× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. February 2020

Re: Secure FTP (FTPS) battle when moving to V7R4

Port 21 is normally not SSL for FTPS. Its normally 990.

See my other reply on that for the -16 return code.

I've also got lots of SSL info here:
https://www.fieldexit.com/forum/display?threadid=388

and here:
https://docs.bvstools.com/home/ssl-documentation

On Fri, Feb 14, 2020 at 11:53 AM Rob Berendt <rob@xxxxxxxxx> wrote:

You may only think you are past the cipher issue...
Check out this -16 return code situation

https://www.ibm.com/support/pages/secure-ftp-failing-after-applying-ptf-ibmi-operating-system-secure-connection-error-return-code-16-sterling-gentranserver-iseries

However here's an alternative to ciphers when dealing with the -16 error
https://archive.midrange.com/midrange-l/200805/msg00283.html

More stuff:
https://www.ibm.com/support/pages/node/639747


Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com


-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of
Troy Hyde
Sent: Friday, February 14, 2020 9:01 AM
To: midrange-l@xxxxxxxxxxxxxxxxxx
Subject: Secure FTP (FTPS) battle when moving to V7R4

CAUTION: This email originated from outside of the organization. Do not
click links or open attachments unless you recognize the sender and know
the content is safe.


Sometimes something is so far out of your wheelhouse that you are not even
sure what you don’t know that you don’t know. When that’s the case but
you’re the one in the building that knows the most about it, it become
comic.



We have a client that upgraded their server (a whole new box.) They went
from V7R1 to V7R4 and we have been unable to get a secure FTP connection
(that was working before) working now.



For this process we use the command line FTP feature. FTP
RMTSYS('xxx.xxx.xxx.xxx') SECCNN(*SSL). We have setup the digital
certificate manager settings so the IBM i TCP/IP FTP Client is configured
as closely as possible to the way it was setup on the old box. The
connection’s certificates are included in the CA Trust List and the Cipher
suites seem to be correclty defined.

When we attempt to connect, we get connected and then immediately
disconnected:

Connecting to remote host 198.217.221.3 using port 21.

220-FTP 13:29:00 on 2020-02-14.

220--------------------------------------------------------------------

220-This is a restricted system and is for the express use by authorized

220-personnel only. Unauthorized attempts to defeat or circumvent

…… continues for a while

220--------------------------------------------------------------------

220 Connection will close if idle for more than 12 minutes.

AUTH TLS

234 Security environment established - ready for negotiation

Secure connection error, return code -16.



For the longest time we were then getting

Secure connection error, return code -1.

Help indicates: “Secure Sockets Layer (SSL) function SSL_Handshake returned
code -1: No ciphers available or specified.”



After a lot delete and create of stores and self-signed certificates,
configuring the application to use the supported suites, changing of QSSL*
system values and a thousand other combinations of attempts, it appears the
proper cipher suite is now being used. We are now getting code -16 instead.
16 is described as “The peer system is not recognized.”



First I’m not sure if this means that they are disconnecting us because
they don’t recognize us or we are disconnecting them because we don’t trust
them.



Secondly, any suggestions for where in the world we go from here?


Troy Hyde
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com


As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.