Net::FTPSSL - A FTP over SSL/TLS class



  use Net::FTPSSL;

  my $ftps = Net::FTPSSL->new('', 
                              Encryption => EXP_CRYPT,
                              Debug => 1) 
    or die "Can't open\n$Net::FTPSSL::ERRSTR";

  $ftps->login('anonymous', 'user@localhost') 
    or die "Can't login: ", $ftps->last_message();

  $ftps->cwd("/pub") or die "Can't change directory: " . $ftps->last_message();

  $ftps->get("file") or die "Can't get file: " . $ftps->last_message();


Had you included Croak => 1 as an option to new, you could have left off the or die checks and your die messages would be more specific to the actual problem encountered!


Net::FTPSSL is a class implementing a simple FTP client over a Secure Sockets Layer (SSL) or Transport Layer Security (TLS) connection written in Perl as described in RFC959 and RFC2228. It will use TLS by default.


new( HOST [, OPTIONS ] )

Creates a new Net::FTPSSL object and opens a connection with the HOST. HOST is the address of the FTPS server and it's a required argument. OPTIONS are passed in a hash like fashion, using key and value pairs. If you wish you can also pass OPTIONS as a hash reference.

If it can't create a new Net::FTPSSL object, it will return undef unless you set the Croak option. In either case you will find the cause of the failure in $Net::FTPSSL::ERRSTR.


Encryption - The connection can be implicitly (IMP_CRYPT) encrypted, explicitly (EXP_CRYPT) encrypted, or regular FTP (CLR_CRYPT). In explicit cases the connection begins clear and became encrypted after an "AUTH" command is sent, while implicit starts off encrypted. For CLR_CRYPT, the connection never becomes encrypted. Default value is EXP_CRYPT.

Port - The port number to connect to on the remote FTPS server. The default port is 21 for EXP_CRYPT and CLR_CRYPT. But for IMP_CRYPT the default port is 990. You only need to provide a port if you need to override the default value.

DataProtLevel - The level of security on the data channel. The default is DATA_PROT_PRIVATE, where the data is also encrypted. DATA_PROT_CLEAR is for data sent as clear text. DATA_PROT_SAFE and DATA_PROT_CONFIDENTIAL are not currently supported. If CLR_CRYPT was selected, the data channel is always DATA_PROT_CLEAR and can't be overridden.

useSSL - Use this option to connect to the server using SSL instead of TLS. TLS is the default encryption type and the more secure of the two protocols. Set useSSL => 1 to use SSL.

PreserveTimestamp - During all puts and gets, attempt to preserve the file's timestamp. By default it will not preserve the timestamps.

Pret - Set if you are talking to a distributed FTPS server like DrFtpd that needs a PRET command issued before all calls to PASV.

Trace - Turns on/off (1/0) put/get download tracing to STDERR. Default is off.

Debug - This turns the debug tracing option on/off. Default is off. (0,1,2)

DebugLogFile - Redirects the output of Debug from STDERR to the requested error log file name. This option is ignored unless Debug is also turned on. Enforced this way for backwards compatibility. If Debug is set to 2, the log file will be opened in append mode instead of creating a new log file. This file is closed when quit is called and Debug messages go back to STDERR again afterwards.

Croak - Force most methods to call croak() on failure instead of returning FALSE. The default is to return FALSE or undef on failure. When it croaks, it will attempt to close the FTPS connection as well, preserving the last message before it attempts to close the connection. Allowing the server to know the client is going away. This will cause $Net::FTPSSL::ERRSTR to be set as well.

SSL_Client_Certificate - Expects a reference to a hash. It's main purpose is to allow you to use client certificates when talking to your FTPS server. Options here apply to the creation of the command channel. And when a data channel is needed later, it uses the SSL_reuse_ctx option to reuse the command channel's context. See start_SSL() in IO::Socket::SSL for more details on this and other options available. If an option provided here conflicts with other options we would normally use, the entries in this hash take precedence.

Buffer - This is the block size that Net::FTPSSL will use when a transfer is made. Default value is 10240.

Timeout - Set a connection timeout value. Default value is 120.

LocalAddr - Local address to use for all socket connections, this argument will be passed to all IO::Socket::INET calls.

OverridePASV - Some FTPS servers sitting behind a firewall incorrectly return their local IP Address instead of their external IP Address used outside the firewall where the client is. To use this option to correct this problem, you must specify the correct host to use for the data channel connection. This should usually match what you provided as the host!

