Well, for what it's worth, I just tried it and my job was successful;
however, I also received the SSLv23/TLSv1 messages. So I used the standard job
that IBM provided (RFNJOBS) and I turned on Debug SEC. Here is what I got:
220 dhebpcb01 secure FTP server ready.
FC0294 ftpAuth: security values: mech=TLS, tlsmech=ATTLS, tlsreuse=N, sFTP=R, s
C=C, sDC=P
FC2971 ftpAuthAttls: AT-TLS policy set as application controlled.
FU2420 TTLSRule: secure_ftp_client_rule
FU2426 TTLSGroupAction: secure_ftp_client_group
FU2432 TTLSEnvironmentAction: secure_ftp_client_env
>>> AUTH TLS
234 SSLv23/TLSv1
FC3140 authServerAttls: Start Handshake
FC3171 authServerAttls: FIPS140 not enabled
FC3208 authServerAttls: Using TLSv1.2 protocol
FC3226 authServerAttls: SSL cipher: 0035
FU2135 getCtrlConnCertAttls: Request certificate, size 1581
FU2755 getSessionIdAttls: Issuing SIOCTTLSCTL to get decoded AT-TLS Session ID
Authentication negotiation succeeded
FC2028 setdlevel: entered
FC2197 setpbsz: entered
>>> PBSZ 0
200 PBSZ=0
>>> PROT P
200 Command PROT okay.
Data connection protection is private
NAME (deliverycb-bld.dhe.ibm.com:SCNS03T):
> P8r12142
>>> USER P8r12142
331 Password required for P8r12142.
PASSWORD:
> ***************
>>> PASS
230 virtual user P8r12142 logged in from /12.31.24.5:6457.
Command:
> CCC
> BINARY
FC1559 ccc: entered
FC1757 setclevel: entered
>>> CCC
200 Command Channel Cleared.
FU2364 clear_connection_attls: Issue Stop request
Control connection protection is clear
Command:
Command:
CG1018 find_hfs_file: stat() failed on /u/smpe/smpnts/OSP08132/GIMPAF.XML - EDC
129I No such file or directory. (errno2=0x053B006C)
>>> EPSV
229 Entering Passive Mode (|||65525|)
>>> RETR 2021042900039/PROD/GIMPAF.XML
150 Opening BINARY mode data connection for 2021042900039/PROD/GIMPAF.XML.
FU1678 protDataConnAttls: Issuing SIOCTTLSCTL to query policy state
FU1720 protDataConnAttls: AT-TLS policy set as application controlled.
FU2420 TTLSRule: secure_ftp_client_rule
FU2426 TTLSGroupAction: secure_ftp_client_group
FU2432 TTLSEnvironmentAction: secure_ftp_client_env
FU1834 protDataConnAttls: Issuing SIOCTTLSCTL to start handshake
FU1866 protDataConnAttls: FIPS140 not enabled
FU1907 protDataConnAttls: Using TLSv1.2 protocol
<<-----TLSv1.2
FU1924 protDataConnAttls: SSL cipher: 0035
FU2255 compareCertAttls: Request certificate, size 1581
FU2755 getSessionIdAttls: Issuing SIOCTTLSCTL to get decoded AT-TLS Session ID
226 Transfer complete.
197760 bytes transferred in 0.740 seconds. Transfer rate 267.24 Kbytes/sec.
> GET "2021042900039/PROD/GIMPAF.XML" "/u/smpe/smpnts/OSP08132/GIMPAF.XML" (REP
> ACE
>>> TYPE I
200 Type set to I.
It says that TLSv1.2 is being used!!!
I hope this helps.........
Tony
-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of
Dave Jousma
Sent: Tuesday, May 04, 2021 10:53 AM
To: [email protected]
Subject: SMPE Receive Order post May 1st
Anyone ordering maintenance post May 1st using FTPs to download? Here was the
announcement:
As of May 1, 2021, to download files from IBM's secure delivery server using
FTPS, it is necessary to enable TLS 1.2 in the z/OS Communications Server FTP
client program.
So, we've enabled ATTLS via PAGENT
TTLS Action: cAct4~TEC1_FTP_Client_Applicati
Version: 3
Status: Active
Scope: Connection
HandshakeRole: Client
CtraceClearText: Off
Trace: 2
TTLSConnectionAdvancedParms:
SecondaryMap: On
SSLv3: Off
TLSv1: Off
TLSv1.1: Off
TLSv1.2: On
TLSv1.3: On
ApplicationControlled: On
CertificateLabel: DigiCert Global Root CA
Connection try fails on handshake. Oddly, says TLSv1 from the IBM end.
EZA1701I >>> AUTH TLS
SC3362 getReply: entered
SC4549 getNextReply: entered with waitForData = TRUE
234 SSLv23/TLSv1
SC4241 getLastReply: entered
FC3101 authServerAttls: entered
SC4405 getFNDELAY: entered
SC4440 setFNDELAY: entered
FC3140 authServerAttls: Start Handshake
FC3149 authServerAttls: ioctl() failed on SIOCTTLSCTL - EDC8121I CONNECTION RESET. (errno2=0x77A9733D)
SC4440 setFNDELAY: entered
EZA2897I Authentication negotiation failed
SC4289 inSession: entered
EZA1534I *** Control connection with dispby-117.boulder.ibm.com dies.
SC4332 SETCEC code = 10
SC3610 endSession: entered (sn=27733B18)
SC2776 dataClose: entered
SC3693 endSession: recv() failed - EDC8121I CONNECTION RESET. (errno2=0x76650446)
It's entirely possible that the PAGENT policy on our end is not correct, but it's
also not out of the realm of possibility that there are problems on IBM end and
is why I am asking here if anyone else converted to TLSv1.2 as documented?
Thanks, Dave
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to
[email protected] with the message: INFO IBM-MAIN
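Added example, not part of either message and not IBM code: a small Python parser for FTP client security-debug output like the two traces above. It reports the protocol and cipher that the authServerAttls (control connection) and protDataConnAttls (data connection) lines record, keeps the "234" reply text separate since that text is identical in the working and the failing session, and captures a handshake error if one is logged. The sample traces are constructed from lines in the thread, with the wrapped error line joined.

```python
import re

# Constructed samples modelled on the successful and the failing trace above.
SAMPLE_OK = """\
>>> AUTH TLS
234 SSLv23/TLSv1
FC3140 authServerAttls: Start Handshake
FC3208 authServerAttls: Using TLSv1.2 protocol
FC3226 authServerAttls: SSL cipher: 0035
FU1834 protDataConnAttls: Issuing SIOCTTLSCTL to start handshake
FU1907 protDataConnAttls: Using TLSv1.2 protocol
FU1924 protDataConnAttls: SSL cipher: 0035
"""
SAMPLE_FAIL = """\
EZA1701I >>> AUTH TLS
234 SSLv23/TLSv1
FC3140 authServerAttls: Start Handshake
FC3149 authServerAttls: ioctl() failed on SIOCTTLSCTL - EDC8121I CONNECTION RESET. (errno2=0x77A9733D)
EZA2897I Authentication negotiation failed
"""

# Trace routine name -> which FTP connection it describes.
ROUTINES = {"authServerAttls": "control", "protDataConnAttls": "data"}
# Debug lines look like "FC3208 authServerAttls: Using TLSv1.2 protocol".
LINE = re.compile(r"^[A-Z]{2}\d{4} (\w+): (.*)$")

def summarize(trace):
    """Return the 234 reply text plus per-connection protocol, cipher and error."""
    out = {"reply_234": None}
    for raw in trace.splitlines():
        line = raw.strip()
        if line.startswith("234 "):
            out["reply_234"] = line[4:]  # reply text only; the handshake comes later
            continue
        m = LINE.match(line)
        if not m or m.group(1) not in ROUTINES:
            continue
        ch = out.setdefault(ROUTINES[m.group(1)],
                            {"protocol": None, "cipher": None, "error": None})
        msg = m.group(2)
        if (p := re.match(r"Using (\S+) protocol", msg)):
            ch["protocol"] = p.group(1)
        elif (c := re.match(r"SSL cipher: (\w+)", msg)):
            ch["cipher"] = c.group(1)  # 0035 = TLS_RSA_WITH_AES_256_CBC_SHA
        elif "failed" in msg:
            ch["error"] = msg
    return out
```

A control entry with an error and no protocol means the handshake never completed, so the trace says nothing about which TLS version would have been negotiated.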