× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. February 2020

RE: Secure FTP (FTPS) battle when moving to V7R4

Hi,
This is how it looks like in an lpar not far from here 😊
V7R4:
Sequence Cipher
number Suite
0
10 *AES_128_GCM_SHA256
20 *AES_256_GCM_SHA384
30 *CHACHA20_POLY1305_SHA256
40 *ECDHE_ECDSA_AES_128_GCM_SHA256
50 *ECDHE_ECDSA_AES_256_GCM_SHA384
60 *ECDHE_RSA_AES_128_GCM_SHA256
70 *ECDHE_RSA_AES_256_GCM_SHA384

The first three lines are new, the others are found in V7R3 as well.

V7R3:
0
10 *ECDHE_ECDSA_AES_128_GCM_SHA256
20 *ECDHE_ECDSA_AES_256_GCM_SHA384
30 *ECDHE_RSA_AES_128_GCM_SHA256
40 *ECDHE_RSA_AES_256_GCM_SHA384
50 *RSA_AES_128_GCM_SHA256
60 *RSA_AES_256_GCM_SHA384
70 *ECDHE_ECDSA_AES_128_CBC_SHA256
80 *ECDHE_ECDSA_AES_256_CBC_SHA384
90 *ECDHE_RSA_AES_128_CBC_SHA256
100 *ECDHE_RSA_AES_256_CBC_SHA384

From line 50 and below have not made it thru V7R4

TLS 1.0 and TLS 1.1 are disabled out of a V7R4-box.

Best regards

stefan.tageson@xxxxxxxx
M +46 732 369934


Sensitivity: Internal

-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Troy Hyde
Sent: den 14 februari 2020 15:01
To: midrange-l@xxxxxxxxxxxxxxxxxx
Subject: Secure FTP (FTPS) battle when moving to V7R4

Sometimes something is so far out of your wheelhouse that you are not even sure what you don’t know that you don’t know. When that’s the case but you’re the one in the building that knows the most about it, it become comic.



We have a client that upgraded their server (a whole new box.) They went from V7R1 to V7R4 and we have been unable to get a secure FTP connection (that was working before) working now.



For this process we use the command line FTP feature. FTP
RMTSYS('xxx.xxx.xxx.xxx') SECCNN(*SSL). We have setup the digital certificate manager settings so the IBM i TCP/IP FTP Client is configured as closely as possible to the way it was setup on the old box. The connection’s certificates are included in the CA Trust List and the Cipher suites seem to be correclty defined.

When we attempt to connect, we get connected and then immediately
disconnected:

Connecting to remote host 198.217.221.3 using port 21.

220-FTP 13:29:00 on 2020-02-14.

220--------------------------------------------------------------------

220-This is a restricted system and is for the express use by authorized

220-personnel only. Unauthorized attempts to defeat or circumvent

…… continues for a while

220--------------------------------------------------------------------

220 Connection will close if idle for more than 12 minutes.

AUTH TLS

234 Security environment established - ready for negotiation

Secure connection error, return code -16.



For the longest time we were then getting

Secure connection error, return code -1.

Help indicates: “Secure Sockets Layer (SSL) function SSL_Handshake returned code -1: No ciphers available or specified.”



After a lot delete and create of stores and self-signed certificates, configuring the application to use the supported suites, changing of QSSL* system values and a thousand other combinations of attempts, it appears the proper cipher suite is now being used. We are now getting code -16 instead.
16 is described as “The peer system is not recognized.”



First I’m not sure if this means that they are disconnecting us because they don’t recognize us or we are disconnecting them because we don’t trust them.



Secondly, any suggestions for where in the world we go from here?


Troy Hyde
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit: https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.midrange.com%2Fmailman%2Flistinfo%2Fmidrange-l&amp;data=02%7C01%7CStefan.Tageson%40evry.com%7Cb590ab0954a148b3086a08d7b15665c0%7C40cc2915e2834a2794716bdd7ca4c6e1%7C1%7C1%7C637172856937865187&amp;sdata=16p3%2ByqsnKaQLXb6FYuH%2FgifbiNSml603CH61FJCbMM%3D&amp;reserved=0
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Farchive.midrange.com%2Fmidrange-l&amp;data=02%7C01%7CStefan.Tageson%40evry.com%7Cb590ab0954a148b3086a08d7b15665c0%7C40cc2915e2834a2794716bdd7ca4c6e1%7C1%7C1%7C637172856937865187&amp;sdata=ZTdZGWBBjFl3ToPFKtk%2FjkOA9bgkn64az%2BqxFnwFdoM%3D&amp;reserved=0.

Please contact support@xxxxxxxxxxxx for any subscription related questions.

Help support midrange.com by shopping at amazon.com with our affiliate link: https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Famazon.midrange.com&amp;data=02%7C01%7CStefan.Tageson%40evry.com%7Cb590ab0954a148b3086a08d7b15665c0%7C40cc2915e2834a2794716bdd7ca4c6e1%7C1%7C1%7C637172856937865187&amp;sdata=LPPbF5wByViXV0BZ1U6qQMVaD%2FEGDZRl8Q5AprWJJQw%3D&amp;reserved=0

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.