Oh, and the AT-TLS error was 402.

BPXF024I (STSYSLOG) May 12 20:26:41 XXXXX/TCPIP  TCPIP 256
TTLS[280]: 15:26:41 TCPIP    EZD1286I TTLS Error GRPID: 00000017
ENVID: 0000008B CONNID: 0000C6AD LOCAL: xxx.xxx.xxx.xxx..7199 REMOTE:
170.225.15.117..21 JOBNAME: XXXXRECV USERID: XXXX RULE: Secure_FTP_Client_9921 RC:  402 Initial Handshake 0000000000000000 00000052FDA4BC900000000000000000

Which is "402: An SSL cipher suite could not be agreed upon between the client and server."

On 5/12/2021 3:47 PM, Michael Babcock wrote:
Kurt,

Unless I'm doing something wrong, my testing does not bear that out.

The only cipher in the list was:

    # Allow only AES ciphers
    V3CipherSuites TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

PAGENT was refreshed.  Here’s the DEBUG ALL output.

SC0588 initConnection: Calling getaddrinfo() with deliverycb-bld.dhe.ibm.com
SC0627 initConnection: getaddrinfo() returned.
SC0798 initNamedConnection: entered
SC0960 initIPv4Connection: entered
CY3336 access_via_socks_server: entered
Connecting to: dispby-117.boulder.ibm.com 170.225.15.117 port: 21.
SC3362 getReply: entered
SC4549 getNextReply: entered with waitForData = TRUE
220-IBM's internal systems must only be used for conducting IBM's
SC4549 getNextReply: entered with waitForData = TRUE
220-business or for purposes authorized by IBM management.
SC4549 getNextReply: entered with waitForData = TRUE
220-
SC4549 getNextReply: entered with waitForData = TRUE
220-Use is subject to audit at any time by IBM management.
SC4549 getNextReply: entered with waitForData = TRUE
220-
SC4549 getNextReply: entered with waitForData = TRUE
220-
SC4549 getNextReply: entered with waitForData = TRUE
220 dhebpcb01 secure FTP server ready.
SC4241 getLastReply: entered
SC4241 getLastReply: entered
SC4241 getLastReply: entered
SC7601 update_cntl_appldata: entered
GU5351 ftpSetApplData: entered
FC0259 ftpAuth: entered
FC0294 ftpAuth: security values: mech=TLS, tlsmech=ATTLS, tlsreuse=N, sFTP=R, sCC=P, sDC=P
FC2895 ftpAuthAttls: entered
FC2971 ftpAuthAttls: AT-TLS policy set as application controlled.
FU2410 printAttlsPolicyNames: entered
FU2420 TTLSRule: Secure_FTP_Client_9921
FU2426 TTLSGroupAction: grp_Production
FU2432 TTLSEnvironmentAction: Secure_FTP_Client_Env_Ext
FU2439 TTLSConnectionACtion: Secure_FTP_Conn_Ext
SC2899 sendCmd: entered
>>> AUTH TLS
SC3362 getReply: entered
SC4549 getNextReply: entered with waitForData = TRUE
234 SSLv23/TLSv1
SC4241 getLastReply: entered
FC3101 authServerAttls: entered
SC4405 getFNDELAY: entered
SC4440 setFNDELAY: entered
FC3140 authServerAttls: Start Handshake
FC3149 authServerAttls: ioctl() failed on SIOCTTLSCTL - EDC8121I Connection reset. (errno2=0x77A9733D)
SC4440 setFNDELAY: entered
Authentication negotiation failed
SC4289 inSession: entered
*** Control connection with dispby-117.boulder.ibm.com dies.
SC4332 SETCEC code = 10
SC3610 endSession: entered (sn=1BE35B18)
SC2776 dataClose: entered
SC3693 endSession: recv() failed - EDC8121I Connection reset. (errno2=0x76650446)
CZ1459 ftpClose: entered
SC4289 inSession: entered
SC4367 setLoggedIn: entered
You must first issue the 'OPEN' command

The rest of the ciphers were re-added and PAGENT refreshed.

    # Allow only AES ciphers
    V3CipherSuites    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    V3CipherSuites    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    V3CipherSuites    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    V3CipherSuites    TLS_RSA_WITH_AES_256_GCM_SHA384
    V3CipherSuites    TLS_RSA_WITH_AES_256_CBC_SHA256
    V3CipherSuites    TLS_RSA_WITH_AES_256_CBC_SHA
    V3CipherSuites    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
    V3CipherSuites    TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
    V3CipherSuites    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
    V3CipherSuites    TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    V3CipherSuites    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
    V3CipherSuites    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    V3CipherSuites    TLS_DH_RSA_WITH_AES_256_CBC_SHA
    V3CipherSuites    TLS_DH_RSA_WITH_AES_256_CBC_SHA256
    V3CipherSuites    TLS_DH_RSA_WITH_AES_256_GCM_SHA384
    V3CipherSuites    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    V3CipherSuites    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    V3CipherSuites    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    V3CipherSuites    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
    V3CipherSuites    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
    V3CipherSuites    TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
  }

Here’s the DEBUG ALL output for that.  As you can see, the 009D cipher was picked.  It did not pick one of the stronger ciphers even though TLSv1.2 was used.

SC0588 initConnection: Calling getaddrinfo() with deliverycb-bld.dhe.ibm.com
SC0627 initConnection: getaddrinfo() returned.
SC0798 initNamedConnection: entered
SC0960 initIPv4Connection: entered
CY3336 access_via_socks_server: entered
Connecting to: dispby-117.boulder.ibm.com 170.225.15.117 port: 21.
SC3362 getReply: entered
SC4549 getNextReply: entered with waitForData = TRUE
220-IBM's internal systems must only be used for conducting IBM's
SC4549 getNextReply: entered with waitForData = TRUE
220-business or for purposes authorized by IBM management.
SC4549 getNextReply: entered with waitForData = TRUE
220-
SC4549 getNextReply: entered with waitForData = TRUE
220-Use is subject to audit at any time by IBM management.
SC4549 getNextReply: entered with waitForData = TRUE
220-
SC4549 getNextReply: entered with waitForData = TRUE
220-
SC4549 getNextReply: entered with waitForData = TRUE
220 dhebpcb01 secure FTP server ready.
SC4241 getLastReply: entered
SC4241 getLastReply: entered
SC7601 update_cntl_appldata: entered
GU5351 ftpSetApplData: entered
FC0259 ftpAuth: entered
FC0294 ftpAuth: security values: mech=TLS, tlsmech=ATTLS, tlsreuse=N, sFTP=R, sCC=P, sDC=P
FC2895 ftpAuthAttls: entered
FC2971 ftpAuthAttls: AT-TLS policy set as application controlled.
FU2410 printAttlsPolicyNames: entered
FU2420 TTLSRule: Secure_FTP_Client_9921
FU2426 TTLSGroupAction: grp_Production
FU2432 TTLSEnvironmentAction: Secure_FTP_Client_Env_Ext
FU2439 TTLSConnectionACtion: Secure_FTP_Conn_Ext
SC2899 sendCmd: entered
>>> AUTH TLS
SC3362 getReply: entered
SC4549 getNextReply: entered with waitForData = TRUE
234 SSLv23/TLSv1
SC4241 getLastReply: entered
FC3101 authServerAttls: entered
SC4405 getFNDELAY: entered
SC4440 setFNDELAY: entered
FC3140 authServerAttls: Start Handshake
SC4440 setFNDELAY: entered
FC3171 authServerAttls: FIPS140 not enabled
FC3208 authServerAttls: Using TLSv1.2 protocol
FC3226 authServerAttls: SSL cipher: 009D
FU2091 getCtrlConnCertAttls: entered
FU2135 getCtrlConnCertAttls: Request certificate, size 1581
FU2739 getSessionIdAttls: entered
FU2755 getSessionIdAttls: Issuing SIOCTTLSCTL to get decoded AT-TLS Session ID
Authentication negotiation succeeded
FC2028 setdlevel: entered
FC2197 setpbsz: entered
SC2899 sendCmd: entered
>>> PBSZ 0
SC3362 getReply: entered
SC4549 getNextReply: entered with waitForData = TRUE
200 PBSZ=0
SC4241 getLastReply: entered
SC2899 sendCmd: entered
>>> PROT P
SC3362 getReply: entered
SC4549 getNextReply: entered with waitForData = TRUE
200 Command PROT okay.

On 5/12/2021 12:34 PM, Kurt Quackenbush wrote:
On 5/10/2021 4:57 PM, Michael Babcock wrote:
I did some testing on our sandbox (I commented out all ciphers except the one I was interested in and refreshed policy agent) and here’s what I found.

<snip>

The ECDHE ciphers were rejected but the TLS_RSA_WITH_AES_256_CBC_SHA did work (I didn’t try the TLS_RSA_WITH_AES_128_CBC_SHA cipher).

In spite of what the IBM Support page says, my tests show the following ciphers enabled on the delivercb-bld.dhe.ibm.com server:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA

This was confirmed by an individual that supports the server. The ciphers mentioned on the IBM Support page are a subset of the ciphers actually enabled.
https://www.ibm.com/support/pages/node/6417233

I hope this helps.  Is anyone still having trouble connecting?

Kurt Quackenbush -- IBM, SMP/E Development
Chuck Norris never uses CHECK when he applies PTFs.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
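As an added example (not code from anyone in this thread), a small Python analyzer that pulls the negotiated protocol and cipher code out of the FTP client DEBUG ALL trace and the RC out of an EZD1286I message, decodes the code to its suite name and flags whether the key exchange gives forward secrecy. The hex-to-name table and the sample lines are constructed here and cover only suites named in the thread.

```python
import re

# IANA cipher-suite codes for suites named in this thread (constructed lookup;
# the key exchange is the part of the name before "_WITH_").
SUITE_NAMES = {
    "009D": "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "0035": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "002F": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "C030": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "C02F": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "C014": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
}
# Lines of interest in the FTP client DEBUG ALL trace and the EZD1286I message.
PROTO_RE = re.compile(r"authServerAttls: Using (\S+) protocol")
CIPHER_RE = re.compile(r"authServerAttls: SSL cipher: ([0-9A-F]{4})")
FAIL_RE = re.compile(r"EZD1286I TTLS Error .*RULE: (\S+) RC:\s+(\d+)\s+([A-Za-z ]+?)\s+[0-9A-F]{16}")

def forward_secrecy(suite):
    """Ephemeral (EC)DHE key exchange gives forward secrecy; static RSA/(EC)DH does not."""
    kx = suite.split("_WITH_")[0]
    return "ECDHE" in kx or "DHE" in kx

def analyze(lines):
    """Summarise one AT-TLS handshake attempt from trace and syslog lines."""
    r = {"status": "unknown", "protocol": None, "cipher": None,
         "suite": None, "pfs": None, "rule": None, "rc": None, "reason": None}
    for line in lines:
        if m := PROTO_RE.search(line):
            r["protocol"] = m.group(1)
        elif m := CIPHER_RE.search(line):
            r["cipher"] = m.group(1)
            r["suite"] = SUITE_NAMES.get(m.group(1), "unknown")
            r["pfs"] = forward_secrecy(r["suite"]) if r["suite"] != "unknown" else None
        elif m := FAIL_RE.search(line):
            r.update(status="failed", rule=m.group(1), rc=int(m.group(2)), reason=m.group(3))
        elif "Authentication negotiation succeeded" in line:
            r["status"] = "succeeded"
    return r

# Constructed sample lines modelled on the two runs shown in the thread.
TRACE_OK = [
    "FC3208 authServerAttls: Using TLSv1.2 protocol",
    "FC3226 authServerAttls: SSL cipher: 009D",
    "Authentication negotiation succeeded",
]
TRACE_FAIL = [
    "FC3149 authServerAttls: ioctl() failed on SIOCTTLSCTL - EDC8121I Connection reset.",
    "EZD1286I TTLS Error GRPID: 00000017 ENVID: 0000008B CONNID: 0000C6AD "
    "RULE: Secure_FTP_Client_9921 RC:  402 Initial Handshake 0000000000000000 0000000000000000",
]
```

Running `analyze(TRACE_OK)` reports the 009D run as TLSv1.2 with TLS_RSA_WITH_AES_256_GCM_SHA384 and no forward secrecy, while `analyze(TRACE_FAIL)` reports RC 402 against rule Secure_FTP_Client_9921.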