OverrideHELP - Some FTPS servers on encrypted connections incorrectly send back part of the response to the HELP command in clear text instead of it all being encrypted, breaking the command channel connection. This class calls HELP internally via supported() for some conditional logic, making a work around necessary to be able to talk to such servers.

This option supports three distinct modes to support your needs. You can pass a reference to an array that lists all the FTP commands your sever supports, you can set it to 1 to say all commands are supported, or set it to 0 to say none of the commands are supported. See supported() for more details.

This option can also be usefull when your server doesn't support the HELP command itself and you need to trigger some of the conditional logic.

SSL_Advanced - Depreciated, use SSL_Client_Certificate instead. This is now just an alias for SSL_Client_Certificate for backwards compatibility. If both are used, this option is ignored.


Most of the methods return true or false, true when the operation was a success and false when failed. Methods like list or nlst return an empty array when they fail. This behavior can be modified by the Croak option.


Use the given information to log into the FTPS server.


This method breaks the connection to the FTPS server. It will also close the file pointed to by option DebugLogFile.

force_epsv( [1/2] )

Used to force EPSV instead of PASV when establishing a data channel. Once this method is called, it is imposible to swap back to PASV. This method should be called as soon as possible after you log in if EPSV is required.

It does this by sending "EPSV ALL" to the server. Afterwards the server will reject all EPTR, PORT and PASV commands.

After "EPSV ALL" is sent, it will attempt to verify your choice of IP Protocol to use: 1 or 2 (v4 or v6). The default is 1. It will use the selected protocol for all future EPSV calls. If you need to change which protocol to use, you may call this function a second time to swap to the other EPSV Protocol.

This method returns true if it succeeds, or false if it fails.

set_croak( [1/0] )

Used to turn the Croak option on/off after the Net::FTPSSL object has been created. It returns the previous Croak settings before the change is made. If you don't provide an argument, all it does is return the current setting. Provided in case the Croak option proves to be too restrictive in some cases.


This method returns a list of files in a format similar to this: (Server Specific)

 drwxrwx--- 1 owner group          512 May 31 11:16 .
 drwxrwx--- 1 owner group          512 May 31 11:16 ..
 drwxrwx--- 1 owner group          512 Oct 27  2004 foo
 drwxrwx--- 1 owner group          512 Oct 27  2004 pub
 drwxrwx--- 1 owner group          512 Mar 29 12:09 bar

If DIRECTORY is omitted, the method will return the list of the current directory.

If PATTERN is provided, it would limit the result similar to the unix ls command or the Windows dir command. The only wild cards supported are * and ?. (Match 0 or more chars. Or any one char.) So a pattern of f*, ?Oo or FOO would find just foo from the list above. Files with spaces in their name can cause strange results when searching for a pattern.


Same as list but returns the list in this format:


Spaces in the filename do not cause problems with the PATTERN with nlst. Personally, I suggest using nlst instead of list.


Sets the file transfer mode to ASCII. CR LF transformations will be done. ASCII is the default transfer mode.


Sets the file transfer mode to binary. No CR LF transformation will be done.


Stores the LOCAL_FILE onto the remote ftps server. LOCAL_FILE may be a file handle, but in this case REMOTE_FILE is required. It returns undef if put() fails.

If you provide an OFFSET, this method assumes you are attempting to continue with an upload that was aborted earlier. And it's your responsibility to verify that it's the same file on the server you tried to upload earlier. By providing the OFFSET, this function will send a REST command to the FTPS Server to skip over that many bytes before it starts writing to the file. This method will also skip over the requested OFFSET after opening the LOCAL_FILE for reading, but if passed a file handle it will assume you've already positioned it correctly. If you provide an OFFSET of -1, this method will calculate the offset for you by issuing a SIZE command against the file on the FTPS server. So REMOTE_FILE must already exist to use -1, or it's an error. It is also an error to make OFFSET larger than the REMOTE_FILE.

If the OFFSET you provide turns out to be smaller than the current size of REMOVE_FILE, the server will truncate the REMOTE_FILE to that size before appending to the end of REMOTE_FILE. (This may not be consistent across all FTPS Servers, so don't depend on this feature without testing it first.)

If the option PreserveTimestamp was used, and the FTPS server supports it, it will attempt to reset the timestamp on REMOTE_FILE to the timestamp on LOCAL_FILE.


