My testing (and reading of ambiguous documentation) leads me to believe that FTP on z/OS, without the use of AT-TLS, supports TLS v1.0 but not v1.2.
This was verified by the fact that I can connect (as a z/OS client) to a v1.0 configured server, but when v1.0 is eliminated (leaving only v1.2 supported on the server) the server intentionally drops the connection when the TLS negotiation is attempted. The server log in this case says "Unable to establish SSL connection (unknown protocol)". Ideally it would say the client and server don't both support a common TLS level, but this appears to be what is occurring.

________________________________
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of Gibney, Dave <gib...@wsu.edu>
Sent: Monday, April 10, 2017 8:03 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: FTP TLS options

I am at z/OS 2.1 and have
EXTENSIONS AUTH_TLS
TLSRFCLEVEL RFC4217
And some level of TLS is working

> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
> On Behalf Of Rob Schramm
> Sent: Monday, April 10, 2017 6:18 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: FTP TLS options
>
> Yes. But policy agent is not actually that hard...But on zOS GT 1.13 you need
> zOSMF as well.
>
> Rob Schramm
>
> On Mon, Apr 10, 2017, 7:05 PM Frank Swarbrick
> <frank.swarbr...@outlook.com>
> wrote:
>
> > I'm guessing there's a bit more to it than that, yes? Such as
> > actually configuring Policy Agent?
> >
> > ________________________________
> > From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on
> > behalf of Tom Conley <pinnc...@rochester.rr.com>
> > Sent: Monday, April 10, 2017 3:46 PM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Re: FTP TLS options
> >
> > On 4/10/2017 3:15 PM, Frank Swarbrick wrote:
> > > Hi Mike.
> > >
> > > I assume you mean:
> > > TLSMECHANISM ATTLS
> > > where the default (which we use) is
> > > TLSMECHANISM FTP
> > >
> > > Unfortunately we don't currently have AT-TLS set up. When I try to
> > > use it I get the following:
> > > AT-TLS not enabled on TCPCONFIG
> > >
> > > Does z/OS FTP not support TLS v1.2 when TLSMECHANISM=FTP?
> > >
> > >
> > > I am not a sysprog so I can't speak to the question about IBM's
> > > security vulnerability warnings.
> > >
> > > Frank
> >
> > Thou needst TCPCONFIG TTLS in thy PROFILE member, varlet.
> >
> > Yours,
> > Thomas de Conley
> >
> > ----------------------------------------------------------------------
> > For IBM-MAIN subscribe / signoff / archive access instructions, send
> > email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
> --
>
> Rob Schramm