Interesting, as I believe I just resolved my issue, and I think it worked. My
issue was my method of specifying environment variables. I had them specified
in a single quoted string instead of two separate quoted strings, separated by
a comma. The following works (specified in a CEEOPTS DD):
ENVAR('GSK_PROTOCOL_TLSV1_2=1', 'GSK_V3_CIPHER_SPECS=3D35')
This does cause a warning that "specID 3D not recognized", but I think that is
simply a result of the FTP application trying to find a text representation for
a cipher that it doesn't know about. But at the System SSL level it all seems
to work.
With "DEBUG SEC" specified in my ftp.data I see the following:
FC0334 ftpAuth: ........ cipherspecs =
FC0379 ftpAuth: environment_open()
FC0543 ftpAuth: environment_init()
FC0552 ftpAuth: environment initialization complete
EZA1701I >>> AUTH TLS
234 AUTH command OK. Initializing SSL connection.
FC1011 authServer: secure_socket_open()
FC1083 HSNOTIFY rc: 0
FC1088 authServer: secure_socket_init()
FU1316 tlsLevel: specID 3D not recognized
FU1325 tlsLevel: using TLSV1.2 (3D)
FC1171 authServer: gsk_attribute_get_cert_info()
FC1216 authServer: decode certificate length = 1575
EZA2895I Authentication negotiation succeeded
Everything seems to work. I won't be able to validate for 100% that it's using
a SHA256 MAC until the server is reconfigured to exclude SHA1 again, but I
think we're good.
Not that we shouldn't convert to AT-TLS at some point. But right now we just
want to get this working.
Frank
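As an added example (not part of the thread and not IBM's code), the script below parses a CEEOPTS `ENVAR(...)` line the way the two quoting styles discussed above would be interpreted: one quoted string per variable versus several variables inside a single quoted string. It then splits the `GSK_V3_CIPHER_SPECS` value into 2-character cipher-spec IDs and reports any entry whose suite name ends in a SHA-1 MAC or uses 3DES. The ID-to-name table is a constructed subset based on the assumption that the 2-character form is the low byte of the IANA cipher-suite number (0x003D, 0x0035, and so on); IDs outside the table are reported as unknown rather than guessed.

```python
"""Audit cipher specs passed to z/OS System SSL through a CEEOPTS ENVAR line.

Added example, not code from the mailing-list thread. CIPHER_NAMES is a
constructed subset; the mapping assumption is that the 2-character System SSL
ID equals the low byte of the IANA TLS cipher-suite identifier.
"""
import re

CIPHER_NAMES = {
    "0A": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "2F": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "35": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "3C": "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "3D": "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "9C": "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "9D": "TLS_RSA_WITH_AES_256_GCM_SHA384",
}

# The working line from the thread, and a constructed single-string variant
# of the kind the thread says did not work.
GOOD = "ENVAR('GSK_PROTOCOL_TLSV1_2=1', 'GSK_V3_CIPHER_SPECS=3D35')"
BAD = "ENVAR('GSK_PROTOCOL_TLSV1_2=1, GSK_V3_CIPHER_SPECS=3D35')"

ENVAR_RE = re.compile(r"ENVAR\((.*)\)")
QUOTED_RE = re.compile(r"'([^']*)'")


def parse_envar(line):
    """Return each quoted string inside ENVAR(...) as one NAME=VALUE entry."""
    m = ENVAR_RE.search(line)
    if not m:
        raise ValueError("no ENVAR(...) found")
    return QUOTED_RE.findall(m.group(1))


def env_dict(line):
    """Map variable names to values; everything after the first '=' is value."""
    env = {}
    for item in parse_envar(line):
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed entry {item!r}")
        env[name.strip()] = value
    return env


def split_specs(spec_string):
    """GSK_V3_CIPHER_SPECS is a run of 2-character hex IDs with no separators."""
    s = spec_string.strip().upper()
    if len(s) % 2 or not re.fullmatch(r"[0-9A-F]*", s):
        raise ValueError(f"bad cipher spec string {spec_string!r}")
    return [s[i:i + 2] for i in range(0, len(s), 2)]


def mac_of(suite_name):
    """Suite names end in the MAC/PRF hash: SHA, SHA256 or SHA384."""
    return suite_name.rsplit("_", 1)[-1]


def audit(line):
    """Return a list of findings for one CEEOPTS ENVAR line (empty = clean)."""
    env = env_dict(line)
    findings = []
    # A comma inside a value usually means several variables were placed in
    # one quoted string; System SSL then never sees the later ones.
    for name, value in env.items():
        if "," in value:
            findings.append(f"{name}: value contains ',' (several variables "
                            "in one quoted string?)")
    if env.get("GSK_PROTOCOL_TLSV1_2") != "1":
        findings.append("TLSv1.2 not enabled via GSK_PROTOCOL_TLSV1_2")
    specs = env.get("GSK_V3_CIPHER_SPECS")
    if specs is None:
        findings.append("GSK_V3_CIPHER_SPECS not set")
        return findings
    for cid in split_specs(specs):
        name = CIPHER_NAMES.get(cid)
        if name is None:
            findings.append(f"{cid}: unknown cipher ID")
        elif mac_of(name) == "SHA" or "3DES" in name:
            findings.append(f"{cid}: {name} uses a legacy algorithm")
    return findings


if __name__ == "__main__":
    for label, line in (("good", GOOD), ("bad", BAD)):
        print(label, audit(line) or ["clean"])
```

Run against the working line, the audit reports nothing for `3D` and flags `35` as a SHA-1 MAC suite; run against the single-string form, it reports that the first variable's value swallowed the second one and that `GSK_V3_CIPHER_SPECS` was never set.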
________________________________
From: IBM Mainframe Discussion List <[email protected]> on behalf of
John S. Giltner, Jr. <[email protected]>
Sent: Wednesday, February 24, 2021 3:37 PM
To: [email protected] <[email protected]>
Subject: Re: FTP with TLSv1.2 and SHA256
I just went through this and had a PMR with IBM. FTP will use TLSv1.2 as you
have found by using env variables, but you are limited to the cipher specs it
supports natively. It will not honor anything you try and code with env
variables. You will need to use AT-TLS.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN