> -----Original Message-----
> From: IBM Mainframe Discussion List On Behalf Of Bri P
>
> My main requirement is that the userid and password is sent AFTER the TLS encryption has been
> established, I don't want clients signing in with login credentials sent in clear, before establishing
> encryption one in-session by issuing an AUTH command, for example.

TLS encryption is established before credentials are solicited.

> From a 'purist' viewpoint, port 990 is apparently reserved for FTPS, rather than port 21, and I know
> that our auditors will scan those and claim port 21 is a risk due to being in clear.
>
> I assumed that I could only guarantee that encryption was established (or the connection rejected) if
> I used AUTH REQUIRED in the FTP server parms, but obviously specifying that will compromise those
> clients who cannot yet, or don't want to, connect this way. So I considered a separate server. If I
> can use AUTH ALLOWED rather than REQUIRED and still do the above, then I'm happy to continue on port
> 21 and let the client negotiate at connect time.. I'll just argue with the auditors. But there's
> nothing new there, anyway..

Let the client specify whether TLS is required or just "preferred".

-jc-