely |
| 30 | Mode Test 30 | Verify Implicit FTPS with large file transfer | File transferred securely |
| 31 | Mode Test 31 | Verify Explicit FTPS with multiple clients | All clients connect securely |
| 32 | Mode Test 32 | Verify Implicit FTPS with multiple clients | All clients connect securely |
| 33 | Mode Test 33 | Verify Explicit FTPS with concurrent transfers | Transfers handled securely |
| 34 | Mode Test 34 | Verify Implicit FTPS with concurrent transfers | Transfers handled securely |
| 35 | Mode Test 35 | Verify Explicit FTPS with interrupted session | Session resumes or fails securely |
| 36 | Mode Test 36 | Verify Implicit FTPS with interrupted session | Session resumes or fails securely |
| 37 | Mode Test 37 | Verify Explicit FTPS with resumed session | Session resumes securely |
| 38 | Mode Test 38 | Verify Implicit FTPS with resumed session | Session resumes securely |
| 39 | Mode Test 39 | Verify Explicit FTPS with invalid AUTH sequence | Connection rejected |
| 40 | Mode Test 40 | Verify Implicit FTPS with invalid handshake | Connection rejected |
| 41 | Mode Test 41 | Verify Explicit FTPS with logging enabled | Session logged without exposing sensitive data |
| 42 | Mode Test 42 | Verify Implicit FTPS with logging enabled | Session logged without exposing sensitive data |
| 43 | Mode Test 43 | Verify Explicit FTPS with antivirus scanning | File scanned without breaking encryption |
| 44 | Mode Test 44 | Verify Implicit FTPS with antivirus scanning | File scanned without breaking encryption |
| 45 | Mode Test 45 | Verify Explicit FTPS with IDS | No plaintext data detected |
| 46 | Mode Test 46 | Verify Implicit FTPS with IDS | No plaintext data detected |
| 47 | Mode Test 47 | Verify Explicit FTPS with proxy | Connection established securely through proxy |
| 48 | Mode Test 48 | Verify Implicit FTPS with proxy | Connection established securely through proxy |
| 49 | Mode Test 49 | Verify Explicit FTPS with load balancer | Load balancer handles encrypted sessions |
| 50 | Mode Test 50 | Verify Implicit FTPS with load balancer | Load balancer handles encrypted sessions |

Data Integrity - Testcases

| S.No | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Integrity Test 1 | Verify file checksum before and after transfer | Checksums match |
| 2 | Integrity Test 2 | Verify file hash (SHA-256) before and after transfer | Hashes match |
| 3 | Integrity Test 3 | Verify file content is not altered during transfer | File content remains unchanged |
| 4 | Integrity Test 4 | Verify file size before and after transfer | File sizes match |
| 5 | Integrity Test 5 | Verify transfer of binary file | Binary file remains intact |
| 6 | Integrity Test 6 | Verify transfer of text file | Text file content remains unchanged |
| 7 | Integrity Test 7 | Verify transfer of large file | File integrity maintained |
| 8 | Integrity Test 8 | Verify transfer of compressed file | File decompresses successfully |
| 9 | Integrity Test 9 | Verify transfer of encrypted file | File decrypts successfully |
| 10 | Integrity Test 10 | Verify transfer of image file | Image opens without corruption |
| 11 | Integrity Test 11 | Verify transfer of video file | Video plays without corruption |
| 12 | Integrity Test 12 | Verify transfer of audio file | Audio plays without corruption |
| 13 | Integrity Test 13 | Verify file integrity with TLS 1.2 | File integrity maintained |
| 14 | Integrity Test 14 | Verify file integrity with TLS 1.3 | File integrity maintained |
| 15 | Integrity Test 15 | Verify file integrity with interrupted session | File resumes or fails securely |
| 16 | Integrity Test 16 | Verify file integrity with resumed session | File resumes with integrity |
| 17 | Integrity Test 17 | Verify file integrity with concurrent transfers | All files maintain integrity |
| 18 | Integrity Test 18 | Verify file integrity with multiple clients | All clients receive unaltered files |
| 19 | Integrity Test 19 | Verify file integrity with passive mode | File integrity maintained |
| 20 | Integrity Test 20 | Verify file integrity with active mode | File integrity maintained |
| 21 | Integrity Test 21 | Verify file integrity with firewall | File integrity maintained |
| 22 | Integrity Test 22 | Verify file integrity with NAT | File integrity maintained |
