FTP reply code 234 is returned in response to an AUTH TLS (or AUTH SSL) command, confirming the server is ready to negotiate a TLS-encrypted connection. After receiving 234, the client initiates a TLS handshake on the existing control connection. Once the handshake completes, all subsequent commands and responses are encrypted. This is explicit FTPS: the connection starts as plaintext on port 21 and upgrades to TLS, as opposed to implicit FTPS on port 990, where TLS is negotiated before any FTP communication. After the TLS handshake, the client should send PBSZ 0 and PROT P to also encrypt the data connection.
The client sent AUTH TLS to upgrade the plaintext FTP connection to encrypted. The server supports FTPS and is ready for the TLS handshake. After this, the control connection is encrypted.
Some servers are configured to require TLS before accepting USER and PASS commands. The client must send AUTH TLS and complete the handshake before logging in.
After receiving 234, your FTP client should automatically perform the TLS handshake. If it fails, check that the server's TLS certificate is valid and trusted.
openssl s_client -connect ftp.example.com:21 -starttls ftp
After the control connection is encrypted, send PBSZ 0 (Protection Buffer Size) and PROT P (Protection Level Private) to also encrypt the data connection. Without PROT P, file transfers will still be in plaintext.
If the TLS handshake fails with a certificate error, the server's certificate may be self-signed or expired. Use openssl to inspect the certificate chain.
openssl s_client -connect ftp.example.com:21 -starttls ftp -showcerts
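The ordering described above (AUTH TLS answered by 234 before USER and PASS, then PROT P before any transfer) can be checked against a client-side command log. The Python below is an added example, not part of the original page; the `C:`/`S:` log format, the name `audit_ftps_session` and both sample sessions are constructed for illustration.

```python
import re

# Commands that open a data connection (file transfers and listings).
DATA_CMDS = {"RETR", "STOR", "STOU", "APPE", "LIST", "NLST", "MLSD"}

def audit_ftps_session(lines):
    """Return (line_no, message) findings for a 'C: cmd' / 'S: reply' log
    (assumed format) where explicit-FTPS ordering is violated."""
    findings = []
    tls_on = False         # control channel upgraded (AUTH answered by 234)
    prot_private = False   # data channel protection level is P
    pending = None         # last client command still awaiting its reply
    for n, line in enumerate(lines, 1):
        side, _, rest = line.partition(": ")
        if side == "C" and rest.split():
            parts = rest.split()
            verb, arg = parts[0].upper(), " ".join(parts[1:]).upper()
            pending = (verb, arg)
            if verb in ("USER", "PASS") and not tls_on:
                findings.append((n, f"{verb} sent before TLS was negotiated"))
            elif verb in DATA_CMDS and not prot_private:
                findings.append((n, f"{verb} without PROT P: data in plaintext"))
        elif side == "S" and pending:
            m = re.match(r"(\d{3})(?: |$)", rest)
            if not m:      # '234-...' continuation line of a multi-line reply
                continue
            code, (verb, arg) = m.group(1), pending
            pending = None
            if verb == "AUTH" and arg in ("TLS", "SSL"):
                if code == "234":
                    tls_on = True
                else:
                    findings.append((n, f"AUTH {arg} refused with {code}"))
            elif verb == "PROT" and code.startswith("2"):
                prot_private = (arg == "P")
    return findings

# Constructed sample sessions (not captured from a real server).
GOOD = ["S: 220 FTP server ready", "C: AUTH TLS", "S: 234 Proceed with negotiation",
        "C: USER alice", "S: 331 Password required", "C: PASS ****", "S: 230 Logged in",
        "C: PBSZ 0", "S: 200 PBSZ=0", "C: PROT P", "S: 200 Protection set to Private",
        "C: RETR report.csv", "S: 150 Opening data connection"]
WEAK = ["S: 220 FTP server ready", "C: USER alice", "S: 331 Password required",
        "C: PASS ****", "S: 230 Logged in", "C: AUTH TLS",
        "S: 234 Proceed with negotiation", "C: STOR backup.tar",
        "S: 150 Opening data connection"]

if __name__ == "__main__":
    for line_no, message in audit_ftps_session(WEAK):
        print(f"line {line_no}: {message}")
```

Because everything after the 234 reply is encrypted on the wire, this check applies to a client's own debug log rather than to a packet capture.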
The FTP server is ready and accepting connections. This is the greeting banner sent upon connection.
The user is not logged in. Authentication is required before this command can be executed.
The FTP command was understood and executed successfully.