Interesting, as I believe I just resolved my issue, and I think it worked.  My 
issue was my method of specifying environment variables.  I had them specified 
in a single quoted string instead of two separate quoted strings, separated by 
a comma.  The following works (specified in a CEEOPTS DD):

ENVAR('GSK_PROTOCOL_TLSV1_2=1', 'GSK_V3_CIPHER_SPECS=3D35')

This does cause a warning that "specID 3D not recognized", but I think that is 
simply a result of the FTP application trying to find a text representation for 
a cipher that it doesn't know about.  But at the System SSL level it all seems 
to work.

With "DEBUG SEC" specified in my ftp.data I see the following:

FC0334 ftpAuth: ........ cipherspecs =
FC0379 ftpAuth: environment_open()
FC0543 ftpAuth: environment_init()
FC0552 ftpAuth: environment initialization complete
EZA1701I >>> AUTH TLS
234 AUTH command OK. Initializing SSL connection.
FC1011 authServer: secure_socket_open()
FC1083 HSNOTIFY rc: 0
FC1088 authServer: secure_socket_init()
FU1316 tlsLevel: specID 3D not recognized
FU1325 tlsLevel: using TLSV1.2  (3D)
FC1171 authServer: gsk_attribute_get_cert_info()
FC1216 authServer: decode certificate length = 1575
EZA2895I Authentication negotiation succeeded

Everything seems to work.  I won't be able to validate for 100% that it's using 
a SHA256 MAC until the server is reconfigured to exclude SHA1 again, but I 
think we're good.

Not that we shouldn't convert to AT-TLS at some point.  But right now we just 
want to get this working.

Frank
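
As an added check that is not part of the thread or of IBM's tooling: a Python sketch that decodes the two-character GSK_V3_CIPHER_SPECS IDs through the standard IANA cipher-suite table (System SSL uses the low byte of the suite code), flags entries whose MAC is not SHA-256, and reads the negotiated ID from the "tlsLevel: using" line of the DEBUG SEC trace. The ENVAR parsing is a simplified model of how LE splits the quoted strings (it reproduces the one-string mistake described above), and the sample ENVAR and trace lines are constructed from those quoted in the message.

```python
import re

# System SSL spec IDs are the low byte of the IANA TLS cipher suite code
# (high byte 0x00); only a few RSA suites are listed, extend as needed.
SPEC_IDS = {
    "0A": ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "SHA1"),
    "2F": ("TLS_RSA_WITH_AES_128_CBC_SHA", "SHA1"),
    "35": ("TLS_RSA_WITH_AES_256_CBC_SHA", "SHA1"),
    "3C": ("TLS_RSA_WITH_AES_128_CBC_SHA256", "SHA256"),
    "3D": ("TLS_RSA_WITH_AES_256_CBC_SHA256", "SHA256"),
}

# Constructed samples: the working ENVAR from the post and a DEBUG SEC excerpt.
ENVAR_OK = "ENVAR('GSK_PROTOCOL_TLSV1_2=1', 'GSK_V3_CIPHER_SPECS=3D35')"
TRACE = ("FU1316 tlsLevel: specID 3D not recognized\n"
         "FU1325 tlsLevel: using TLSV1.2  (3D)\n")

def parse_envar(envar):
    """Simplified model of LE ENVAR parsing (assumption): each quoted string
    is one NAME=VALUE pair, so a comma inside one string stays in the value."""
    body = re.search(r"ENVAR\((.*)\)", envar, re.S).group(1)
    return dict(s.split("=", 1) for s in re.findall(r"'([^']*)'", body))

def split_specs(value):
    """GSK_V3_CIPHER_SPECS is a run of 2-char IDs in preference order."""
    return [value[i:i + 2] for i in range(0, len(value), 2)]

def weak_specs(specs, required_mac="SHA256"):
    """Spec IDs that are unknown or do not use the required MAC."""
    return [s for s in specs if SPEC_IDS.get(s, ("?", "?"))[1] != required_mac]

def negotiated_spec(trace):
    """Spec ID from the 'tlsLevel: using <proto>  (XX)' trace line."""
    m = re.search(r"tlsLevel: using \S+\s+\((\w{2})\)", trace)
    return m.group(1) if m else None

def audit(envar, trace, required_mac="SHA256"):
    """Summarise the configured list and the suite actually negotiated."""
    env = parse_envar(envar)
    specs = split_specs(env.get("GSK_V3_CIPHER_SPECS", ""))
    used = negotiated_spec(trace)
    suite, mac = SPEC_IDS.get(used, ("unknown", "unknown"))
    return {"configured": specs, "weak": weak_specs(specs, required_mac),
            "negotiated": used, "suite": suite, "mac_ok": mac == required_mac}

if __name__ == "__main__":
    print(audit(ENVAR_OK, TRACE))
```

Because "35" (AES-256-CBC with HMAC-SHA1) is still in the list as a fallback, the audit reports it as weak; the negotiated "3D" is the SHA-256 suite.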

________________________________
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of 
John S. Giltner, Jr. <gil...@gmail.com>
Sent: Wednesday, February 24, 2021 3:37 PM
To: IBM-MAIN@LISTSERV.UA.EDU <IBM-MAIN@LISTSERV.UA.EDU>
Subject: Re: FTP with TLSv1.2 and SHA256

I just went through this and had a PRM with IBM.  FTP will use TLSv1.2 as you 
have found by using env variables, but you are limited to the cipher specs it 
supports natively.  It will not honor anything you try and code with env 
variables. You will need to use AT-TLS.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