| 23 | Integrity Test 23 | Verify file integrity with proxy | File integrity maintained |
| 24 | Integrity Test 24 | Verify file integrity with antivirus scanning | File scanned without corruption |
| 25 | Integrity Test 25 | Verify file integrity with IDS | No tampering detected |
| 26 | Integrity Test 26 | Verify file integrity with load balancer | File integrity maintained |
| 27 | Integrity Test 27 | Verify file integrity with high latency | File integrity maintained |
| 28 | Integrity Test 28 | Verify file integrity with packet loss | File integrity maintained or transfer fails gracefully |
| 29 | Integrity Test 29 | Verify file integrity with retry mechanism | File integrity maintained after retry |
| 30 | Integrity Test 30 | Verify file integrity with checksum validation tool | Tool confirms file integrity |
| 31 | Integrity Test 31 | Verify file integrity with hash mismatch | Transfer flagged or rejected |
| 32 | Integrity Test 32 | Verify file integrity with corrupted file | Corruption detected |
| 33 | Integrity Test 33 | Verify file integrity with tampered file | Tampering detected |
| 34 | Integrity Test 34 | Verify file integrity with FTP fallback disabled | No fallback to insecure FTP |
| 35 | Integrity Test 35 | Verify file integrity with TLS renegotiation | File integrity maintained |
| 36 | Integrity Test 36 | Verify file integrity with session timeout | File transfer fails or resumes securely |
| 37 | Integrity Test 37 | Verify file integrity with session reuse | File integrity maintained |
| 38 | Integrity Test 38 | Verify file integrity with expired certificate | Transfer rejected |
| 39 | Integrity Test 39 | Verify file integrity with revoked certificate | Transfer rejected |
| 40 | Integrity Test 40 | Verify file integrity with valid certificate | File integrity maintained |
| 41 | Integrity Test 41 | Verify file integrity with invalid certificate | Transfer rejected |
| 42 | Integrity Test 42 | Verify file integrity with TLS downgrade attempt | Downgrade blocked, integrity preserved |
| 43 | Integrity Test 43 | Verify file integrity with TLS session hijack attempt | Session terminated, integrity preserved |
| 44 | Integrity Test 44 | Verify file integrity with man-in-the-middle attack | Attack detected, transfer blocked |
| 45 | Integrity Test 45 | Verify file integrity with checksum logging | Checksums logged and verified |
| 46 | Integrity Test 46 | Verify file integrity with hash logging | Hashes logged and verified |
| 47 | Integrity Test 47 | Verify file integrity with file rename during transfer | File integrity preserved or transfer fails |
| 48 | Integrity Test 48 | Verify file integrity with file deletion during transfer | Transfer fails gracefully |
| 49 | Integrity Test 49 | Verify file integrity with file permission change during transfer | Transfer fails or completes securely |
| 50 | Integrity Test 50 | Verify file integrity with simultaneous upload and download | Both operations maintain file integrity |

Firewall-Friendly - Testcases

| S.No | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Firewall Test 1 | Verify Explicit FTPS connection through firewall | Connection established successfully |
| 2 | Firewall Test 2 | Verify Implicit FTPS connection through firewall | Connection established successfully |
| 3 | Firewall Test 3 | Verify firewall allows port 21 for Explicit FTPS | Port 21 accessible and connection succeeds |
| 4 | Firewall Test 4 | Verify firewall allows port 990 for Implicit FTPS | Port 990 accessible and connection succeeds |
| 5 | Firewall Test 5 | Verify firewall blocks non-FTPS ports | Connection blocked as expected |
| 6 | Firewall Test 6 | Verify firewall allows passive mode data ports | Passive mode data ports open and usable |
| 7 | Firewall Test 7 | Verify firewall blocks passive mode data ports | Data connection fails as expected |
| 8 | Firewall Test 8 | Verify firewall allows active mode | Active mode connection succeeds |
| 9 | Firewall Test 9 | Verify firewall blocks active mode | Active mode connection fails |
| 10 | Firewall Test 10 | Verify firewall with FTPS control channel encrypted | Control channel encrypted and allowed |
| 11 | Firewall Test 11 | Verify firewall with FTPS data channel encrypted | Data channel encrypted and allowed |
