Re: SSL/TLS Woes FTP



If you have activated GSK trace via the environment variable someone
mentioned earlier, the trace will be written to a file in the /tmp
directory. It will have gsk somewhere in the name, and some kind of numeric
qualifier to make it unique. I forget exactly what it looks like, but you
should be able to find it by browsing the directory.

The file needs to be formatted with the gsktrace command. gsktrace writes
to stdout, so you'll probably want to redirect it to a file for browsing.
    gsktrace tracefile > outputfile
Then you'll probably have to find somebody else to interpret it. Any time I
had to look at one, I shipped it to IBM for help.

If you're specifying firewallfriendly (passive mode), that means your
server needs to allow incoming connections to ports higher than 1024. Is
the server behind a firewall? If so, you may need firewall adjustments.

The z/OS FTP client is also very picky about server certificates. It
doesn't like self-signed certs, or certs signed by an unknown CA. Many
clients, when presented with such a cert, will prompt the user whether to
accept it. The z/OS client will not. It just quits. I don't think it even
issues any visible message to the user, unless tracing is turned on. The
server cert must be signed by a CA acceptable to the client, meaning the CA
cert must be in the keyring used by the client.

When your handshake fails, does it fail quickly, or does it wait for a while
and seem to time out? If it fails quickly, then it's probably some kind of
negotiation problem. If it times out, then it's probably a firewall
problem, with the firewall throwing away the "offending" traffic so you
never get a response.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to listserv@xxxxxxxxxxx with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
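
Added example, not part of the original post: a small Python probe, run from any machine that can reach the FTP server, that applies the fast-failure versus timeout rule described above and trusts only the CA file it is given, so an unknown or self-signed server cert is rejected without a prompt. The function names, the result strings, ftp.example.com and ca.pem are assumptions made for illustration.

```python
import socket
import ssl
import time

def read_reply(sock):
    """Return the final line of one FTP reply, skipping 'NNN-' continuation lines."""
    buf = b""
    while True:
        byte = sock.recv(1)  # byte-wise, so no TLS bytes are consumed by read-ahead
        if not byte:
            raise ConnectionError("server closed the control connection")
        buf += byte
        if buf.endswith(b"\n"):
            line = buf.splitlines()[-1]
            if line[:3].isdigit() and line[3:4] == b" ":
                return line

def classify(exc, elapsed, timeout):
    """Apply the fast-failure vs. timeout rule to a failed attempt."""
    if isinstance(exc, socket.timeout) or elapsed >= timeout:
        return "timeout: traffic is probably being dropped by a firewall"
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "fast failure: server certificate not trusted (signing CA missing from trust store?)"
    if isinstance(exc, ssl.SSLError):
        return "fast failure: TLS negotiation problem (protocol version or cipher)"
    return "fast failure: connection refused or closed before TLS started"

def probe_ftps(host, port=21, cafile=None, timeout=10.0):
    """Explicit FTPS probe: greeting, AUTH TLS, then a strictly verified handshake."""
    ctx = ssl.create_default_context(cafile=cafile)  # unknown CA is rejected, no prompt
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            read_reply(raw)  # 220 greeting
            raw.sendall(b"AUTH TLS\r\n")
            reply = read_reply(raw)
            if not reply.startswith(b"234"):
                return "fast failure: server refused AUTH TLS: " + reply.decode("ascii", "replace")
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok: " + tls.version() + " " + tls.cipher()[0]
    except OSError as exc:
        return classify(exc, time.monotonic() - start, timeout)

if __name__ == "__main__":
    # ftp.example.com and ca.pem are placeholders, not values from the post
    print(probe_ftps("ftp.example.com", cafile="ca.pem"))
```

The probe exercises only the control connection; the passive-mode data ports mentioned above are not tested.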