That's not the issue. GSK_PROTOCOL_TLSV1_2=1 is correct and works. It's the cipherspecs that are at issue.
________________________________ From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of Roberto Halais <roberto.hal...@gmail.com> Sent: Wednesday, February 24, 2021 5:39 AM To: IBM-MAIN@LISTSERV.UA.EDU <IBM-MAIN@LISTSERV.UA.EDU> Subject: Re: FTP with TLSv1.2 and SHA256 I read in a presentation that you specify GSK_PROTOCOL_TLSV1_2=ON Test this. On Tue, Feb 23, 2021 at 8:38 PM Frank Swarbrick <frank.swarbr...@outlook.com> wrote: > We are not currently using AT-TLS for FTP. > We are currently activating TLSv1.2 support with the following environment > variable: > GSK_PROTOCOL_TLSV1_2=1 > > This works fine and allows us to use (default) cipherspec 35: > TLS_RSA_WITH_AES_256_CBC_SHA (FU1330 tlsLevel: using TLSV1.2 with > SSL_AES_256_SHA (35)). > > This cipherspec uses a SHA-1 hash, and we want to eliminate use of SHA-1. > So I'm trying to figure out how to use cipherspec 3D: > TLS_RSA_WITH_AES_256_CBC_SHA256. > > It doesn't look like the FTP client supports explicit use of SHA256 > hashes, as far as I can tell. There does not appear to be a CIPHERSUITE > statement value to utilize SHA256. So I've been trying to use a GSK > environment variable to specify it. I've tried all of the following, and > none seem to work: > > GSK_V3_CIPHER_SPECS=3D > GSK_V3_CIPHER_SPECS="3D" > GSK_V3_CIPHER_SPECS_EXPANDED=003D > GSK_V3_CIPHER_SPECS_EXPANDED="003D" > > All of them get the following (when DEBUG SEC is specified in my ftp.data< > ftp://ftp.data> file): > FC0334 ftpAuth: ........ cipherspecs = > FC0379 ftpAuth: environment_open() > FC0383 ftpAuth: open of the TLS environment failed with rc = 703 > (Enumeration is not valid) > EZA2897I Authentication negotiation failed > > I am thinking that we might have to bite the bullet and use ATTLS instead, > but if anyone has been successful using a SHA256 cipherspec without it I'd > love to hear your thoughts. > > Thanks, > Frank > > > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > -- Politics: Poli (many) - tics (blood sucking parasites) ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN