On 1/26/2025 8:17 AM, Ed Jaffe wrote:
On 1/26/2025 7:54 AM, Ed Jaffe wrote:
The "key share group list" described above is being passed by z/OS as
the singular value "secp521r1". It would be great if we could figure
out how to make it send an actual list of group names that also
includes "secp256r1" (the only one supported by the RedHat 9 wsftp
server), but so far we haven't been able to figure out how to do that.
I fell back to TLS 1.2 support only. No more TLS 1.3. This time the
client sends secp256r1 (0023) for the initial handshake encryption,
which I found puzzling. My understanding was that only TLS 1.3 encrypted
the initial handshake, but whatevs. At least the group names should match.
Now I'm seeing something a bit different. The client sends some cipher
data and then immediately gets a 5003 failure because the response comes
back as clear text rather than encrypted. The book states this could be
caused by not having application-level control over the AT-TLS
encryption (via SIOCTL). I know we have that specified for both z/OS
client and z/OS server. Of course, it can't be specified for RedHat
wsftp as it doesn't use AT-TLS. I suppose it's possible the 5003 error
might be the result of an immediate disconnect from the server due to an
as-yet-not-understood problem with the cipher.
BPXF024I (OMVS) Jan 26 19:52:53 mvsa0 TTLS[84082999]: 19:52:52 TCPIP 368
EZD1285I TTLS Data CONNID: 000002BB SEND CIPHER 160303005C010000580
30367970315481C8DE945C99307607718DB6A1F6F63840EE2B69DD4305351D91A04000
00400FF00350100002B002B000302030300170000000D001C001A06010603050105030
40104030402030103030302020102030202 ..
BPXF024I (OMVS) Jan 26 19:52:53 mvsa0 TTLS[84082999]: 19:52:52 TCPIP 369
EZD1286I TTLS Error GRPID: 0000000A ENVID: 0000000A CONNID:
000002BB LOCAL: 192.168.10.195..1053 REMOTE: 98.174.153.86..21
JOBNAME: FTPTLPSI USERID: EDJXADM RULE: PSI_FTP-Client~1 RC: 5003
Data Decryption ..
What astonishes me is that no one on this list (or TCPIP-L) seems to
have any experience connecting AT-TLS-enabled FTP to RedHat Linux. On
the surface, that would seem to be one of the most common FTP
configurations in the world right behind z/OS to z/OS. Is what we're
doing really that bleeding edge???
--
Phoenix Software International
Edward E. Jaffe
831 Parkview Drive North
El Segundo, CA 90245
https://www.phoenixsoftware.com/
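The EZD1285I "SEND CIPHER" line quoted in the message is a complete TLS record, so it can be decoded rather than interpreted. The decoder below is an added example (not code from the original e-mail, from IBM, or from either FTP product); the function names and the sample FTP banner used by the clear-text check are its own, and the value names come from the IANA TLS registries. Run against the bytes as printed, it shows a TLS 1.2 ClientHello whose supported_versions extension lists only TLS 1.2, whose cipher suite list holds the renegotiation SCSV plus a single suite, TLS_RSA_WITH_AES_256_CBC_SHA (RSA key transport, so this hello carries no supported_groups or key_share extension at all), and whose signature_algorithms list has 13 entries. The first four bytes of the random, 0x67970315, are the gmt_unix_time field RFC 5246 defines for a TLS 1.2 client; they decode to 2025-01-27T03:52:53 UTC, which is the 19:52 on the trace line if the mvsa0 clock runs on Pacific time. The parser also handles supported_groups and key_share when they are present, so it can be pointed at a TLS 1.3 hello from the earlier attempt, and `looks_like_tls_record` is the five-byte check that distinguishes a TLS record from a clear-text reply such as an FTP banner, which is the condition the 5003 "Data Decryption" return code describes.

```python
"""Decode the AT-TLS 'SEND CIPHER' hex dump from the EZD1285I line above.

Added example, not code from the original e-mail, from IBM or from either FTP
product.  Names in the tables are IANA TLS registry names; the function names
and the constructed FTP banner in the clear-text check are this example's own.
"""
import datetime
import struct

# The hex dump exactly as printed on the four EZD1285I trace lines, joined.
TRACE_HEX = (
    "160303005C010000580"
    "30367970315481C8DE945C99307607718DB6A1F6F63840EE2B69DD4305351D91A04000"
    "00400FF00350100002B002B000302030300170000000D001C001A06010603050105030"
    "40104030402030103030302020102030202"
)

CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                 0x16: "handshake", 0x17: "application_data"}
VERSIONS = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2", 0x0304: "TLS1.3"}
CIPHER_SUITES = {0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
                 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA"}
EXTENSIONS = {0x000A: "supported_groups", 0x000D: "signature_algorithms",
              0x0017: "extended_master_secret", 0x002B: "supported_versions",
              0x0033: "key_share"}
GROUPS = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x0019: "secp521r1",
          0x001D: "x25519"}


def _u16(buf, off):
    return int.from_bytes(buf[off:off + 2], "big")


def _u16_list(buf):
    """Decode a packed vector of 2-byte values (the body of most list extensions)."""
    return [_u16(buf, i) for i in range(0, len(buf) - 1, 2)]


def _names(table, values):
    return [table.get(v, f"0x{v:04X}") for v in values]


def looks_like_tls_record(data: bytes) -> bool:
    """Quick test for 'did the peer answer in TLS or in clear text?': every TLS
    record starts with a known content type followed by a 0x03 0x0N version."""
    return (len(data) >= 5 and data[0] in CONTENT_TYPES
            and data[1] == 0x03 and 1 <= data[2] <= 4)


def parse_client_hello(raw: bytes) -> dict:
    """Parse one TLS record that carries a ClientHello; raise on anything else."""
    ctype, rec_ver, rec_len = struct.unpack("!BHH", raw[:5])
    body = raw[5:5 + rec_len]
    if ctype != 0x16 or len(body) != rec_len:
        raise ValueError("not a complete TLS handshake record")
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    if hs_type != 0x01 or hs_len != len(body) - 4:
        raise ValueError("handshake message is not a ClientHello")
    p = body[4:]
    client_ver = _u16(p, 0)
    # RFC 5246 lays the 32-byte random out as gmt_unix_time(4) + random_bytes(28);
    # a TLS 1.3 client (RFC 8446) fills all 32 bytes randomly instead.
    gmt = int.from_bytes(p[2:6], "big")
    off = 35 + p[34]                                   # skip session_id
    cs_len = _u16(p, off)
    off += 2
    suites = _u16_list(p[off:off + cs_len])
    off += cs_len
    off += 1 + p[off]                                  # skip compression_methods
    end = off + 2 + _u16(p, off)                       # end of the extensions block
    off += 2
    exts = {}
    while off + 4 <= end:                              # type(2) length(2) data
        etype, elen = _u16(p, off), _u16(p, off + 2)
        exts[etype] = p[off + 4:off + 4 + elen]
        off += 4 + elen

    info = {
        "record_version": VERSIONS.get(rec_ver),
        "client_version": VERSIONS.get(client_ver),
        "gmt_unix_time": gmt,
        "gmt_unix_time_iso": datetime.datetime.fromtimestamp(
            gmt, tz=datetime.timezone.utc).isoformat(),
        "cipher_suites": _names(CIPHER_SUITES, suites),
        "extensions": _names(EXTENSIONS, exts),
        "supported_versions": None, "supported_groups": None,
        "signature_algorithms": None, "key_share_groups": None,
    }
    if 0x002B in exts:   # 1-byte list length, then 2-byte versions
        info["supported_versions"] = _names(VERSIONS, _u16_list(exts[0x002B][1:]))
    if 0x000A in exts:   # 2-byte list length, then 2-byte named groups
        info["supported_groups"] = _names(GROUPS, _u16_list(exts[0x000A][2:]))
    if 0x000D in exts:   # 2-byte list length, then 2-byte signature schemes
        info["signature_algorithms"] = [f"0x{v:04X}" for v in _u16_list(exts[0x000D][2:])]
    if 0x0033 in exts:   # 2-byte total, then (group(2), key_len(2), key) entries
        ks, groups, i = exts[0x0033], [], 2
        while i + 4 <= len(ks):
            groups.append(GROUPS.get(_u16(ks, i), f"0x{_u16(ks, i):04X}"))
            i += 4 + _u16(ks, i + 2)
        info["key_share_groups"] = groups
    return info


def decode_trace() -> dict:
    return parse_client_hello(bytes.fromhex(TRACE_HEX))


if __name__ == "__main__":
    for key, value in decode_trace().items():
        print(f"{key:22} {value}")
    # Constructed sample of a clear-text FTP reply, for contrast with a TLS record.
    print("220 banner is TLS?", looks_like_tls_record(b"220 FTP server ready\r\n"))
```

The same decoder applied to the server's first bytes (an AT-TLS trace of the RECV side, or a packet capture) answers the clear-text question directly: if `looks_like_tls_record` is false on that data, the server replied with something other than a ServerHello or alert, and the 5003 is AT-TLS refusing to treat clear text as a TLS record.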
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN