Hi Miguel,

Thanks Miguel, you confirmed my understanding - but the darned client isn't behaving the way it should. The client is Attachmate InfoConnect 8.1.

When a TN3270 client connects using SSL in Config 1 (explicit, no SECURE parm on PORT) I see the connection open, the IP and port are reported, and the connection closes immediately in the TCPIP console log. There is nothing on the SSL server console (with TRACE ALL):

11:37:08 DTCSTM305I Telnet server: Secure Connections are ALLOWED
11:37:08 DTCSTM309I Telnet server: TLS Label is NOTSHOWN
11:44:17 DTCSTM163I Telnet server: Conn 0: Connection opened 03/25/09 at 11:44:17
11:44:17 DTCPRC150I Conn 0: Foreign internet address and port: net address = 10.215.0.218, port= 3651
11:44:17 DTCSTM349I Telnet server: Conn 0: Connection closed 03/25/09 at 11:44:17

When a TN3270 client connects using SSL in Config 2 (implicit with SECURE parm on PORT) I see the connection open, the SSL server reports securing the connection, and the LDSF device is created:

11:31:24 DTCSTM305I Telnet server: Secure Connections are ALLOWED
11:31:24 DTCSTM309I Telnet server: TLS Label is NOTSHOWN
11:32:16 DTCSTM163I Telnet server: Conn 0: Connection opened 03/25/09 at 11:32:16
11:32:16 DTCPRC150I Conn 0: Foreign internet address and port: net address = 10.215.0.218, port= 3614
11:32:17 DTCSTM132I Conn 0: Ldsf device 00000003 created

and on the SSL server console:

Client 10.215.0.218:3614 Port 23 Label NOTSHOWN Cipher RC4_128_MD5
Connection established

Something is misbehaving................... :(

PS: This is on z/VM 5.4 with the CMS-based SSL server PTFs.

-Mike

-----Original Message-----
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Miguel Delapaz
Sent: Wednesday, March 25, 2009 10:18 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: SSL Encryption For TN3270

Mike,

> Does TN3270 support explicit/implicit SSL/TLS the same way? For
> example, if I set up an explicit connection by using the TLSLABEL
> and SECURECONNECTION ALLOWED statements in the INTERNALCLIENTPARMS
> will the TN3270 client "negotiate" SSL much the same way FTP does
> with AUTH TLS? When configuring for explicit do I also need to use
> the SECURE parm on the PORT?

TN3270 behaves the same way as FTP. If the clients are going to negotiate security, there is no need for the SECURE option on the port statement.

>
> I'm asking this because what I'm seeing in my tests has me a bit confused.
>
> Config 1:
>
> TLSLABEL and SECURECONNECTION ALLOWED in INTERNALCLIENTPARMS. PORT
> does not have SECURE parm. In this configuration we see the
> "Secure connections are ALLOWED" and "TLSLABEL is...." messages in
> the TCPIP startup log, but SSL-enabled clients cannot connect.
> Non-SSL clients can connect OK.

What client(s) are you using?

Regards,
Miguel Delapaz
z/VM Development
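
Added example, not part of either message: a small triage script for the TCPIP console traces quoted in this thread, which separates connections that closed before any LDSF device was created (the Config 1 symptom) from those that reached a device (Config 2). The message IDs and log lines are copied from the thread; the function name `triage` and the outcome labels are assumptions made for this illustration.

```python
import re

# Console lines copied from the two traces quoted in this thread.
CONFIG1_LOG = """\
11:44:17 DTCSTM163I Telnet server: Conn 0: Connection opened 03/25/09 at 11:44:17
11:44:17 DTCPRC150I Conn 0: Foreign internet address and port: net address = 10.215.0.218, port= 3651
11:44:17 DTCSTM349I Telnet server: Conn 0: Connection closed 03/25/09 at 11:44:17
"""
CONFIG2_LOG = """\
11:32:16 DTCSTM163I Telnet server: Conn 0: Connection opened 03/25/09 at 11:32:16
11:32:16 DTCPRC150I Conn 0: Foreign internet address and port: net address = 10.215.0.218, port= 3614
11:32:17 DTCSTM132I Conn 0: Ldsf device 00000003 created
"""

LINE = re.compile(r"^(\d\d:\d\d:\d\d) (DTC\w+) (?:Telnet server: )?Conn (\d+): (.*)$")
PEER = re.compile(r"net address = ([\d.]+), port= *(\d+)")

def triage(log_text):
    """Return one dict per connection, in the order each was opened."""
    # Outcome labels ("open", "device_created", ...) are names chosen for this example.
    sessions, active = [], {}   # active: conn number -> session still being tracked
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # startup banners and unrelated messages
        when, msgid, conn, text = m.groups()
        if msgid == "DTCSTM163I":      # Connection opened (conn numbers are reused)
            s = {"conn": int(conn), "opened": when, "peer": None,
                 "device": None, "outcome": "open"}
            active[conn] = s
            sessions.append(s)
            continue
        s = active.get(conn)
        if s is None:
            continue  # message for a connection whose open we never saw
        if msgid == "DTCPRC150I":      # Foreign internet address and port
            p = PEER.search(text)
            if p:
                s["peer"] = (p.group(1), int(p.group(2)))
        elif msgid == "DTCSTM132I":    # Ldsf device created
            s["device"] = text.split()[2]
            s["outcome"] = "device_created"
        elif msgid == "DTCSTM349I":    # Connection closed
            s["outcome"] = "closed" if s["device"] else "closed_without_device"
            del active[conn]
    return sessions
```

Run over a full console log, the `closed_without_device` entries with their peer address and open time give the list of client attempts to compare against the SSL server trace.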