Appends the LOCAL_FILE onto the REMOTE_FILE on the ftps server. If REMOTE_FILE doesn't exist, the file will be created. LOCAL_FILE may be a file handle, but in this case REMOTE_FILE is required and OFFSET is ignored. It returns undef if append() fails.

If you provide an OFFSET, it will skip over that number of bytes in the LOCAL_FILE except when it was a file handle, but will not send a REST command to the server. It will just append to the end of REMOTE_FILE on the server. You can also provide an OFFSET of -1 with the same limitations as with put(). If you need the REST command sent to the FTPS server, use put() instead.

If the option PreserveTimestamp was used, and the FTPS server supports it, it will attempt to reset the timestamp on REMOTE_FILE to the timestamp on LOCAL_FILE.


Stores the LOCAL_FILE onto the remote ftps server. LOCAL_FILE may be a file handle, but in this case REMOTE_FILE is required. If REMOTE_FILE already exists on the ftps server, a unique name is calculated by the server for use instead.

If the file transfer succeeds, this function will return the actual name used on the remote ftps server. If it can't figure that out, it will return what was used for REMOTE_FILE. On failure this method will return undef.

If the option PreserveTimestamp was used, and the FTPS server supports it, it will attempt to reset the timestamp on the remote file using the file name being returned by this function to the timestamp on LOCAL_FILE. So if the wrong name is being returned, the wrong file will get it's timestamp updated.


Use when the directory you are dropping REMOTE_FILE into is monitored by a file recognizer that might pick the file up before the file transfer has completed. So the file is transferred using a temporary name using a naming convention that the file recognizer will ignore and is guaranteed to be unique. Once the file transfer successfully completes, it will be renamed to REMOTE_FILE for immediate pickup by the file recognizer. If you requested to preserve the file's timestamp, this step is done after the file is renamed and so can't be 100% guaranteed if the file recognizer picks it up first. Since if it was done before the rename, other more serious problems could crop up if the resulting timestamp was old enough.

On failure this function will attempt to delete the scratch file for you if its at all possible. You will have to talk to your FTPS server administrator on good values for PREFIX and POSTFIX if the defaults are no good for you.

PREFIX defaults to _tmp. unless you override it. Set to "" if you need to suppress the PREFIX. This PREFIX can be a path to another directory if needed, but that directory must already exist! Set to undef to keep this default and you need to change the default for POSTFIX or BODY.

POSTFIX defaults to .tmp unless you override it. Set to "" if you need to suppress the POSTFIX. Set to undef to keep this default and you need to change the default for BODY.

BODY defaults to client-name.PID so that you are guaranteed the temp file will have an unique name on the remote server. It is strongly recommended that you don't override this value.

So the temp scratch file would be called something like this by default: _tmp.testclient.51243.tmp.

As a final note, if REMOTE_FILE has path information in it's name, the temp scratch file will have the same directory added to it unless you override the PREFIX with a different directory to drop the scratch file into. This avoids forcing you to change into the requested directory first when you have multiple files to send out into multiple directories.


Retrieves the REMOTE_FILE from the ftps server. LOCAL_FILE may be a filename or a file handle. It returns undef if get() fails. You don't usually need to use OFFSET.

If you provide an OFFSET, this method assumes your are attempting to continue with a download that was aborted earlier. And it's your responsibility to verify that it's the same file you tried to download earlier. By providing the OFFSET, it will send a REST command to the FTPS Server to skip over that many bytes before it starts downloading the file again. If you provide an OFFSET of -1, this method will calculate the offset for you based on the size of LOCAL_FILE using the current transfer mode. (ASCII or BINARY). It is an error to set it to -1 if the LOCAL_FILE is a file handle.

On the client side of the download, the OFFSET will do the following: Open the file and truncate everything after the given OFFSET. So if you give an OFFSET that is too big, it's an error. If it's too small, the file will be truncated to that OFFSET before appending what's being downloaded. If the LOCAL_FILE is a file handle, it will assume the file handle has already been positioned to the proper OFFEST and it will not perform a truncate. Instead it will just append to that file handle's current location. Just beware that using huge OFFSETs in ASCII mode can be a bit slow if the LOCAL_FILE needs to be truncated.

If the option PreserveTimestamp was used, and the FTPS Server supports it, it will attempt to reset the timestamp on LOCAL_FILE to the timestamp on REMOTE_FILE after the download completes.


