I'm sure I must be missing something here. I'm trying to FTPS from the z/OS 2.2
client to a Linux system but failing the handshake. The FTP session indicates:

SC2852 sendCmd: entered
EZA1701I >>> AUTH TLS
SC3315 getReply: entered
SC4502 getNextReply: entered with waitForData = TRUE
234 AUTH TLS successful
SC4194 getLastReply: entered
FC1000 authServer: entered
FC1013 authServer: secure_socket_open()
SC4358 getFNDELAY: entered
FC1085 HSNOTIFY rc: 0
FC1090 authServer: secure_socket_init()
FU0941 secureWrite: entered
FU0841 secureRead: entered
SC4393 setFNDELAY: entered
FC1103 authServer: secure_socket_init failed with rc = 410 (SSL message format is incorrect)
FC1579 endSecureConn: entered
EZA2897I Authentication negotiation failed
FC1611 endSecureEnv: entered
SC4242 inSession: entered
CZ0731 SETCEC code = 17
EZA2898I Unable to successfully negotiate required authentication

It wasn't quite clear what the 410 indicates, so I got an SSL trace:

S0W1 MESSAGE 00000008 01:49:34.380195 SSL_INFO
Job SJP1 Process 0501028D Thread 00000001 send_v3_client_hello
Sent V3 CLIENT-HELLO message
S0W1 DUMP 00000020 01:49:34.380878 SSL_ASCII_DUMP
Job SJP1 Process 0501028D Thread 00000001 send_v3_client_hello
V3 CLIENT-HELLO message
00000000: 01000035 03016038 53AEFEE4 0E3FA5C1 *...5...8S....?..*
00000010: 738D1174 97B11A6C 48D50A52 9ED8C9F6 *s..t...lH..R....*
00000020: 19AF4C56 C20D0000 0E00FF00 35003800 *..LV........5.8.*
00000030: 39002F00 32003301 00 *9./.2.3.. *
S0W1 MESSAGE 00000008 01:49:34.381607 SSL_INFO
Job SJP1 Process 0501028D Thread 00000001 gsk_write_v3_record
Calling write routine for 62 bytes
S0W1 MESSAGE 00000008 01:49:34.383039 SSL_INFO
Job SJP1 Process 0501028D Thread 00000001 gsk_write_v3_record
62 bytes written
S0W1 MESSAGE 00000008 01:49:34.383763 SSL_INFO
Job SJP1 Process 0501028D Thread 00000001 gsk_read_v3_record
Calling read routine for 5 bytes
S0W1 MESSAGE 00000008 01:49:34.467030 SSL_INFO
Job SJP1 Process 0501028D Thread 00000001 gsk_read_v3_record
5 bytes received
S0W1 MESSAGE 00000004 01:49:34.467943 SSL_ERROR
Job SJP1 Process 0501028D Thread 00000001 gsk_read_v3_record
Content Type 53 is not supported
S0W1 DUMP 00000020 01:49:34.468808 SSL_ASCII_DUMP
Job SJP1 Process 0501028D Thread 00000001 gsk_read_v3_record
SSL record header
00000000: 35353020 54 *550 T *
S0W1 MESSAGE 00000004 01:49:34.469667 SSL_ERROR
Job SJP1 Process 0501028D Thread 00000001 gsk_secure_socket_init
SSL V3 client handshake failed with 67.208.93.232.21.

The server seems to be objecting to the x'35' (decimal 53) in the 'ContentType'
field of the CLIENT-HELLO message. In RFC8446 it says

"Implementations MUST NOT send record types not defined in this
document unless negotiated by some extension. If a TLS
implementation receives an unexpected record type, it MUST terminate
the connection with an "unexpected_message" alert."

Does anyone have any idea why the z/OS client is doing this? Surely some people
are doing FTPS from z/OS to Linux somewhere. I've tried it on a couple of
different z/OS levels with the same result. Any help is much appreciated.
Steve Pryor
DTS Software, LLC
[email protected]
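
An added diagnostic example, not part of the original post and not IBM code: it decodes the five bytes shown in the "SSL record header" dump of the trace as a TLS record header, and also checks whether they are printable ASCII in the shape of an FTP reply line. The function name and dictionary keys are made up for this example.

```python
# Classify the 5 bytes a TLS client reads where it expects a record header.
# Added example; names here are illustrative, not from System SSL.

TLS_CONTENT_TYPES = {
    20: "change_cipher_spec",
    21: "alert",
    22: "handshake",
    23: "application_data",
    24: "heartbeat",
}


def classify_record_header(hdr: bytes) -> dict:
    """Interpret 5 bytes read from the peer as a TLS record header."""
    if len(hdr) != 5:
        raise ValueError("a TLS record header is exactly 5 bytes")
    ctype, major, minor = hdr[0], hdr[1], hdr[2]
    result = {
        "content_type": ctype,
        "content_type_name": TLS_CONTENT_TYPES.get(ctype),
        "version": (major, minor),
        "length": int.from_bytes(hdr[3:5], "big"),
        "verdict": "unknown",
        "ascii": None,
    }
    # A real SSLv3/TLS record has a known content type and major version 3.
    if ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 4:
        result["verdict"] = "tls_record"
        return result
    # Otherwise check whether the bytes are printable text, e.g. an FTP
    # reply: three digits followed by a space or hyphen (RFC 959).
    if all(0x20 <= b < 0x7F for b in hdr):
        text = hdr.decode("ascii")
        result["ascii"] = text
        if text[:3].isdigit() and text[3] in " -":
            result["verdict"] = "plaintext_ftp_reply"
            result["ftp_code"] = int(text[:3])
        else:
            result["verdict"] = "plaintext"
    return result


# Bytes copied from the "SSL record header" dump in the trace above.
TRACE_HEADER = bytes.fromhex("3535302054")

if __name__ == "__main__":
    print(classify_record_header(TRACE_HEADER))
```

For the trace bytes `35 35 30 20 54` the verdict is `plaintext_ftp_reply` with code 550: the five bytes received decode to the text `550 T`, and 0x35 is the ASCII digit `5`.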