My main requirement is that the userid and password are sent AFTER the TLS encryption has been established, I don't want clients signing in with login credentials sent in clear, before establishing encryption once in-session by issuing an AUTH command, for example.

From a 'purist' viewpoint, port 990 is apparently reserved for FTPS, rather than port 21, and I know that our auditors will scan those and claim port 21 is a risk due to being in clear.

I assumed that I could only guarantee that encryption was established (or the connection rejected) if I used AUTH REQUIRED in the FTP server parms, but obviously specifying that will compromise those clients who cannot yet, or don't want to, connect this way. So I considered a separate server.

If I can use AUTH ALLOWED rather than REQUIRED and still do the above, then I'm happy to continue on port 21 and let the client negotiate at connect time.. I'll just argue with the auditors. But there's nothing new there, anyway..

Brian

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Hal Merritt
Sent: 21 January 2009 15:39
To: [email protected]
Subject: Re: Multiple FTP servers?

If the client wants TLS, then all they have to do is say so in their FTP connection parms (-r -x IIRC).

I can see value in making sure a connection is encrypted, but it seems like that's really up to the client.

Just my $0.02, being a simple minded sort :-)

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
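
The check discussed in this thread, as an added example that is not part of the original messages: a small Python audit over FTP control-channel transcripts that reports any USER or PASS command sent before the server accepted AUTH with reply 234 (the explicit-TLS reply defined in RFC 4217). The transcript format, the sample sessions and the `implicit_tls` flag for port-990 style connections are constructed for illustration.

```python
# Added example. A transcript is a list of (direction, line) pairs:
# "C" = client command, "S" = server reply. This format is an assumption.

def credentials_in_clear(transcript, implicit_tls=False):
    """Return the credential verbs (USER/PASS) sent before TLS was in place."""
    tls_active = implicit_tls      # implicit FTPS: TLS wraps the whole session
    auth_pending = False           # client sent AUTH, waiting for the reply
    exposed = []
    for direction, line in transcript:
        if direction == "C":
            verb = line.split(" ", 1)[0].upper()
            if verb == "AUTH":
                auth_pending = True
            elif verb in ("USER", "PASS") and not tls_active:
                exposed.append(verb)
        else:
            if line[3:4] == "-":   # continuation line of a multi-line reply
                continue
            if auth_pending:
                # 234 = server accepts AUTH; the TLS handshake follows.
                tls_active = line.startswith("234")
                auth_pending = False
    return exposed

# Constructed sample sessions (not captured from a real server).
EXPLICIT_TLS = [
    ("S", "220 FTP server ready"),
    ("C", "AUTH TLS"),
    ("S", "234 Security environment established"),
    ("C", "USER brian"),
    ("S", "331 Send password please"),
    ("C", "PASS example-password"),
    ("S", "230 brian is logged on"),
]
CLEARTEXT = [pair for pair in EXPLICIT_TLS
             if not pair[1].startswith(("AUTH", "234"))]
AUTH_REFUSED = [
    ("S", "220 FTP server ready"),
    ("C", "AUTH TLS"),
    ("S", "502 Command not implemented"),
    ("C", "USER brian"),
    ("S", "331 Send password please"),
    ("C", "PASS example-password"),
    ("S", "230 brian is logged on"),
]

if __name__ == "__main__":
    for name in ("EXPLICIT_TLS", "CLEARTEXT", "AUTH_REFUSED"):
        print(name, credentials_in_clear(globals()[name]))
```

Run over server-side session logs, a non-empty result identifies the clients that still log in without negotiating TLS on port 21.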

