Port 443 is the standard port for HTTPS — HTTP encrypted with TLS. When you type https://example.com in a browser, it connects to port 443 by default. But TLS isn’t limited to port 443. Any TCP port can carry TLS-encrypted traffic. Different services use different ports for their TLS-encrypted variants.
Common TLS Ports
| Port | Protocol | Plaintext Equivalent | Service |
|---|---|---|---|
| 443 | HTTPS | 80 (HTTP) | Web traffic, APIs, webhooks |
| 8443 | HTTPS (alternate) | 8080 | Admin panels, application servers |
| 636 | LDAPS | 389 (LDAP) | Active Directory secure queries |
| 993 | IMAPS | 143 (IMAP) | Email retrieval (encrypted) |
| 995 | POP3S | 110 (POP3) | Email retrieval (legacy) |
| 465 | SMTPS (implicit) | 25 (SMTP) | Email submission (encrypted) |
| 587 | SMTP + STARTTLS | 25 (SMTP) | Email submission (upgrade to TLS) |
| 5671 | AMQPS | 5672 (AMQP) | RabbitMQ encrypted |
| 6443 | Kubernetes API | — | K8s API server (always TLS) |
| 2376 | Docker TLS | 2375 (Docker) | Docker daemon encrypted |
| 9093 | Prometheus HTTPS | 9090 | Prometheus with TLS |
How TLS on Port 443 Works
1. Client initiates TCP connection to server:443
2. TCP handshake completes (SYN → SYN-ACK → ACK)
3. TLS handshake begins immediately (ClientHello)
4. Server presents certificate, key exchange occurs
5. Encrypted HTTP traffic flows
This is "implicit TLS" — TLS starts immediately on connection.
No plaintext is ever sent on port 443.
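The practical consequence of step 3 is that the very first bytes a server (or a network sensor) sees on an implicit-TLS port are a TLS handshake record carrying a ClientHello, which is what makes a TLS service recognisable on any port, not just 443. The following is an added example, not code from the original page: it builds a minimal ClientHello with an optional SNI extension and parses one back, following the record and handshake framing of RFC 5246 and the server_name extension of RFC 6066. The hostnames and cipher-suite list are constructed for the example.

```python
"""Added example (not part of the original page): build and parse a minimal TLS
ClientHello, the first thing sent on an implicit-TLS port such as 443 or 8443.
Layouts follow RFC 5246 (record + handshake headers) and RFC 6066 (SNI).
Hostnames and the cipher-suite list below are constructed for illustration."""
import os
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16      # record-layer content type for handshake messages
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # server_name (SNI) extension type


def build_client_hello(sni: Optional[str], cipher_suites=(0x1301, 0x1302, 0xC02F)) -> bytes:
    """Return one TLS record containing a ClientHello, with an SNI extension if sni is given."""
    body = b"\x03\x03" + os.urandom(32)                  # client_version (TLS 1.2) + 32-byte random
    body += b"\x00"                                      # empty session_id
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites      # cipher_suites vector
    body += b"\x01\x00"                                  # one compression method: null
    exts = b""
    if sni is not None:
        host = sni.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host    # name_type host_name(0) + name
        name_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
    body += struct.pack("!H", len(exts)) + exts
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record header: type 0x16, legacy version 3.1 (common on the wire), length
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def is_tls_record(data: bytes) -> bool:
    """True if the bytes start with a TLS handshake record header (type 0x16, version 3.x)."""
    return len(data) >= 5 and data[0] == TLS_HANDSHAKE and data[1] == 0x03 and data[2] <= 0x04


def classify_first_bytes(data: bytes) -> str:
    """Label the first bytes seen on a socket: 'tls' for a handshake record, else 'plaintext'."""
    return "tls" if is_tls_record(data) else "plaintext"


def parse_client_hello(data: bytes) -> dict:
    """Parse a ClientHello record into {'version', 'cipher_suites', 'sni'}.
    Raises ValueError for anything that is not a TLS ClientHello (e.g. an HTTP request)."""
    if not is_tls_record(data):
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if not hs or hs[0] != CLIENT_HELLO:
        raise ValueError("handshake message is not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    pos += 32                                            # skip client random
    sid_len = body[pos]; pos += 1 + sid_len              # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]; pos += 1 + comp_len            # skip compression methods
    sni = None
    if pos + 2 <= len(body):                             # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            if etype == EXT_SERVER_NAME and len(edata) >= 5 and edata[2] == 0:
                name_len = struct.unpack("!H", edata[3:5])[0]
                sni = edata[5:5 + name_len].decode("idna")
    return {"version": version, "cipher_suites": suites, "sni": sni}


if __name__ == "__main__":
    hello = build_client_hello("admin.example.com")
    print(classify_first_bytes(hello), parse_client_hello(hello))
    print(classify_first_bytes(b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"))
```

The `is_tls_record` check is the same five-byte test a protocol demultiplexer uses to tell a TLS client from a plaintext one on a shared port; the SNI field it extracts is also the value network monitoring keys on, which matters later on this page when port 443 traffic without a server name is discussed.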
Implicit TLS vs STARTTLS
Implicit TLS (ports 443, 636, 993):
- Connection is TLS from the first byte
- Dedicated port for encrypted traffic
- Simpler — no upgrade negotiation
STARTTLS (ports 587, 389):
- Connection starts as plaintext
- Client sends STARTTLS command to upgrade to TLS
- Same port handles both plaintext and encrypted
- Vulnerable to downgrade attacks (attacker strips STARTTLS command)
Best practice: Use implicit TLS (dedicated TLS ports) wherever possible. STARTTLS is a legacy compatibility mechanism.
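To make the two models concrete on the client side, here is an added example (not from the original page) using only Python's standard library: `open_implicit_tls` is TLS from the first byte, as on port 465, while `open_starttls` connects in plaintext on port 587 and upgrades, refusing to continue if the server's EHLO reply does not advertise STARTTLS, which is exactly what a stripped STARTTLS command looks like from the client's side. The helper `ehlo_advertises_starttls` is written here for the example (it is not an smtplib API), and `mail.example.com` is a placeholder host.

```python
"""Added example (not part of the original page): implicit TLS versus a
fail-closed STARTTLS upgrade for SMTP submission, using the standard library.
The EHLO reply text used in the test is constructed; mail.example.com is a placeholder."""
import smtplib
import ssl


def tls_context() -> ssl.SSLContext:
    """Default context: verifies the chain and the hostname, and refuses TLS < 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def ehlo_advertises_starttls(ehlo_reply: str) -> bool:
    """Return True if an EHLO reply lists the STARTTLS keyword.
    Accepts raw wire lines ('250-STARTTLS' / '250 STARTTLS') as well as the
    prefix-stripped text that smtplib returns from ehlo()."""
    for line in ehlo_reply.splitlines():
        line = line.strip()
        if line[:4] in ("250-", "250 "):
            line = line[4:]
        if line.split(" ")[0].upper() == "STARTTLS":
            return True
    return False


def open_implicit_tls(host: str, port: int = 465) -> smtplib.SMTP_SSL:
    """Port 465 model: the socket is wrapped in TLS before any SMTP bytes are exchanged."""
    return smtplib.SMTP_SSL(host, port, context=tls_context(), timeout=10)


def open_starttls(host: str, port: int = 587) -> smtplib.SMTP:
    """Port 587 model: plaintext connect, then upgrade. Fails closed if STARTTLS
    is not offered, instead of silently continuing in plaintext."""
    conn = smtplib.SMTP(host, port, timeout=10)
    code, reply = conn.ehlo()
    if code != 250 or not ehlo_advertises_starttls(reply.decode("ascii", "replace")):
        conn.close()
        raise RuntimeError(f"{host}:{port} did not advertise STARTTLS; refusing to send in plaintext")
    conn.starttls(context=tls_context())   # certificate and hostname are verified here
    conn.ehlo()                            # RFC 3207: re-issue EHLO, earlier capabilities are discarded
    return conn


if __name__ == "__main__":
    # Example use (requires network access; placeholder host):
    # with open_starttls("mail.example.com") as smtp:
    #     smtp.noop()
    print(ehlo_advertises_starttls("250-mail.example.com\r\n250-STARTTLS\r\n250 SIZE 10240000\r\n"))
```

The difference that matters for the downgrade attack in the list above is the `raise` in `open_starttls`: an opportunistic client would carry on without TLS when the keyword is missing, which is what an on-path attacker who strips it counts on.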
Configuring TLS on Different Ports
Nginx (Port 443 — Standard)
```nginx
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /etc/ssl/certs/example.com.pem;
    ssl_certificate_key /etc/ssl/private/example.com.key;
}
```
Nginx (Port 8443 — Admin Panel)
```nginx
server {
    listen 8443 ssl;
    server_name admin.example.com;
    ssl_certificate /etc/ssl/certs/admin.pem;
    ssl_certificate_key /etc/ssl/private/admin.key;
    # Restrict access
    allow 10.0.0.0/8;
    deny all;
}
```
PostgreSQL (Port 5432 with TLS)
```conf
# postgresql.conf
ssl = on
ssl_cert_file = '/etc/ssl/certs/db.pem'
ssl_key_file = '/etc/ssl/private/db.key'
# Client connects: psql "host=db.example.com sslmode=verify-full"
```
Kubernetes API Server (Port 6443)
```bash
# Always TLS — no plaintext option
kubectl cluster-info
# Kubernetes control plane is running at https://10.0.0.1:6443
# Certificate: /etc/kubernetes/pki/apiserver.crt
```
Scanning for TLS on Non-Standard Ports
```bash
# Scan common TLS ports
nmap --script ssl-cert -p 443,8443,636,993,995,5671,6443,9443 target.com
# Check specific port for TLS
openssl s_client -connect target.com:8443
# Scan a range for any TLS service
nmap --script ssl-enum-ciphers -p 1-10000 target.com
```
Port 443 and Firewalls
Port 443 is almost universally allowed through firewalls (because blocking HTTPS breaks the internet). This makes it useful for:
- VPN tunneling — some VPNs tunnel through port 443 to bypass restrictive firewalls
- WebSocket connections — WSS (WebSocket Secure) uses port 443
- gRPC — typically runs over HTTPS on port 443
- QUIC/HTTP3 — uses UDP port 443
Security implication: Because port 443 is always open, it’s the most common port for encrypted C2 (command and control) traffic from malware. Firewall rules alone can’t protect against threats on port 443 — you need TLS inspection or endpoint detection.
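Because the firewall decision ("443 is allowed") carries no information about what crosses the port, detection has to look at the TLS metadata a sensor can still see without decrypting: whether a server name (SNI) was sent, whether the certificate validated, and how regular the connection timing is. The following is an added example, not from the original page: a small detection pass over connection records. The log lines are constructed for the example and loosely follow the columns of Zeek's ssl.log (timestamp, originator, responder, responder port, server_name, validation_status); the thresholds are illustrative and the IP addresses are from documentation ranges.

```python
"""Added example (not part of the original page): flag port-443 flows that
look unlike ordinary browsing from TLS metadata alone. SAMPLE_LOG is constructed
for this example; columns loosely mirror Zeek ssl.log. Thresholds are illustrative."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: ts \t orig_ip \t resp_ip \t resp_port \t server_name \t validation_status
SAMPLE_LOG = """\
1700000000.0\t10.1.2.3\t192.0.2.10\t443\texample.com\tok
1700000060.0\t10.1.2.3\t192.0.2.10\t443\texample.com\tok
1700000001.0\t10.1.2.9\t198.51.100.7\t443\t-\tself signed certificate
1700000301.0\t10.1.2.9\t198.51.100.7\t443\t-\tself signed certificate
1700000601.0\t10.1.2.9\t198.51.100.7\t443\t-\tself signed certificate
1700000901.0\t10.1.2.9\t198.51.100.7\t443\t-\tself signed certificate
1700001201.0\t10.1.2.9\t198.51.100.7\t443\t-\tself signed certificate
1700000005.0\t10.1.2.4\t203.0.113.10\t8443\tadmin.example.com\tok
"""


def parse_ssl_log(text: str) -> list:
    """Parse tab-separated records into dicts; '-' in server_name means no SNI was sent."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig, resp, port, sni, status = line.split("\t")
        records.append({"ts": float(ts), "orig": orig, "resp": resp,
                        "port": int(port), "sni": sni, "status": status})
    return records


def beacon_score(timestamps: list):
    """Return (count, mean_gap, cv) for sorted timestamps. cv is the coefficient of
    variation of the inter-connection gaps: near 0 for timer-driven traffic,
    large for human browsing. cv is None when it cannot be computed."""
    if len(timestamps) < 2:
        return len(timestamps), 0.0, None
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    avg = mean(gaps)
    cv = pstdev(gaps) / avg if avg > 0 else None
    return len(timestamps), avg, cv


def find_suspicious(records: list, min_conns: int = 4, max_cv: float = 0.1) -> dict:
    """Group records per (orig, resp, port) flow and return {flow: [reasons]} for flows
    that send no SNI, fail certificate validation, or connect on a regular timer."""
    by_flow = defaultdict(list)
    for r in records:
        by_flow[(r["orig"], r["resp"], r["port"])].append(r)
    findings = {}
    for flow, rs in by_flow.items():
        reasons = []
        if all(r["sni"] == "-" for r in rs):
            reasons.append("no SNI on every connection")
        for status in sorted({r["status"] for r in rs if r["status"] != "ok"}):
            reasons.append(f"certificate validation failed: {status}")
        n, gap, cv = beacon_score(sorted(r["ts"] for r in rs))
        if n >= min_conns and cv is not None and cv <= max_cv:
            reasons.append(f"beacon-like: {n} connections every ~{gap:.0f}s (cv={cv:.2f})")
        if reasons:
            findings[flow] = reasons
    return findings


if __name__ == "__main__":
    for flow, reasons in find_suspicious(parse_ssl_log(SAMPLE_LOG)).items():
        print(flow, "->", "; ".join(reasons))
```

Each signal on its own is noisy (some legitimate clients omit SNI, internal services use private CAs), so the function reports reasons per flow rather than a verdict; in practice these are scored together with endpoint telemetry, which is the point the paragraph above makes about firewall rules not being enough.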
FAQ
Q: Can I run TLS on any port?
A: Yes. TLS is a protocol layer — it works on any TCP port. Port 443 is just the convention for HTTPS. You can run TLS on port 12345 if you want (clients just need to specify the port explicitly).
Q: Do I need a different certificate for each port?
A: No. The same certificate works on any port. The certificate validates the domain name, not the port number. You can use one certificate on ports 443, 8443, and 9443 simultaneously.
Q: What’s the difference between port 443 and port 80?
A: Port 80 = HTTP (plaintext, unencrypted). Port 443 = HTTPS (TLS-encrypted). Best practice: redirect all port 80 traffic to port 443 (return 301 https://$host$request_uri;).
Q: Why does Kubernetes use port 6443 instead of 443?
A: Convention — port 443 is typically used by web servers on the same machine. The K8s API server uses 6443 to avoid conflicts. It’s still TLS — just a different port number.
Q: Should I block port 80 entirely?
A: Keep port 80 open but only for redirecting to HTTPS. Some ACME challenges (HTTP-01) require port 80 to be reachable. Also, users who type http://example.com need the redirect to reach HTTPS.