danik56
New User
Joined: 08 Mar 2017 Posts: 52 Location: Israel
Has anyone succeeded in sending files via FTPS from z/OS to VSFTP or PROFTPD on Ubuntu 20.04? I have been trying for a couple of days to figure out how this could work with not much success... always getting this error:
error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
I followed the guidelines here:
www.ibm.com/docs/en/zos/2.4.0?topic=security-steps-customizing-ftp-client-tls
Linux system running on Ubuntu 20.4, z/OS is version 2.4
|
danik56
New User
Joined: 08 Mar 2017 Posts: 52 Location: Israel
Anyone?
|
Robert Sample
Global Moderator
Joined: 06 Jun 2008 Posts: 8697 Location: Dubuque, Iowa, USA
Prompting for replies is not typically a good strategy on a forum. Responses are voluntary and depend upon people having the time, interest, and knowledge to respond. It is normal for responses to take hours ... days ... weeks ... months and asking over and over for replies will usually cause the people who could respond to decide your post isn't worth it.
The "unsupported protocol" led me to Google "14209102" where I found that the server is most likely requiring a higher level of TLS than the client can provide. You probably will need to either change the configuration or upgrade the software on your client before you will be able to connect.
|
danik56
New User
Joined: 08 Mar 2017 Posts: 52 Location: Israel
When debug is turned on (on server side) the following additional info is provided:
2022-03-06 18:26:20,729 mod_tls/2.7[2243229]: [info] accepting: before SSL initialization
2022-03-06 18:26:20,731 mod_tls/2.7[2243229]: [msg] received protocol record message (5 bytes)
2022-03-06 18:26:20,732 mod_tls/2.7[2243229]: [info] accepting: before SSL initialization
2022-03-06 18:26:20,732 mod_tls/2.7[2243229]: [msg] received TLSv1.3 'ClientHello' Handshake message (47 bytes)
2022-03-06 18:26:20,732 mod_tls/2.7[2243229]: [msg]
ClientHello:
client_version = TLS 1.0
random:
gmt_unix_time = Sun Mar 06 16:26:48 2022 (not guaranteed to be accurate)
random_bytes (28 bytes)
06eb9dcb92a30e6ad9610da9fadec5314418514fe61d1e0125e0c77b
session_id (0 bytes)
cipher_suites (4 bytes)
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
SSL_RSA_WITH_RC4_128_SHA
compression_methods (1 byte)
None
extensions: None
2022-03-06 18:26:20,732 mod_tls/2.7[2243229]: [msg] sent protocol record message (5 bytes)
2022-03-06 18:26:20,732 mod_tls/2.7[2243229]: [info] writing: SSL/TLS alert fatal: protocol version
2022-03-06 18:26:20,732 mod_tls/2.7[2243229]: [info] accepting: error
2022-03-06 18:26:20,732 mod_tls/2.7[2243229]: unable to accept TLS connection: protocol error:
(1) error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
So it appears the client is saying the protocol is TLS 1.3 and the server is only supporting TLS 1.2.
Is there a way to force the z/OS FTP client to use TLS 1.2?
|
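Added example (not part of the original posts, and not ProFTPD or IBM code): a short Python check that reads the ClientHello fields from the mod_tls debug dump above and reports the highest protocol version and the cipher suites the client offered. The `server_min` default of TLS 1.2 and the layout of a non-empty `extensions` section are assumptions.

```python
import re

# ClientHello fields copied from the mod_tls debug log in the post above
# (the random field is omitted; it plays no part in version negotiation).
DUMP = """\
ClientHello:
client_version = TLS 1.0
session_id (0 bytes)
cipher_suites (4 bytes)
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
SSL_RSA_WITH_RC4_128_SHA
compression_methods (1 byte)
None
extensions: None
"""

VERSIONS = ["SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2", "TLS 1.3"]
WEAK = re.compile(r"RC4|DES|NULL|EXPORT|MD5")
FIELD = re.compile(r"^\w+( \(\d+ bytes?\)|:| =)")  # a line that names a field

def parse_client_hello(dump):
    hello = {"client_version": None, "cipher_suites": [], "extensions": []}
    section = None
    for line in filter(None, (l.strip() for l in dump.splitlines())):
        if FIELD.match(line):
            section = line.split()[0].rstrip(":")
            if " = " in line and section in hello:
                hello[section] = line.split(" = ", 1)[1]
        elif section in ("cipher_suites", "extensions") and line != "None":
            hello[section].append(line)
    return hello

def diagnose(hello, server_min="TLS 1.2"):
    """Return (client_max, findings). server_min is an assumed server policy."""
    # With no supported_versions extension, client_version is the highest
    # protocol version the client is willing to negotiate.
    if any("supported_versions" in e for e in hello["extensions"]):
        return None, ["supported_versions present: read the version list there"]
    client_max, findings = hello["client_version"], []
    if VERSIONS.index(client_max) < VERSIONS.index(server_min):
        findings.append(f"client offers at most {client_max}; server minimum is {server_min}")
    # *_SCSV entries are signalling values, not ciphers.
    real = [s for s in hello["cipher_suites"] if not s.endswith("_SCSV")]
    weak = [s for s in real if WEAK.search(s)]
    if real and weak == real:
        findings.append("only weak cipher suites offered: " + ", ".join(weak))
    return client_max, findings

if __name__ == "__main__":
    client_max, findings = diagnose(parse_client_hello(DUMP))
    print("highest version offered:", client_max, *findings, sep="\n- ")
```

Run against the dump from this thread, it reports TLS 1.0 as the highest version offered and SSL_RSA_WITH_RC4_128_SHA as the only real cipher suite.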
danik56
New User
Joined: 08 Mar 2017 Posts: 52 Location: Israel
I have enabled TLS V1.3 on the server side. Still the same error.
|
danik56
New User
Joined: 08 Mar 2017 Posts: 52 Location: Israel
I have the following JCL where I tried to generate a GSK trace to see the SSL handshaking flow:
//S1 EXEC PGM=BPXBATCH,REGION=8M,
// PARM='sh ftp -d kalda01.ddns.net 2821 -f /u/smpe/z2ftp2.data'
//*
//STEPLIB DD DSN=CEE.SCEERUN,DISP=SHR
//STDERR DD PATH='/u/smpe/mystd1.err',
// PATHOPTS=(OWRONLY,OCREAT,OTRUNC),PATHMODE=SIRWXU
//STDOUT DD PATH='/u/smpe/mystd1.out',
// PATHOPTS=(OWRONLY,OCREAT,OTRUNC),PATHMODE=SIRWXU
//STDIN DD PATH='/u/smpe/ftp.sh',PATHOPTS=(ORDONLY)
//*
//STDENV DD *
GSK_TRACE=0xFFFF
GSK_TRACE_FILE=/u/smpe/gskfile.trc
GSK_PROTOCOL_TLSV1_2=ON
//
I am not getting any trace output in "/u/smpe/gskfile.trc".
Can you tell me what I need to do in order to produce the SSL trace?