Boy wouldn't I love to move to sftp but the vendor doesn't support it.
I apologize in advance for the verbosity of this message.
I've gone back and asked our contact to confirm setup with the vendor.
The information I've been dealing with and have been posting here is
inaccurate at best.
Here's what I'm now told:
1. The connection must be an Explicit Passive Mode FTP-S connection with TLS v1.2. Connect to TCP 21. (This is in opposition to the insistence that it was implicit.)
2. Supported ciphers on their side:
0x003D - TLS_RSA_WITH_AES_256_CBC_SHA256
0x0035 - TLS_RSA_WITH_AES_256_CBC_SHA
3. Signing Algorithm: sha256RSA
Key Usage: HANDSHAKE, DATAENCRYPT
Key Type: RSA
Key Size: 2048
With the changes I've implemented as described below, I'm getting a -97
message. The server side has been able to provide this trace:
Trace begin
21 -> 5251 <0.001 756 Rsp: 220-This is a restricted system and is for the express use by...
21 <- 5251 0.127 86 Req: AUTH TLS
21 -> 5251 <0.001 114 Rsp: 234 Security environment established - ready for negotiation
21 <- 5251 0.071 141 TLS1.2: HSHK( CLIENT_HELLO )
21 -> 5251 <0.001 52 Ack Psh Win=65533 Seq=2177834785 Ack=4113049937 TimeStamp
21 -> 5251 <0.001 4378 TLS1.2: HSHK( SERVER_HELLO CERTIFICATE...
21 <- 5251 <0.001 76 Ack Psh Fin Win=65535 Seq=4113049937 Ack=2177834785 TimeStamp
21 -> 5251 <0.001 52 Ack Psh Win=65533 Seq=2177839111 Ack=4113049938 TimeStamp
21 -> 5251 <0.001 52 Ack Psh Rst Win=65533 Seq=2177839111 Ack=4113049938 TimeStamp
Trace end
They point out that we are disconnecting ("Fin" on the 3rd to last line)
after they provide the certificate (the 4th to last line).
Everything below here is the current IBM i setup. The top section is
through the browser-based Digital Certificate Manager. The last bit is
current system values.
Based on the information provided from the vendor, I created a new
client application in the digital certificate manager with the following
settings:
SECURE SESSION section
Protocols: TLS 1.2
Cipher Specifications: RSA_AES_256_CBC_SHA256
Signature Algorithms for Key Exchange:
RSA_SHA256
RSA_PSS_SHA512
RSA_PSS_SHA384
RSA_PSS_SHA256
ECDSA_SHA512
ECDSA_SHA384
ECDSA_SHA256
ECDSA_SHA224
RSA_SHA512
RSA_SHA384
RSA_SHA224
ECDSA_SHA1
RSA_SHA1
CERTIFICATE VALIDATION section
Signature Algorithms for Key Certificate:
RSA_SHA256
RSA_PSS_SHA512
RSA_PSS_SHA384
RSA_PSS_SHA256
ECDSA_SHA512
ECDSA_SHA384
ECDSA_SHA256
ECDSA_SHA224
RSA_SHA512
RSA_SHA384
RSA_SHA224
ECDSA_SHA1
RSA_SHA1
RSA_MD5
Define the CA Trust List: Yes
Trusted Certificate Authorities: The two certificates provided by the
vendor.
I have not assigned any certificates to the application.
------------------------------
Current system values:
QSSLCSLCTL =
*USRDFN
QSSLPCL =
*TLSV1.2
*TLSV1.3
QSSLCSL =
10 *RSA_AES_256_CBC_SHA256
20 *AES_128_GCM_SHA256
30 *AES_256_GCM_SHA384
40 *CHACHA20_POLY1305_SHA256
50 *ECDHE_ECDSA_AES_128_GCM_SHA256
60 *ECDHE_ECDSA_AES_256_GCM_SHA384
70 *ECDHE_RSA_AES_128_GCM_SHA256
80 *ECDHE_RSA_AES_256_GCM_SHA384
On 2/18/2020 3:34 PM, Patrik Schindler wrote:
Hello Troy,
On 18.02.2020 at 22:16, Troy Hyde <troy.hyde@xxxxxxxxxxx> wrote:
We have asked about the port and they confirmed it is correct. It's one of the first things we considered.
https://en.wikipedia.org/wiki/FTPS
990 is FTP with mandatory SSL (implicit),
21 is unencrypted FTP with optional SSL aka STARTTLS.
That's about the same as 465 is SMTP with mandatory SSL and 25 is SMTP plaintext with STARTTLS as option.
After reading about firewall incompatibilities, I'd opt to migrate to sftp, which doesn't have all this additional port mess with firewalls in between not knowing which ports to enable dynamically (because of the encrypted command channel).
:wq! PoC
PGP-Key: DDD3 4ABF 6413 38DE - https://www.pocnet.net/poc-key.asc
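Two things in the thread above are worth checking mechanically when a client drops an explicit FTPS session: where exactly in the handshake the client closed the connection, and whether the cipher list the client is configured with overlaps the suites the server offers. The script below is an added example for this thread, not code from the list or from IBM. It embeds a constructed copy of the vendor's trace (reformatted to one record per line), walks it to report the last server handshake message seen before the client's FIN, and compares the vendor's IANA cipher-suite names with the QSSLCSL list in the message. The IANA-to-IBM-i name mapping is written by hand for this example and covers only the two suites the vendor listed; the port-21-on-the-left trace layout is an assumption taken from the trace as posted.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample: the vendor's trace from the message, one record per line.
# Port 21 is the server side; "->" is server-to-client, "<-" is client-to-server.
SAMPLE_TRACE = """\
21 -> 5251 <0.001 756 Rsp: 220-This is a restricted system and is for the express use by...
21 <- 5251 0.127 86 Req: AUTH TLS
21 -> 5251 <0.001 114 Rsp: 234 Security environment established - ready for negotiation
21 <- 5251 0.071 141 TLS1.2: HSHK( CLIENT_HELLO )
21 -> 5251 <0.001 52 Ack Psh Win=65533 Seq=2177834785 Ack=4113049937 TimeStamp
21 -> 5251 <0.001 4378 TLS1.2: HSHK( SERVER_HELLO CERTIFICATE...
21 <- 5251 <0.001 76 Ack Psh Fin Win=65535 Seq=4113049937 Ack=2177834785 TimeStamp
21 -> 5251 <0.001 52 Ack Psh Win=65533 Seq=2177839111 Ack=4113049938 TimeStamp
21 -> 5251 <0.001 52 Ack Psh Rst Win=65533 Seq=2177839111 Ack=4113049938 TimeStamp
"""

# Constructed sample: the QSSLCSL system value as posted (sequence number, name).
QSSLCSL = """\
10 *RSA_AES_256_CBC_SHA256
20 *AES_128_GCM_SHA256
30 *AES_256_GCM_SHA384
40 *CHACHA20_POLY1305_SHA256
50 *ECDHE_ECDSA_AES_128_GCM_SHA256
60 *ECDHE_ECDSA_AES_256_GCM_SHA384
70 *ECDHE_RSA_AES_128_GCM_SHA256
80 *ECDHE_RSA_AES_256_GCM_SHA384
"""

# IANA suite ids and names the vendor reported supporting.
VENDOR_SUITES = {
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}

# Hand-written mapping (assumption) from IANA names to the IBM i spelling used
# in QSSLCSL and DCM: the TLS_ prefix and _WITH are dropped, a * is prepended.
IANA_TO_IBMI = {
    "TLS_RSA_WITH_AES_256_CBC_SHA256": "*RSA_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "*RSA_AES_256_CBC_SHA",
}

# server-port  arrow  client-port  delta  size  payload
LINE_RE = re.compile(r"^(\d+)\s+(->|<-)\s+(\d+)\s+(<?[\d.]+)\s+(\d+)\s+(.*)$")


@dataclass
class Record:
    direction: str  # "server" if sent from port 21, else "client"
    size: int
    payload: str


def parse_trace(text: str) -> List[Record]:
    """Turn trace lines into Records; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _, arrow, _, _, size, payload = m.groups()
        records.append(Record("server" if arrow == "->" else "client", int(size), payload))
    return records


def find_client_abort(records: Iterable[Record]) -> Optional[str]:
    """Return the last server handshake message seen before the client sent
    FIN, or None if the client never closed first. A close right after
    SERVER_HELLO/CERTIFICATE means the client rejected something it received
    (chosen cipher or certificate), not that the server refused to negotiate."""
    last_server_hshk = None
    for r in records:
        if r.direction == "server" and "HSHK(" in r.payload:
            last_server_hshk = r.payload
        if r.direction == "client" and "Fin" in r.payload.split():
            return last_server_hshk
    return None


def parse_qsslcsl(text: str) -> List[str]:
    """Strip the sequence numbers from a QSSLCSL listing, keeping order."""
    return [line.split()[-1] for line in text.splitlines() if line.strip()]


def common_suites(vendor_names: Iterable[str], qsslcsl_names: List[str]) -> List[str]:
    """IBM i cipher names that both the vendor and the client list support."""
    return [IANA_TO_IBMI[n] for n in vendor_names if IANA_TO_IBMI.get(n) in qsslcsl_names]


if __name__ == "__main__":
    recs = parse_trace(SAMPLE_TRACE)
    print("client closed after:", find_client_abort(recs))
    print("negotiable suites:", common_suites(VENDOR_SUITES.values(), parse_qsslcsl(QSSLCSL)))
```

On the posted data the overlap is a single suite, *RSA_AES_256_CBC_SHA256, which is also the one DCM application setting shown above, so the cipher side lines up; the client FIN arriving after SERVER_HELLO CERTIFICATE then points the investigation at what the client does with that certificate (the CA trust list and the signature algorithms the application accepts) rather than at the protocol or port.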