I would highly discourage the use of the ciphers listed. I would use
these more secure ciphers (I'm sure there are others that are acceptable).
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
On 5/5/2021 12:58 PM, Cieri, Anthony wrote:
Dave,
Here you go:
##################################################################
#                                                                #
#                   Secure FTP Application                       #
#                                                                #
##################################################################
TTLSRule secure_ftp_client_rule
{
  RemotePortRange 21            # This should be set to the port the FTP
                                # listening on
  Direction Outbound
  TTLSGroupActionRef secure_ftp_client_group
  TTLSEnvironmentActionRef secure_ftp_client_env
}
TTLSGroupAction secure_ftp_client_group
{
  TTLSEnabled On
  Trace 7
}
TTLSEnvironmentAction secure_ftp_client_env
{
  TTLSKeyringParms
  {
    Keyring /u/ftps/zos17dbf.kdb
    KeyringStashFile /u/ftps/zos17dbf.sth
  }
  HandshakeRole Client
  TTLSEnvironmentAdvancedParms
  {
    ApplicationControlled On
    SecondaryMap On
    SSLV3 Off
    TLSV1 Off
    TLSV1.1 Off
    TLSV1.2 On
  }
  TTLSCipherParmsRef ftp_client_ciphers   # to cust ciphers
}
TTLSCipherParms ftp_client_ciphers
{
  # Sample ciphers. Should be customized!
  V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
  V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
  V3CipherSuites TLS_RSA_WITH_NULL_SHA
}
-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of
Dave Jousma
Sent: Wednesday, May 05, 2021 1:13 PM
To: [email protected]
Subject: Re: SMPE Receive Order post May 1st
Well, for what it's worth, I just tried it and my job was successful,
however, I also received the SSLv23/TLSv1 messages. So I used the
standard job that IBM provided (RFNJOBS) and I turned on Debug SEC.
Here is what I got
(snip)
Hey Tony, Thanks for this. For some reason we are still struggling. Would
you be willing to share what your pagent policy for these items:
FU2420 TTLSRule: secure_ftp_client_rule
FU2426 TTLSGroupAction: secure_ftp_client_group
FU2432 TTLSEnvironmentAction: secure_ftp_client_env
looks like? I don't think there is anything sensitive, and if you'd rather,
you can send to me off-list ([email protected])
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to
[email protected] with the message: INFO IBM-MAIN
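
The cipher concern raised in the first reply of this thread, as an added example (not code from any poster in the thread or from IBM): a small Python check that reads TTLSCipherParms blocks from a Policy Agent file and flags the listed suites by name. It assumes suites are given by name, as in the posted policy; the function names and the three name-based checks are this example's own.

```python
# Constructed sample: the TTLSCipherParms block as posted in the thread.
POLICY = """\
TTLSCipherParms ftp_client_ciphers
{
# Sample ciphers. Should be customized!
V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
V3CipherSuites TLS_RSA_WITH_NULL_SHA
}
"""

def cipher_suites(policy):
    """Map each TTLSCipherParms block name to the suite names it lists."""
    blocks, current = {}, None
    for raw in policy.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not words:
            continue
        keyword = words[0].lower()
        if keyword == "ttlscipherparms" and len(words) > 1:
            current = blocks.setdefault(words[1], [])
        elif keyword == "}":
            current = None
        elif current is not None and keyword.startswith("v3ciphersuites"):
            current.extend(words[1:])
    return blocks

def findings(suite):
    """Name-based checks on TLS_<key exchange>_WITH_<cipher>_<hash>."""
    kx, _, rest = suite.partition("_WITH_")
    notes = []
    if "NULL" in rest:
        notes.append("no encryption")
    if "DES" in rest or "RC4" in rest:
        notes.append("legacy cipher")
    if "DHE" not in kx:  # neither DHE nor ECDHE: static key exchange
        notes.append("no forward secrecy")
    return notes

def audit(policy):
    """Return {block: {suite: [notes]}} for every suite with a finding."""
    return {block: {s: findings(s) for s in suites if findings(s)}
            for block, suites in cipher_suites(policy).items()}

if __name__ == "__main__":
    for block, flagged in audit(POLICY).items():
        for suite, notes in flagged.items():
            print(f"{block}: {suite}: {', '.join(notes)}")
```

All three suites in the posted sample block are flagged; the six suites suggested in the first reply produce no findings under these checks.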