| 12 | Firewall Test 12 | Verify firewall with FTPS session timeout | Session times out as configured |
| 13 | Firewall Test 13 | Verify firewall with FTPS session keep-alive | Session remains active |
| 14 | Firewall Test 14 | Verify firewall with FTPS connection retry | Retry succeeds if firewall allows |
| 15 | Firewall Test 15 | Verify firewall with FTPS connection drop | Connection dropped as expected |
| 16 | Firewall Test 16 | Verify firewall with FTPS connection logging | Connection logged correctly |
| 17 | Firewall Test 17 | Verify firewall with FTPS connection inspection | Encrypted traffic passes inspection |
| 18 | Firewall Test 18 | Verify firewall with FTPS and NAT | Connection succeeds through NAT |
| 19 | Firewall Test 19 | Verify firewall with FTPS and proxy | Connection succeeds through proxy |
| 20 | Firewall Test 20 | Verify firewall with FTPS and IDS | No plaintext data detected |
| 21 | Firewall Test 21 | Verify firewall with FTPS and antivirus | File scanned without breaking encryption |
| 22 | Firewall Test 22 | Verify firewall with FTPS and load balancer | Load balancer handles encrypted sessions |
| 23 | Firewall Test 23 | Verify firewall with FTPS and port forwarding | Port forwarding works correctly |
| 24 | Firewall Test 24 | Verify firewall with FTPS and port translation | Port translation handled correctly |
| 25 | Firewall Test 25 | Verify firewall with FTPS and IP whitelisting | Only whitelisted IPs can connect |
| 26 | Firewall Test 26 | Verify firewall with FTPS and IP blacklisting | Blacklisted IPs blocked |
| 27 | Firewall Test 27 | Verify firewall with FTPS and domain filtering | Domain filtering does not block FTPS |
| 28 | Firewall Test 28 | Verify firewall with FTPS and DNS filtering | DNS filtering does not block FTPS |
| 29 | Firewall Test 29 | Verify firewall with FTPS and TLS 1.2 | TLS 1.2 traffic allowed |
| 30 | Firewall Test 30 | Verify firewall with FTPS and TLS 1.3 | TLS 1.3 traffic allowed |
| 31 | Firewall Test 31 | Verify firewall with FTPS and SSLv3 | SSLv3 traffic blocked |
| 32 | Firewall Test 32 | Verify firewall with FTPS and certificate validation | Certificate validated and connection allowed |
| 33 | Firewall Test 33 | Verify firewall with FTPS and expired certificate | Connection blocked due to expired cert |
| 34 | Firewall Test 34 | Verify firewall with FTPS and revoked certificate | Connection blocked due to revoked cert |
| 35 | Firewall Test 35 | Verify firewall with FTPS and self-signed certificate | Connection blocked or warned |
| 36 | Firewall Test 36 | Verify firewall with FTPS and trusted certificate | Connection allowed |
| 37 | Firewall Test 37 | Verify firewall with FTPS and certificate chain | Chain validated and connection allowed |
| 38 | Firewall Test 38 | Verify firewall with FTPS and OCSP | OCSP check passed and connection allowed |
| 39 | Firewall Test 39 | Verify firewall with FTPS and CRL | CRL check passed and connection allowed |
| 40 | Firewall Test 40 | Verify firewall with FTPS and invalid CRL | Connection blocked |
| 41 | Firewall Test 41 | Verify firewall with FTPS and invalid OCSP | Connection blocked |
| 42 | Firewall Test 42 | Verify firewall with FTPS and session reuse | Session reused and allowed |
| 43 | Firewall Test 43 | Verify firewall with FTPS and session timeout | Session expired as expected |
| 44 | Firewall Test 44 | Verify firewall with FTPS and session renegotiation | Renegotiation allowed |
| 45 | Firewall Test 45 | Verify firewall with FTPS and large file transfer | File transferred successfully |
| 46 | Firewall Test 46 | Verify firewall with FTPS and concurrent transfers | All transfers succeed |
| 47 | Firewall Test 47 | Verify firewall with FTPS and multiple clients | All clients connect successfully |
| 48 | Firewall Test 48 | Verify firewall with FTPS and IPv4 | IPv4 traffic allowed |
| 49 | Firewall Test 49 | Verify firewall with FTPS and IPv6 | IPv6 traffic allowed |
| 50 | Firewall Test 50 | Verify firewall with FTPS and port scan detection | Port scan blocked, FTPS unaffected |

Backward Compatibility - Testcases

| S.No | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Legacy FTP Client | Connect using a non-FTPS client | Server allows fallback or denies with clear message |
