Unable to connect FTP over TLS from z/OS to Ubuntu 20.04


danik56

New User


Joined: 08 Mar 2017
Posts: 52
Location: Israel

Posted: Thu Jan 13, 2022 5:11 pm

Has anyone succeeded in sending files via FTPS from z/OS to VSFTP or PROFTPD on Ubuntu 20.04? I have been trying for a couple of days to figure out how this could work, with not much success... always getting this error:

error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol

I followed the guidelines here:

www.ibm.com/docs/en/zos/2.4.0?topic=security-steps-customizing-ftp-client-tls

Linux system running on Ubuntu 20.4, z/OS is version 2.4

danik56
Posted: Sun Mar 06, 2022 9:31 pm

Anyone ?
Robert Sample

Global Moderator


Joined: 06 Jun 2008
Posts: 8697
Location: Dubuque, Iowa, USA

Posted: Mon Mar 07, 2022 2:14 am

Quote:
Anyone ?
Prompting for replies is not typically a good strategy on a forum. Responses are voluntary and depend upon people having the time, interest, and knowledge to respond. It is normal for responses to take hours ... days ... weeks ... months and asking over and over for replies will usually cause the people who could respond to decide your post isn't worth it.

The "unsupported protocol" led me to Google "14209102" where I found that the server is most likely requiring a higher level of TLS than the client can provide. You probably will need to either change the configuration or upgrade the software on your client before you will be able to connect.

danik56
Posted: Mon Mar 07, 2022 11:16 am

When debug is turned on (on server side) the following additional info is provided:


2022-03-06 18:26:20,729 mod_tls/2.7[2243229]: [info] accepting: before SSL initialization
2022-03-06 18:26:20,731 mod_tls/2.7[2243229]: [msg] received protocol record message (5 bytes)
2022-03-06 18:26:20,732 mod_tls/2.7[2243229]: [info] accepting: before SSL initialization
2022-03-06 18:26:20,732 mod_tls/2.7[2243229]: [msg] received TLSv1.3 'ClientHello' Handshake message (47 bytes)
2022-03-06 18:26:20,732 mod_tls/2.7[2243229]: [msg]
ClientHello:
  client_version = TLS 1.0
  random:
    gmt_unix_time = Sun Mar 06 16:26:48 2022 (not guaranteed to be accurate)
    random_bytes (28 bytes)
      06eb9dcb92a30e6ad9610da9fadec5314418514fe61d1e0125e0c77b
  session_id (0 bytes)
  cipher_suites (4 bytes)
    TLS_EMPTY_RENEGOTIATION_INFO_SCSV
    SSL_RSA_WITH_RC4_128_SHA
  compression_methods (1 byte)
    None
  extensions: None

2022-03-06 18:26:20,732 mod_tls/2.7[2243229]: [msg] sent protocol record message (5 bytes)
2022-03-06 18:26:20,732 mod_tls/2.7[2243229]: [info] writing: SSL/TLS alert fatal: protocol version
2022-03-06 18:26:20,732 mod_tls/2.7[2243229]: [info] accepting: error
2022-03-06 18:26:20,732 mod_tls/2.7[2243229]: unable to accept TLS connection: protocol error:
  (1) error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol


So it appears the client is saying the protocol is TLS 1.3 and the server is only supporting TLS 1.2.

Is there a way to force the z/OS FTP client to use TLS 1.2?
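Added example, not part of the original post: a small Python parser for the mod_tls ClientHello dump above. It reads the client_version, cipher_suites and extensions fields of the dump and compares them with an assumed server floor of TLS 1.2; the function names and the min_version parameter are assumptions of this example.

```python
# Excerpt of the mod_tls debug log posted above (blank lines dropped).
SAMPLE_LOG = """\
mod_tls/2.7[2243229]: [msg] received TLSv1.3 'ClientHello' Handshake message (47 bytes)
ClientHello:
client_version = TLS 1.0
cipher_suites (4 bytes)
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
SSL_RSA_WITH_RC4_128_SHA
compression_methods (1 byte)
None
extensions: None
mod_tls/2.7[2243229]: [info] writing: SSL/TLS alert fatal: protocol version
"""

VERSIONS = ["SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2", "TLS 1.3"]
WEAK = ("RC4", "NULL", "EXPORT", "_DES_", "MD5")  # substrings of weak suite names

def parse_client_hello(log_text):
    hello = {"client_version": None, "cipher_suites": [], "extensions": None, "alert": None}
    in_suites = False
    for line in (l.strip() for l in log_text.splitlines()):
        if line.startswith("client_version ="):
            hello["client_version"] = line.split("=", 1)[1].strip()
        elif line.startswith("cipher_suites"):
            in_suites = True
        elif line.startswith("compression_methods"):
            in_suites = False
        elif line.startswith("extensions:"):
            hello["extensions"] = line.split(":", 1)[1].strip()
        elif "alert fatal:" in line:
            hello["alert"] = line.split("alert fatal:", 1)[1].strip()
        elif in_suites and line:
            hello["cipher_suites"].append(line)
    return hello

def diagnose(hello, min_version="TLS 1.2"):  # min_version: assumed server floor
    findings = []
    offered = hello["client_version"]
    # With no extensions there is no supported_versions list, so
    # client_version is the highest protocol version the client offers.
    if (hello["extensions"] == "None" and offered in VERSIONS
            and VERSIONS.index(offered) < VERSIONS.index(min_version)):
        findings.append(f"client offers at most {offered}, below floor {min_version}")
    real = [s for s in hello["cipher_suites"] if not s.endswith("_SCSV")]
    if real and all(any(w in s for w in WEAK) for s in real):
        findings.append("only weak cipher suites offered: " + ", ".join(real))
    if hello["alert"]:
        findings.append("server alert: " + hello["alert"])
    return findings
```

Calling diagnose(parse_client_hello(SAMPLE_LOG)) returns one finding each for the protocol version, the cipher suites and the server's alert.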

danik56
Posted: Mon Mar 07, 2022 2:04 pm

I have enabled TLS V1.3 on the server side. Still the same error.

danik56
Posted: Fri Mar 11, 2022 3:39 pm

I have the following JCL, where I tried to generate a GSK trace to see the SSL handshake flow:


//S1 EXEC PGM=BPXBATCH,REGION=8M,
// PARM='sh ftp -d kalda01.ddns.net 2821 -f /u/smpe/z2ftp2.data'
//*
//STEPLIB DD DSN=CEE.SCEERUN,DISP=SHR
//STDERR DD PATH='/u/smpe/mystd1.err',
// PATHOPTS=(OWRONLY,OCREAT,OTRUNC),PATHMODE=SIRWXU
//STDOUT DD PATH='/u/smpe/mystd1.out',
// PATHOPTS=(OWRONLY,OCREAT,OTRUNC),PATHMODE=SIRWXU
//STDIN DD PATH='/u/smpe/ftp.sh',PATHOPTS=(ORDONLY)
//*
//STDENV DD *
GSK_TRACE=0xFFFF
GSK_TRACE_FILE=/u/smpe/gskfile.trc
GSK_PROTOCOL_TLSV1_2=ON
//


I am not getting any trace output in "/u/smpe/gskfile.trc".

Can you tell me what I need to do in order to produce the SSL trace?
All times are GMT + 6 Hours