Documentation » Getting Started » Protocols »

Transport Layer Security

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communication security over the Internet. They use X.509 certificates and hence asymmetric cryptography to authenticate the counterparty with whom they are communicating, and to exchange a symmetric key. This session key is then used to encrypt data flowing between the parties.1


TLS/SSL Server Certificates

Much like HTTPS, but unlike SSH, FTPS and WebDAVS servers must provide a public key certificate. This certificate must be signed by a certificate authority.

If it is not, WinSCP will generate a warning stating that the certificate is not valid. Whether or not to trust such certificate is your choice. If you are connecting within a company network, you might feel that all the network users are on the same side and spoofing attacks are unlikely, so you might choose to trust the certificate without checking it. If you are connecting across a hostile network (such as the Internet), you should check with your system administrator, perhaps by telephone or in person.

Learn also how to accept certificate automatically in script.

TLS/SSL Client Certificates

The FTPS and WebDAVS servers may optionally require user to authenticate with a client certificate.

The client certificate typically needs to be signed by a certificate authority trusted by the server.

Supported client certificate file formats are:

  • Personal Information Exchange – PCKS #12 (.pfx or .p12);
  • Base64 encoded PEM X.509 (.pem or .key), either:
    • containing both private key and the certificate;
    • containing a private key only, with certificate in a separate file. The certificate needs to have the same base name as the private key, with .crt or .cer extensions and be in the Base64 encoded PEM X.509 format or binary DER format.

Supported Cryptographic Protocols and Cipher Suites

WinSCP supports TLS 1.0–1.3. The TLS 1.0 and 1.1 are disabled by default, to protect you from their known serious vulnerabilities. Obsolete SSL of any version is not supported.


See list of supported cipher suites.

  1. The text is partially copied from Wikipedia article on Transport Layer Security. The text is licensed under GNU Free Documentation License.Back

Last modified: by martin