| 2 | FTPS Client to FTP Server | FTPS client connects to plain FTP server | Connection fails gracefully |
| 3 | AUTH TLS Unsupported | Server does not support AUTH TLS | Client receives 502 or similar |
| 4 | AUTH SSL Fallback | Client tries AUTH SSL if AUTH TLS fails | Server accepts AUTH SSL if supported |
| 5 | PBSZ Optional | Server accepts PBSZ 0 as per RFC | Server responds with 200 OK |
| 6 | PROT C Support | Server accepts PROT C (clear data) | Server responds with 200 OK |
| 7 | PROT P Support | Server accepts PROT P (private data) | Server responds with 200 OK |
| 8 | PROT S Unsupported | Server rejects PROT S if not supported | Server responds with 536 |
| 9 | USER Command | Legacy USER command works | Server responds with 331 |
| 10 | PASS Command | Legacy PASS command works | Server responds with 230 |
| 11 | LIST Command | LIST works over encrypted and unencrypted channels | Directory listing is returned |
| 12 | RETR Command | RETR works with PROT C and PROT P | File is downloaded |
| 13 | STOR Command | STOR works with PROT C and PROT P | File is uploaded |
| 14 | QUIT Command | QUIT terminates session cleanly | Server responds with 221 |
| 15 | PORT Command | Active mode works with legacy clients | Data connection established |
| 16 | PASV Command | Passive mode works with legacy clients | Data connection established |
| 17 | FEAT Command | Server lists supported features | Client parses features |
| 18 | Unsupported FEAT | Client handles unknown features | Client ignores or logs |
| 19 | TLS 1.0 Support | Server supports TLS 1.0 for legacy clients | Connection established |
| 20 | TLS 1.2 Support | Server supports TLS 1.2 | Connection established |
| 21 | TLS 1.3 Support | Server supports TLS 1.3 | Connection established |
| 22 | SSLv3 Rejection | Server rejects SSLv3 | Connection fails securely |
| 23 | Anonymous Login | Server allows anonymous login | Login succeeds |
| 24 | IPv4 Compatibility | Server supports IPv4 | Connection succeeds |
| 25 | IPv6 Compatibility | Server supports IPv6 | Connection succeeds |
| 26 | Resume Download | REST command works for RETR | Download resumes |
| 27 | Resume Upload | REST command works for STOR | Upload resumes |
| 28 | File Permissions | Legacy clients can set permissions | Server accepts SITE CHMOD |
| 29 | Directory Navigation | CWD and CDUP work as expected | Directory changes |
| 30 | File Deletion | DELE command works | File is deleted |
| 31 | Directory Creation | MKD command works | Directory is created |
| 32 | Directory Removal | RMD command works | Directory is removed |
| 33 | File Rename | RNFR and RNTO work | File is renamed |
| 34 | Timezone Handling | Server handles legacy timezone formats | Timestamps are correct |
| 35 | ASCII Mode | TYPE A works for text files | File is transferred in ASCII |
| 36 | Binary Mode | TYPE I works for binary files | File is transferred in binary |
| 37 | Legacy Clients with No TLS | Server denies or downgrades securely | Connection fails or downgrades |
| 38 | Mixed Mode Transfers | Switch between PROT C and PROT P | Server handles correctly |
| 39 | Session Timeout | Legacy timeout settings respected | Session closes after timeout |
| 40 | Command Pipelining | Legacy clients send commands in sequence | Server handles correctly |
| 41 | Unsupported Commands | Server handles unknown commands | Responds with 500 or 502 |
| 42 | File Size Limit | Large file uploads/downloads work | Transfer completes |
| 43 | Filename Encoding | Legacy encoding (e.g., ISO-8859-1) supported | Filenames are readable |
| 44 | UTF-8 Support | Server supports UTF-8 | Filenames are correct |
| 45 | Control Channel Only | Server handles control channel without data | Responds appropriately |
| 46 | Encrypted Control, Clear Data | Server supports mixed mode | Works as expected |
| 47 | Encrypted Control and Data | Server supports full encryption | Works as expected |
| 48 | Logging Compatibility | Legacy log formats are supported | Logs are readable |
| 49 | Client Certificate Optional | Server allows login without client cert | Login succeeds |
| 50 | Client Certificate Required | Server enforces client cert | Login fails without cert |

Granular Access Control - Testcases

| S.No | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Read-Only User | User with read-only access tries to upload | Upload is denied |
