Cyberduck Mountain Duck CLI

Version 50 (modified by dkocher, on Sep 23, 2014 at 1:40:08 PM) (diff)


Cyberduck Help / Howto / FTP & FTP-TLS

FTP Connect Mode

Choose between an Active (PORT) or Passive (PASV) connect mode per bookmark or when opening a new connection. The default setting can be set in the System Preferences in NetworkAdvanced...ProxiesUse Passive FTP Mode (PASV).

Character Encoding

The character encoding used to parse directory listings can be set as a per bookmark setting. If special characters such as Umlaute aren't displayed correctly in the browser, try to change the character encoding used. To change the character encoding for the current browser, use View → Text Encoding. The setting is also available per bookmark. Try UTF-8 (the default), ISO-8859-1 and Windows-1252.

TLS Connections (FTPS)

FTP with explicit TLS is supported. Implicit FTPS with no negotiation is deprecated and not supported. FTPS should not be confused with the SSH File Transfer Protocol (SFTP).

Mutual TLS

Mutual (two-way) TLS with a client certificate for authentication is supported. When a server requests a client certificate for authentication, a prompt is displayed to choose a certificate with a private key that matches the given issuer name requested from the server. Matching certificates are searched for in the Keychain on OS X or the Windows Certificate Manager respectively.

Switch to secure connection

If you attempt to connect to a server using FTP without TLS transport security but the server advertises support for TLS (as a response to FEAT), a prompt is displayed to secure the connection.

You can always switch back to FTP without TLS transport security by changing the protocol selection in the bookmark to FTP (File Transfer Protocol).

Trust Certificate

If the certificate is not trusted by the system, you are asked to make an exception if you still want to connect to the site that cannot be verified. This failure during certificate trust verification is most often the case when the certificate is invalid either

  • Because the hostname does not match the common name in the certificate. You will get the error message You might be connecting to a server that is pretending to be….
  • The certificate is self signed or signed by a root authority not trusted in the system.
  • The certificate is expired.

You can temporarily or permanently allow to connect nevertheless by choosing Continue. To remember your choice, select Always Trust….

Distribution (CDN)

You can enable custom origin Amazon CloudFront (Content Delivery Network) distribution using File → Info → Distribution (CDN).

Server compatibility


  • You need to have the option set TLSOptions NoSessionReuseRequired for FTP-TLS connections. Issue #5087. If configuring the server is not an option, users should switch back to plain FTP connections. Choose FTP (File Transfer Protocol) in the bookmark protocol setting. Most users hit by this compatibility issue have been asked to secure the connection because support for TLS was detected upon negogiating the connection.

Example configuration:


      The NoSessionReuseRequired option has been added.  As of
      ProFTPD 1.3.3rc1, mod_tls only accepts SSL/TLS data connections
      that reuse the SSL session of the control connection, as a security
      measure.  Unfortunately, there are some clients (e.g. curl) which
      do not reuse SSL sessions.

      To relax the requirement that the SSL session from the control
      connection be reused for data connections, use the following in the

        <IfModule mod_tls.c>
          TLSOptions NoSessionReuseRequired
  • The option TLSOptions AllowClientRenegotiations must be set for FTP-TLS connections. Issue #3012.
  • The option TLSProtocol SSLv23 must be set for FTP-TLS connections. Issue #5061.


  • The option require_ssl_reuse=NO must be set for FTP-TLS connections. Issue #5087.


Error opening data socket

For data transfers and possibly file listings (depending on the features supported by the server), a second data connection must be opened using PASV or PORT commands which is referred to as a passive or active data connection.

Depending on the firewall and router configuration in your network there may be errors reported:

  • Failure opening active data socket reports I won't open a connection to (only to

It is not possible to change permissions

The error message FTP Error: SITE not understood or similar is displayed. The server does not support this feature (which is an optional extension to the FTP protocol) and can not be used.

Listing directories fails or shows no content

Various options are available to adjust the usage of different directory listing commands (LIST, STAT and MLSD). Directory listings are requested using STAT, MLSD, LIST -a and LIST commands in that order. If a failure is detected (because the server may not support the command), the next option is tried. Because this can be fuzzy logic, it may still be that Cyberduck does not correctly fall back to a supported list command. You may then try to force the use of a given command.

To disable STAT for directory listings, change the hidden configuration option as follows:

defaults write ch.sudo.cyberduck ftp.command.stat false

To disable LIST -a for directory listings, open a window and enter

defaults write ch.sudo.cyberduck ftp.command.lista false

To disable MLSD for directory listings, open a window and enter

defaults write ch.sudo.cyberduck ftp.command.mlsd false

Restart Cyberduck.

Default protocol handler

You can set Cyberduck or a third party application as the default application (protocol handler) for FTP in Preferences → FTP. When you click URLs in another application like your web browser, this application is opened to open the URL instead.


Attachments (4)

Download all attachments as: .zip