The inverse of xput, where the file recognizer is on the client side. The only other difference being what BODY defaults to. It defaults to reverse(testclient).PID. So your default scratch file would be something like: _tmp.tneilctset.51243.tmp.

Just be aware that in this case LOCAL_FILE can no longer be a file handle.

delete( REMOTE_FILE )

Deletes the indicated REMOTE_FILE.

cwd( DIR )

Attempts to change directory to the directory given in DIR on the remote server.

pwd( )

Returns the full pathname of the current directory on the remote server.

cdup( )

Changes directory to the parent of the current directory on the remote server.

mkdir( DIR )

Creates the indicated directory DIR on the remote server. No recursion at the moment.

rmdir( DIR )

Removes the empty indicated directory DIR on the remote server. No recursion at the moment.

noop( )

It requires no action other than the server send an OK reply.

rename( OLD, NEW )

Allows you to rename the file on the remote server.

site( ARGS )

Send a SITE command to the remote server and wait for a response.

mfmt( time_str, remote_file ) or _mfmt( timestamp, remote_file )

Both are boolean functions that attempt to reset the remote file's timestamp on the FTPS server and returns true on success. The 1st version can call croak on failure if Croak is turned on, while the 2nd version will not do this. The other difference between these two functions is the format of the file's timestamp to use.

time_str expects the timestamp to be GMT time in format YYYYMMDDHHMMSS. While timestamp expects to be in the same format as returned by localtime().

mdtm( remote_file ) or _mdtm( remote_file )

The 1st version returns the file's timestamp as a string in YYYYMMDDHHMMSS format using GMT time, it will return undef or call croak on failure.

The 2nd version returns the file's timestamp in the same format as returned by localtime() and will never call croak.

size( remote_file )

This function will return undef or croak on failure. Otherwise it will return the file's size in bytes, which may also be zero bytes! Just be aware for text files that the size returned may not match the file's actual size after the file has been downloaded to your system in ASCII mode. This is an OS specific issue. It will always match if you are using BINARY mode.

Also SIZE may return a different size for ASCII & BINARY modes. This issue depends on what OS the FTPS server is running under. Should they be different, the ASCII size will be the BINARY size plus the number of lines in the file.

restart( OFFSET )

Set the byte offset at which to begin the next data transfer. Net::FTPSSL simply records this value and uses it during the next data transfer. For this reason this method will not return an error, but setting it may cause subsequent data transfers to fail.

I recommend using the OFFSET directly in get(), put(), and append() instead of using this method. It was only added to make Net::FTPSSL compatible with Net::FTP. A non-zero offset in those methods will override what you provide here. If you call any of the other get()/put() variants after calling this function, you will get an error.

It is OK to use an OFFSET of -1 here to have Net::FTPSSL calculate the correct OFFSET for you before it get's used. Just like if you had provided it directly to the get(), put(), and append() calls.

This OFFSET will be automatically zeroed out the 1st time it is used.

quot( CMD [,ARGS] )

Send a command, that Net::FTPSSL does not directly support, to the remote server and wait for a response. You are responsible for parsing anything you need from message() yourself.

Returns the most significant digit of the response code. So it will ignore the Croak request.

WARNING This call should only be used on commands that do not require data connections. Misuse of this method can hang the connection if the internal list of FTP commands using a data channel is incomplete.

ccc( [ DataProtLevel ] )

Sends the clear command channel request to the FTPS server. If you provide the DataProtLevel, it will change it from the current data protection level to this one before it sends the CCC command. After the CCC command, the data channel protection level can not be changed again and will always remain at this setting. Once you execute the CCC request, you will have to create a new Net::FTPSSL object to secure the command channel again. Due to security concerns it is recommended that you do not use this method.

If the version of IO::Socket::SSL you have installed is too old, this function will not work since stop_SSL won't be defined (like in v1.08). So it is recommended that you be on at least version 1.18 or later if you plan on using this function.

supported( CMD [,SITE_OPT] )

Returns TRUE if the remote server supports the given command. CMD must match exactly. This function will ignore the Croak request.

If the CMD is SITE or FEAT and SITE_OPT is supplied, it will also check if the specified SITE_OPT sub-command is supported by that command. Not all servers will support the use of SITE_OPT.

It determines if a command is supported by calling HELP and parses the results for a match. And if FEAT is supported it calls FEAT and adds these commands to the HELP list. The results are cached so HELP and FEAT are only called once.