| 2 | Write-Only User | User with write-only access tries to download | Download is denied |
| 3 | Admin Access | Admin user accesses all directories | Access is granted |
| 4 | Guest Access | Guest user accesses restricted folder | Access is denied |
| 5 | Group-Based Access | User inherits permissions from group | Access is granted/denied based on group |
| 6 | Directory-Level Access | User has access to one directory only | Other directories are inaccessible |
| 7 | File-Level Access | User can access only specific files | Other files are hidden or denied |
| 8 | Time-Based Access | User allowed access only during work hours | Access denied outside allowed time |
| 9 | IP-Based Access | User allowed from specific IP range | Access denied from other IPs |
| 10 | Command Restriction | User restricted from using DELE | Delete command is denied |
| 11 | Upload Quota | User exceeds upload quota | Upload is denied |
| 12 | Download Quota | User exceeds download quota | Download is denied |
| 13 | File Type Restriction | User restricted from uploading .exe files | Upload is denied |
| 14 | File Size Limit | User tries to upload large file | Upload is denied |
| 15 | Hidden Files | User cannot see hidden files | Hidden files are not listed |
| 16 | Symlink Access | User restricted from following symlinks | Access is denied |
| 17 | Recursive Access | User cannot access subdirectories | Access to subfolders is denied |
| 18 | Read Access to Logs | User allowed to read logs only | Write/delete denied |
| 19 | Write Access to Temp | User allowed to write to /tmp only | Other directories are denied |
| 20 | Delete Restriction | User cannot delete files | DELE command is denied |
| 21 | Rename Restriction | User cannot rename files | RNFR/RNTO denied |
| 22 | Directory Creation | User allowed to create directories | MKD succeeds |
| 23 | Directory Deletion | User restricted from deleting directories | RMD denied |
| 24 | File Overwrite | User cannot overwrite existing files | Upload fails if file exists |
| 25 | File Append | User allowed to append only | APPE succeeds, STOR denied |
| 26 | Session Timeout Policy | User session expires after 10 mins | Session is closed |
| 27 | Concurrent Session Limit | User exceeds allowed sessions | New session is denied |
| 28 | Role-Based Access | Role determines access level | Access matches role |
| 29 | MFA Enforcement | User must use MFA to access sensitive files | Access denied without MFA |
| 30 | Logging Access | Only admins can view logs | Others are denied |
| 31 | Access Denied Logging | All denied attempts are logged | Log entry created |
| 32 | Access Granted Logging | All granted accesses are logged | Log entry created |
| 33 | Temporary Access | User has temporary access to folder | Access expires after time |
| 34 | Expired Account | User account is expired | Login denied |
| 35 | Disabled Account | User account is disabled | Login denied |
| 36 | Password Expiry | User password expired | Login denied |
| 37 | Password Change Required | User must change password on login | Prompted to change |
| 38 | Directory Listing Restriction | User cannot list certain directories | LIST denied |
| 39 | File Visibility Filter | User sees only permitted files | Others are hidden |
| 40 | Access Control Inheritance | Subfolders inherit parent permissions | Access matches parent |
| 41 | Access Control Override | Explicit deny overrides allow | Access denied |
| 42 | Access Control Priority | Specific rules override general ones | Most specific rule applies |
| 43 | Access Control Sync | Changes to access rules take effect immediately | New rules enforced |
| 44 | Access Control Audit Trail | All access changes are logged | Audit log updated |
| 45 | Access Control Backup | Access rules are backed up | Backup file created |
| 46 | Access Control Restore | Access rules restored from backup | Rules restored correctly |
| 47 | Access Control Export | Rules exported to file | Export file created |
| 48 | Access Control Import | Rules imported from file | Rules applied correctly |
| 49 | Access Control Testing | Simulate access for a user | Simulation result shown |
| 50 | Access Control API | Access rules managed via API | API responds correctly |

Logging and Auditing - Testcases
