FTP SSL passive mandatory?

I was debugging the FTPAPI utility for implementing new FTP SSL
functionality through sockets that was using standard FTP instead of
passive by default.  When I got the "500 Illegal PORT command" trying to
list files, I tried the IBM FTP client with the SENDPASV 0.  I got the same
error on the "ls".  FTP'ing to an outside non-SSL site was fine for
standard FTP (non-passive).  So, I should always make sure I use passive
like the default on the IBM FTP client for at least that particular secure
SSL site.  I heard the apache FTP server only allows passive connections
for encrypted data connections.  It appears the bank site I am trying to
connect to only allows passive data connections.  I still get the error
when using *CLEAR for the data protection.  I heard that passive
connections are recommended for SSL FTP data connections.  I wasn't even
going to try to program the utility to allow SSL FTP on standard FTP
connections since it was complex, possibly rare, and I couldn't even test.
I wonder if most secure sites make passive data connections mandatory.
Is standard (non-passive) FTP SSL something that should never be done?
Also, IBM changed their data connection mode default from standard to
passive at V4R2M0.  I am assuming most people don't have the
QUSRSYS/QTMFTPPASV data area isn't installed to override this.  I think
passive is usually preferred so the remote server doesn't get blocked by
the client's firewall on connection.  In passive mode, the client opens
another connection to the server specified by the server.  Is standard FTP
becoming obsolete due to  firewall restrictions?  Are most sites required
to support passive mode?

Craig Strong