> -----Original Message-----
> From: IBM Mainframe Discussion List On Behalf Of Bri P
> 
> My main requirement is that the userid and password is sent AFTER the TLS encryption has been
> established, I don't want clients signing in with login credentials sent in clear, before establishing
> encryption one in-session by issuing an AUTH command, for example.

TLS encryption is established before credentials are solicited.

> From a 'purist' viewpoint, port 990 is apparently reserved for FTPS, rather than port 21, and I know
> that our auditors will scan those and claim port 21 is a risk due to being in clear.
> 
> I assumed that I could only guarantee that encryption was established (or the connection rejected) if
> I used AUTH REQUIRED in the FTP server parms, but obviously specifying that will compromise those
> clients who cannot yet, or don't want to, connect this way. So I considered a separate server. If I
> can use AUTH ALLOWED rather than REQUIRED and still do the above, then I'm happy to continue on port
> 21 and let the client negotiate at connect time.. I'll just argue with the auditors. But there's
> nothing new there, anyway..

Let the client specify whether TLS is required or just "preferred".

    -jc-

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
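
The requirement discussed in this thread (no USER or PASS on port 21 until an AUTH command has been accepted) can be checked against a control-channel command log. The following is an added example, not code from either poster; the "C:"/"S:" trace format and the three sample sessions are constructed, and it assumes the server logs commands as it receives them, including those that arrive inside the TLS session.

```python
import re

# Constructed traces: "C:" is a client command, "S:" is a server reply.
TLS_FIRST = """\
S: 220 Service ready
C: AUTH TLS
S: 234 Security environment established
C: USER alice
S: 331 Send password please
C: PASS ********
S: 230 alice is logged on
"""

CLEAR_LOGIN = """\
S: 220 Service ready
C: USER bob
S: 331 Send password please
C: PASS ********
S: 230 bob is logged on
"""

REJECTED_AUTH = """\
S: 220 Service ready
C: AUTH TLS
S: 534 Request denied for policy reasons
C: USER carol
S: 331 Send password please
"""

def cleartext_credentials(trace):
    """Return the USER/PASS commands sent before AUTH was accepted (234)."""
    protected = False      # True once the server has answered AUTH with 234
    auth_pending = False   # True while waiting for the reply to AUTH
    exposed = []
    for line in trace.splitlines():
        m = re.match(r"([CS]):\s*(\S+)", line)
        if not m:
            continue
        side, word = m.group(1), m.group(2).upper()
        if side == "C":
            auth_pending = (word == "AUTH")
            if word in ("USER", "PASS") and not protected:
                exposed.append(word)
        elif auth_pending:
            if word.startswith("234"):
                protected = True
            if word[3:4] != "-":   # "234-" marks a multi-line reply, keep waiting
                auth_pending = False
    return exposed
```

A session that returns a non-empty list is one where a client logged in without TLS, which is the case AUTH ALLOWED permits and AUTH REQUIRED rejects.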