S.No | Test Case | Description | Expected Result |
---|---|---|---|
1 | Successful Login | Log a successful user login | Entry created with timestamp and username |
2 | Failed Login | Log a failed login attempt | Entry includes reason and source IP |
3 | Anonymous Login | Log anonymous access | Entry includes “anonymous” user |
4 | File Upload | Log file upload event | Entry includes filename, size, user |
5 | File Download | Log file download event | Entry includes filename, size, user |
6 | File Deletion | Log file deletion | Entry includes filename and user |
7 | File Rename | Log file rename operation | Entry includes old and new names |
8 | Directory Creation | Log directory creation | Entry includes path and user |
9 | Directory Deletion | Log directory removal | Entry includes path and user |
10 | Permission Denied | Log access denial | Entry includes command and reason |
11 | Session Start | Log session start | Entry includes session ID and user |
12 | Session End | Log session termination | Entry includes duration and reason |
13 | TLS Handshake | Log TLS handshake success/failure | Entry includes protocol version |
14 | Command Execution | Log all FTP commands issued | Entry includes command and user |
15 | Passive Mode | Log PASV command usage | Entry includes IP and port |
16 | Active Mode | Log PORT command usage | Entry includes IP and port |
17 | IP Address Logging | Log client IP address | Entry includes IP and geolocation (if available) |
18 | User Agent Logging | Log client software info | Entry includes FTP client name/version |
19 | File Access Time | Log file access timestamps | Entry includes access time |
20 | File Modification Time | Log file modification events | Entry includes timestamp and user |
21 | File Size Change | Log file size before and after upload | Entry includes delta |
22 | Quota Exceeded | Log when user exceeds quota | Entry includes limit and attempted size |
23 | Concurrent Sessions | Log multiple sessions per user | Entry includes session count |
24 | Session Timeout | Log session timeout events | Entry includes idle time |
25 | Authentication Method | Log method used (password, cert) | Entry includes method type |
26 | MFA Usage | Log multi-factor authentication events | Entry includes method and result |
27 | Certificate Validation | Log client certificate validation | Entry includes cert details |
28 | Encryption Level | Log encryption protocol used | Entry includes TLS version and cipher |
29 | Access Control Violation | Log denied access due to ACL | Entry includes rule and user |
30 | File Integrity Check | Log checksum verification | Entry includes result |
31 | Audit Trail Export | Export audit logs | File is generated and verified |
32 | Audit Trail Import | Import audit logs | Logs are restored correctly |
33 | Log Rotation | Logs rotate after size/time threshold | Old logs archived |
34 | Log Retention Policy | Logs retained per policy | Older logs purged or archived |
35 | Log Tampering Detection | Detect unauthorized log changes | Alert or hash mismatch logged |
36 | Log Encryption | Logs are encrypted at rest | Encrypted files verified |
37 | Log Access Control | Only authorized users can view logs | Unauthorized access denied |
38 | Log Viewing | Admin views logs via interface | Logs displayed correctly |
39 | Log Filtering | Filter logs by user/date/event | Filtered results shown |
40 | Log Search | Search logs for specific keyword | Matching entries returned |
41 | Log Archiving | Archive old logs | Archive file created |
42 | Log Compression | Compress logs for storage | Compressed file verified |
43 | Log Backup | Backup logs to external storage | Backup completed successfully |
44 | Log Restore | Restore logs from backup | Logs restored correctly |
45 | Real-Time Logging | Logs updated in real-time | New events appear instantly |
46 | Log Format Compliance | Logs follow standard format (e.g., JSON, syslog) | Format validated |
47 | Log Timestamp Accuracy | Timestamps are accurate and synced | Matches system time |
48 | Log Integrity Hashing | Logs include hash for integrity | Hash verified |
49 | Log Alerting | Alerts triggered on suspicious activity | Alert sent to admin |
50 | Log Review Audit | Periodic review of logs by auditor | Review report generated |
Reference links