Re: More SSL/TLS and FTP woes



I have to ask: why do you care? You can control FTP's behavior in FTPSDATA
and FTPCDATA respectively.

I also am curious about your reference to 'implicit' secure FTP. FTP
negotiates the session security starting from in the clear to the
maximum supported by both sites. You can set a floor above in the clear
if you want.

Lastly, using a specific port for much of anything but an initial
handshake is not something I think you'd want to do except on PCs.
Since the resultant port pair for FTP is going to be random, why do we
care where it starts?

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@xxxxxxxxxxx] On
Behalf Of Chase, John
Sent: Wednesday, October 17, 2007 9:03 AM
To: IBM-MAIN@xxxxxxxxxxx
Subject: More SSL/TLS and FTP woes

Hi, All,

I couldn't find anything relevant to the "problem du jour" in the
archives or the CS for z/OS 1.7 TCPIP Implementation Volume 2 Redbook,
so......

I'm able to employ SSL/TLS for FTP using the Bluezone FTP client, but
only if I configure it to use port 21 and "AUTH_TLS". I cannot get it
working via "implicit" secure FTP using port 990; the z/OS 1.7 FTPD
replies "connection refused". AFAICT, I have "all the ducks lined up in
a row", with one possible exception: I don't explicitly "reserve" port
990 (and 989?) in the PORT configuration statement of PROFILE.TCPIP.
The IP Configuration Reference manual "suggests" it's not necessary to
do so.

Might this be the "missing link" after all? Do I need to (additionally)
explicitly specify the statements in FTP.DATA that the manual says are
defaults for TLS_PORT, etc.?

TIA,

-jc-