Some rare servers send the HELP results partially encrypted and partially in clear text, causing the encrypted channel to break. In that case you will need to override this method for things to work correctly with these non-conforming servers. See the OverrideHELP option in the constructor for how to do this.

Some servers don't support the HELP command itself! When this happens, this method will always return FALSE unless you set the OverrideHELP option in the constructor.

This method is used internally for conditional logic only when checking if the following 4 FTP commands are allowed: ALLO, NOOP, MFMT, and MDTM. The ALLO command is used with all put/get command sequences. The other three are not checked that often.

last_message() or message()

Use either one to collect the last response from the FTPS server. This is the same response printed to STDERR when Debug is turned on. It may also contain any fatal error message encountered.

If you couldn't create a Net::FTPSSL object, you should get your error message from $Net::FTPSSL::ERRSTR instead. Be careful since $Net::FTPSSL::ERRSTR is shared between instances of Net::FTPSSL, while message & last_message are not shared between instances!

last_status_code( )

Returns the one digit status code associated with the last response from the FTPS server. The status is the first digit from the full 3 digit response code.

The possible values are exposed via the following 7 constants: CMD_INFO, CMD_OK, CMD_MORE, CMD_REJECT, CMD_ERROR, CMD_PROTECT and CMD_PENDING.

set_callback( [cb_func_ref, end_cb_func_ref [, cb_data_ref]] )

This function allows the user to define a callback function to use whenever a data channel to the server is open. If either cb_func_ref or end_cb_func_ref is undefined, it disables the callback functionality, since both are required for call backs to function properly.

The cb_func_ref is a reference to a function to handle processing the data channel data. This is a void function that can be called multiple times. It is called each time a chunk of data is read from or written to the data channel.

The end_cb_func_ref is a reference to a function to handle closing the callback for this data channel connection. This function is allowed to return a string of additional data to process before the data channel is closed. It is called only once per command after processing all the data channel data.

The cb_data_ref is an optional reference to an array or hash that the caller can use to store values between calls to the callback function and the end callback function. If you don't need such a work area, it's safe to not provide one. The Net::FTPSSL class doesn't look at this reference.

The callback function must take the following 5 arguments:

   B<callback> (ftps_func_name, data_ref, data_len_ref, total_len, cb_data_ref);

The ftps_func_name will tell what Net::FTPSSL function requested the callback so that your callback function can determine what the data is for and do conditional logic accordingly. We don't provide a reference to the Net::FTPSSL object itself since the class is not recursive. Each Net::FTPSSL object should have it's own cb_dat_ref to work with. But methods within the class can share one.

Since we pass the data going through the data channel as a reference, you are allowed to modify the data. But if you do, be sure to update data_len_ref to the new data length as well if it changes. Otherwise you will get buggy responses. Just be aware that if you change the length, more than likely you'll be unable to reliably restart an upload or download via restart() or using OFFSET in the put & get commands.

Finally, the total_len is how many bytes have already been processed. It does not include the data passed for the current callback call. So it will always be zero the first time it's called.

Once we finish processing data for the data channel, a different callback function will be called to tell you that the data channel is closing. That will be your last chance to affect what is going over the data channel and to do any needed post processing. The end callback function must take the following arguments:

   $end = B<end_callback> (ftps_func_name, total_len, cb_data_ref);

These arguments have the same meaning as for the callback function, except that this function allows you to optionally provide additional data to/from the data channel. If reading from the data channel, it will treat the return value as the last data returned before it was closed. Otherwise it will be written to the data channel before it is closed. Please return undef if there is nothing extra for the Net::FTPSSL command to process.

You should also take care to clean up the contents of cb_data_ref in the end_callback function. Otherwise the next callback sequence that uses this work area may behave strangely.

As a final note, should the data channel be empty, it is very likely that just the end_callback function will be called without any calls to the callback function.


Marco Dalla Stella - <kral at paranoici dot org>

Curtis Leach - <cleach at cpan dot org> - As of v0.05






RFC 959 -

RFC 2228 -

RFC 2246 -

RFC 4217 -


Graham Barr <gbarr at pobox dot com> - for have written such a great collection of modules (libnet).


Please report any bugs with a FTPS log file created via options Debug=>1 and DebugLogFile=>"file.txt" along with your sample code at

Patches are appreciated when a log file and sample code are also provided.


Copyright (c) 2009 - 2012 Curtis Leach. All rights reserved.

Copyright (c) 2005 Marco Dalla Stella. All rights reserved.

This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.