Hi Folks,
 
We have successfully tested and implemented SSL/TLS for FTP in both
explicit (AUTH TLS) and implicit modes, works great.
 
I'm presently testing encryption for the TN3270 (i.e. INTCLIEN) server
and have a couple of questions.
 
With FTP in IMPLICIT mode the connection is secured by using the SECURE
parm on the PORT.  The client connects and immediately negotiates a
secure connection.
 
With FTP in EXPLICIT mode the connection is secured by use of the
TLSLABEL, SECURECONTROL and SECUREDATA statements in the SRVRFTP CONFIG
file.  The PORT does NOT have the SECURE parm.  The client connects and
negotiates the secure connection using AUTH TLS.
 
Does TN3270 support explicit/implicit SSL/TLS the same way?  For
example, if I set up an explicit connection by using the TLSLABEL and
SECURECONNECTION ALLOWED statements in the INTERNALCLIENTPARMS will the
TN3270 client "negotiate" SSL much the same way FTP does with AUTH TLS?
When configuring for explicit do I also need to use the SECURE parm on
the PORT?
 
I'm asking this because what I'm seeing in my tests has me a bit
confused.  
 
Config 1:
 
TLSLABEL and SECURECONNECTION ALLOWED in INTERNALCLIENTPARMS.  PORT does
not have SECURE parm.  In this configuration we see the "Secure
connections are ALLOWED" and "TLSLABEL is...." messages in the TCPIP
startup log, but SSL-enabled clients cannot connect.  Non-SSL clients can
connect OK.
 
Config 2:
 
Same as above but add SECURE to PORT statement.  Now SSL-enabled clients
can connect and they are secure connections.  TN3270 clients that do not
support SSL fail to connect.  
 
 
 
I think my certs are OK or Config 2 wouldn't work.
 
PS:  Is it appropriate to refer to these configurations as "explicit
SSL" for Config 1 and "implicit SSL" for Config 2 or are those terms
only used in reference to FTP connections?
 
-Mike
 
 
 
