What is the difference between implicit TLS and explicit TLS?

Previous  Top  Next

These are two different approaches to TLS securing protocols. 


In implicit TLS, the following is done:


1.A client connects to a different port than for the regular non-TLS version of the protocol.  For example, the non-encrypted POP3 clients use port 110.  For implicit TLS with POP3, you connect to port 995.
2.You immediately negotiate TLS with the server.
3.Except for the TLS encryption, your session is exactly the same as a regular POP3 session.
4.The TLS encryption is used throughout the entire connection.


Often implicit versions of protocols are known as POP3S (or SPOP3), SNEWS, HTTPS, and FTPS (or FTPS).


In explicit TLS, the following is done:


1.You connect to the POP3 server on port 110 exactly as you would with non-encrypted POP3.
2.You issue a command to the server indicating that you wish to being TLS negotiation.  In POP3, you issue a STLS command and get an +OK reply.
3.You then negotiate TLS with the server.
4.The TLS often lasts throughout an entire session.  In explicit TLS FTP, a REIN will reset the TLS encryption and the control channel returns to a non-encrypted state.


Currently, the IETF (Internet Engineering Task Force) favors explicit TLS protocols because most implicit TLS protocols require a separate port and the reserved port numbers (1-1024) have already been allocated for various protocols.  There are some implicit TLS protocols in use today such as SNEWS and there are still software implementations based on implicit TLS protocols that are still in use today even though explicit TLS protocol versions are available.


See also:


How do I use FTP with SSL?