While I agree with your recommendations, the FTPS job does not work
without the ciphers I listed below. Apparently IBM needs to make some
adjustments first.
-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of
Michael Babcock
Sent: Wednesday, May 05, 2021 2:58 PM
To: [email protected]
Subject: Re: SMPE Receive Order post May 1st
I would highly discourage the use of the ciphers listed. I would use these
more secure ciphers (I'm sure there are others that are acceptable).
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
On 5/5/2021 12:58 PM, Cieri, Anthony wrote:
> Dave,
> Here you go:
>
> ##################################################################
> #                                                                #
> #                    Secure FTP Application                      #
> #                                                                #
> ##################################################################
>
>
> TTLSRule secure_ftp_client_rule
> {
>   RemotePortRange 21                  # This should be set to the port the FTP
>                                       # server is listening on
>   Direction Outbound
>   TTLSGroupActionRef secure_ftp_client_group
>   TTLSEnvironmentActionRef secure_ftp_client_env
> }
>
>
> TTLSGroupAction secure_ftp_client_group
> {
>   TTLSEnabled On
>   Trace 7
> }
>
>
> TTLSEnvironmentAction secure_ftp_client_env
> {
>   TTLSKeyringParms
>   {
>     Keyring /u/ftps/zos17dbf.kdb
>     KeyringStashFile /u/ftps/zos17dbf.sth
>   }
>   HandshakeRole Client
>   TTLSEnvironmentAdvancedParms
>   {
>     ApplicationControlled On
>     SecondaryMap On
>     SSLV3 Off
>     TLSV1 Off
>     TLSV1.1 Off
>     TLSV1.2 On
>   }
>   TTLSCipherParmsRef ftp_client_ciphers   # to customize ciphers
> }
>
>
> TTLSCipherParms ftp_client_ciphers
> {
>   # Sample ciphers. Should be customized!
>   V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
>   V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
>   V3CipherSuites TLS_RSA_WITH_NULL_SHA
> }
>
>
> -----Original Message-----
> From: IBM Mainframe Discussion List <[email protected]> On
> Behalf Of Dave Jousma
> Sent: Wednesday, May 05, 2021 1:13 PM
> To: [email protected]
> Subject: Re: SMPE Receive Order post May 1st
>
>
>
>> Well, for what it's worth, I just tried it and my job was
>> successful, however, I also received the SSLv23/TLSv1 messages. So I
>> used the standard job that IBM provided (RFNJOBS) and I turned on Debug SEC.
>> Here is what I got
> (snip)
>
> Hey Tony, Thanks for this. For some reason we are still struggling.
> Would you be willing to share what your pagent policy for these items:
>
> FU2420 TTLSRule: secure_ftp_client_rule
> FU2426 TTLSGroupAction: secure_ftp_client_group
> FU2432 TTLSEnvironmentAction: secure_ftp_client_env
>
> looks like? I don't think there is anything sensitive, and if you'd rather,
> you can send it to me off-list ([email protected])
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions, send
> email to [email protected] with the message: INFO IBM-MAIN
>
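The posted policy lists a NULL cipher, a 3DES suite and static-RSA key exchange, which is why the reply recommends ECDHE/DHE suites instead. Below is an added example (not code from the thread or from IBM) of a small lint that parses the TTLSCipherParms blocks of a pagent policy file in the syntax shown above and reports why each V3CipherSuites entry is weak. The block names, the sample policy text and the classification rules are constructed here for illustration; the recommended list is the one given in the reply.

```python
import re

# Constructed sample: same shape as the TTLSCipherParms block quoted in the thread.
SAMPLE_POLICY = """\
TTLSCipherParms ftp_client_ciphers
{
  # Sample ciphers. Should be customized!
  V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
  V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
  V3CipherSuites TLS_RSA_WITH_NULL_SHA
}
"""

# Suites recommended in the reply (forward-secret key exchange, AES-256).
RECOMMENDED = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
}


def parse_cipher_parms(text):
    """Return {block_name: [suite, ...]} for every TTLSCipherParms block.

    Only the statement forms visible in the thread are handled: a
    'TTLSCipherParms <name>' header, braces on their own lines, '#' comments,
    and 'V3CipherSuites <suite>' entries. TTLSCipherParmsRef lines do not
    match because the regex requires whitespace right after 'TTLSCipherParms'.
    """
    blocks = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        m = re.match(r"TTLSCipherParms\s+(\S+)$", line)
        if m:
            current = m.group(1)
            blocks[current] = []
            continue
        if line == "}":
            current = None
            continue
        if current is not None and line.startswith("V3CipherSuites"):
            parts = line.split()
            if len(parts) >= 2:
                blocks[current].append(parts[1])
    return blocks


def assess_cipher(name):
    """Return a list of weaknesses for one IANA-style suite name (empty = acceptable).

    Classification rules are this example's own, chosen to match the concerns
    raised in the thread; they are not an IBM or NIST list.
    """
    issues = []
    if "_NULL_" in name:
        issues.append("NULL cipher: traffic is not encrypted")
    if any(tag in name for tag in ("3DES", "_DES_", "RC4", "EXPORT")):
        issues.append("legacy bulk cipher")
    if name.startswith("TLS_RSA_WITH_"):
        issues.append("static RSA key exchange: no forward secrecy")
    if name.endswith("_SHA"):
        issues.append("HMAC-SHA1 integrity")
    return issues


def audit_policy(text):
    """Return {block_name: {suite: [issues]}} for all parsed blocks."""
    return {
        block: {suite: assess_cipher(suite) for suite in suites}
        for block, suites in parse_cipher_parms(text).items()
    }


def weak_suites(text):
    """Sorted list of suites in the policy that have at least one issue."""
    return sorted(
        suite
        for findings in audit_policy(text).values()
        for suite, issues in findings.items()
        if issues
    )


if __name__ == "__main__":
    for block, findings in audit_policy(SAMPLE_POLICY).items():
        print(f"TTLSCipherParms {block}")
        for suite, issues in findings.items():
            status = "; ".join(issues) if issues else "ok"
            print(f"  {suite}: {status}")
    print("recommended suites pass:",
          all(not assess_cipher(s) for s in RECOMMENDED))
```

Run it against a real pagent policy by reading the file into `audit_policy`; every suite in the sample block is flagged, while the six recommended suites produce no findings. Pairing a lint like this with the `Trace 7` output from the TTLSGroupAction gives a quick way to confirm that a handshake failure is a policy mismatch rather than a keyring problem.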