I did some testing on our sandbox (I commented out all ciphers except the one I was interested in and refreshed policy agent) and here’s what I found.
According to https://www.ibm.com/support/pages/node/6417233, the cipher suites that will be enabled for AT-TLS for using FTPS are:

· TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
· TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
· TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
· TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
· TLS_RSA_WITH_AES_128_CBC_SHA
· TLS_RSA_WITH_AES_256_CBC_SHA

The ECDHE ciphers were rejected but the TLS_RSA_WITH_AES_256_CBC_SHA did work (I didn't try the TLS_RSA_WITH_AES_128_CBC_SHA cipher). What gives, IBM?

On Sun, May 9, 2021 at 1:01 PM Cieri, Anthony <[email protected]> wrote:
>
> While I agree with your recommendations, the FTPS job does not work without the ciphers I listed below. Apparently IBM needs to make some adjustments first.
>
> -----Original Message-----
> From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Michael Babcock
> Sent: Wednesday, May 05, 2021 2:58 PM
> To: [email protected]
> Subject: Re: SMPE Receive Order post May 1st
>
> [[ SEI WARNING *** This email was sent from an external source. Do not open attachments or click on links from unknown or suspicious senders. *** ]]
>
> I would highly discourage the use of the ciphers listed. I would use these more secure ciphers (I'm sure there are others that are acceptable).
>
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
>
> On 5/5/2021 12:58 PM, Cieri, Anthony wrote:
> > Dave,
> > Here you go:
> >
> > ##################################################################
> > #                                                                #
> > #                    Secure FTP Application                      #
> > #                                                                #
> > ##################################################################
> >
> > TTLSRule secure_ftp_client_rule
> > {
> >   RemotePortRange 21              # This should be set to the port the FTP
> >                                   # listening on
> >   Direction Outbound
> >   TTLSGroupActionRef secure_ftp_client_group
> >   TTLSEnvironmentActionRef secure_ftp_client_env
> > }
> >
> > TTLSGroupAction secure_ftp_client_group
> > {
> >   TTLSEnabled On
> >   Trace 7
> > }
> >
> > TTLSEnvironmentAction secure_ftp_client_env
> > {
> >   TTLSKeyringParms
> >   {
> >     Keyring /u/ftps/zos17dbf.kdb
> >     KeyringStashFile /u/ftps/zos17dbf.sth
> >   }
> >   HandshakeRole Client
> >   TTLSEnvironmentAdvancedParms
> >   {
> >     ApplicationControlled On
> >     SecondaryMap On
> >     SSLV3 Off
> >     TLSV1 Off
> >     TLSV1.1 Off
> >     TLSV1.2 On
> >   }
> >   TTLSCipherParmsRef ftp_client_ciphers # to cust ciphers
> > }
> >
> > TTLSCipherParms ftp_client_ciphers
> > {
> >   # Sample ciphers. Should be customized!
> >   V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
> >   V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
> >   V3CipherSuites TLS_RSA_WITH_NULL_SHA
> > }
> >
> > -----Original Message-----
> > From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Dave Jousma
> > Sent: Wednesday, May 05, 2021 1:13 PM
> > To: [email protected]
> > Subject: Re: SMPE Receive Order post May 1st
> >
> > [[ SEI WARNING *** This email was sent from an external source. Do not open attachments or click on links from unknown or suspicious senders. *** ]]
> >
> >> Well, for what it's worth, I just tried it and my job was successful, however, I also received the SSLv23/TLSv1 messages. So I used the standard job that IBM provided (RFNJOBS) and I turned on Debug SEC.
> >> Here is what I got
> > (snip)
> >
> > Hey Tony, Thanks for this. For some reason we are still struggling. Would you be willing to share what your pagent policy for these items:
> >
> > FU2420 TTLSRule: secure_ftp_client_rule
> > FU2426 TTLSGroupAction: secure_ftp_client_group
> > FU2432 TTLSEnvironmentAction: secure_ftp_client_env
> >
> > looks like? I don't think there is anything sensitive, and if you'd rather, you can send to me off-list ([email protected])
> >
> > ----------------------------------------------------------------------
> > For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN

--
Michael Babcock
OneMain Financial
z/OS Systems Programmer, Lead
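As an added example (not code from any poster in this thread), a small Python linter for the V3CipherSuites values and protocol switches in an AT-TLS policy fragment, checked against the FTPS cipher list from the IBM page cited above. The embedded sample policy is a constructed copy of the one shared in the thread; the allow-list is IBM's published list, which, as the thread shows, is not necessarily what a given server actually negotiates.

```python
# Suites IBM's page (cited in the thread) lists as enabled for AT-TLS with FTPS.
FTPS_ALLOWED = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
}
# Protocol switches a TTLSEnvironmentAdvancedParms block should carry.
PROTOCOL_EXPECTED = {"SSLV3": "Off", "TLSV1": "Off", "TLSV1.1": "Off", "TLSV1.2": "On"}

# Constructed sample: the advanced-parms and cipher-parms parts of the policy posted in the thread.
SAMPLE_POLICY = """
TTLSEnvironmentAdvancedParms
{
  SSLV3   Off
  TLSV1   Off
  TLSV1.1 Off
  TLSV1.2 On
}
TTLSCipherParms ftp_client_ciphers
{
  V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
  V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
  V3CipherSuites TLS_RSA_WITH_NULL_SHA
}
"""

def lint_attls(policy: str) -> list[str]:
    """Return findings: weak V3CipherSuites values, suites outside IBM's FTPS list,
    and protocol switches that are missing or not set as expected."""
    findings, protocols = [], {}
    for raw in policy.splitlines():
        # Strip '#' comments (e.g. '# to cust ciphers'), then take keyword and first value.
        parts = raw.split("#", 1)[0].split()
        key, value = (parts + ["", ""])[:2]
        if key == "V3CipherSuites":
            if "_NULL_" in value:
                findings.append(f"{value}: NULL cipher, no confidentiality")
            if "3DES" in value:
                findings.append(f"{value}: 3DES, 64-bit block cipher, deprecated")
            if not value.startswith(("TLS_ECDHE_", "TLS_DHE_")):
                findings.append(f"{value}: static RSA key exchange, no forward secrecy")
            if value not in FTPS_ALLOWED:
                findings.append(f"{value}: not in IBM's enabled-for-FTPS list")
        elif key in PROTOCOL_EXPECTED:
            protocols[key] = value
    for proto, want in PROTOCOL_EXPECTED.items():
        if protocols.get(proto) != want:
            findings.append(f"{proto}: expected {want}, found {protocols.get(proto, 'unset')}")
    return findings
```

Run `lint_attls(SAMPLE_POLICY)` to see the sample policy flagged seven times: once for the static-RSA AES suite and three times each for the 3DES and NULL suites, with the protocol switches passing.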
