Re: FTPS with SSL/TLS and Clear Command Channel

Fri, 13 Jun 2008 02:31:29 -0700 

Fred Schmidt wrote:

Gidday,

<NB: cross-posted to IBM-VM listserver>

We're looking to implement FTPS with certificates and SSL/TLS. We've tried
z/OS but it would appear that the server refuses to process Clear Command
Channel commands. So now we're looking for alternatives such as under z/VM
or z/Linux.

It seems that many FTPS servers under Linux are RFC 4217 compliant.

RFC 4217 (at http://tools.ietf.org/html/rfc4217#page-25) states...

15.3.  Issues with the CCC Command


   Using the CCC command can create security issues.  For a full
   description, see the "CLEAR COMMAND CHANNEL (CCC)" section of
   [RFC-2228].  Clients should not assume that a server will allow the
   CCC command to be processed.

   Server implementations may wish to refuse to process the CCC command
   on a session that has not passed through some form of client
   authentication (e.g., TLS client auth or FTP USER/PASS).  This can
   prevent anonymous clients from repeatedly requesting AUTH TLS
   followed by CCC to tie up resources on the server.

Can anyone advise whether there are packages available for z/Linux that
will allow CCC to be used, eg vsftpd?  We are SUSE SLES 10.1, if that
matters.


First, the general answer:
I would fully expect any program that is compiled from source and runs
on Linux will run on your mainframe under Linux, subject to the usual
caveats regarding assembly-language code, the requisite resources and
timing.

You must have suitable compilers[1], you won't have any luck with USB
devices (unless there's something I've missed), and timing loops are
unlikely to succeed.

[1] or someone has and has compiled the program for you.

Given that, I'm not sure why you're asking. Some here do do ftps, some
do sftp (which comes with ssh) and some use scp (which also comes with ssh).

As to vsftp and vsftp ftps, a simple google search turned up 36o hits.
Some look, at first glance, like they answer your questions.

("vsftpd ftps " turns up more than 360).



--

Cheers
John

-- spambait
[EMAIL PROTECTED]  [EMAIL PROTECTED]
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390

Reply via email to