Opened 14 years ago

Closed 14 years ago

Last modified 10 years ago

#5475 closed Bug report (fixed)

Failed to connect to z/OS V1.8 using "FTP over explicit TLS/SSL"

Reported by: Sam
Owned by:
Priority: high
Component: FileZilla Client
Keywords: FTP over explicit TLS/SSL
Cc:
Component version:
Operating system type: Other
Operating system version:

Description

My client is WINXP SP3. My host is z/OS V1.8 with a FTPD running.

Here is the log:

Status: Connecting to 192.xxx.xx.xx:21...
Status: Connection established, waiting for welcome message...
Trace: CFtpControlSocket::OnReceive()
Response: 220-FTPD1 IBM FTP CS V1R8 at PROD, 09:06:34 on 2010-07-20.
Trace: CFtpControlSocket::OnReceive()
Response: 220 Connection will close if idle for more than 5 minutes.
Trace: CFtpControlSocket::SendNextCommand()
Command: AUTH TLS
Trace: CFtpControlSocket::OnReceive()
Response: 234 Security environment established - ready for negotiation
Status: Initializing TLS...
Trace: CTlsSocket::Handshake()
Trace: CTlsSocket::ContinueHandshake()
Trace: CTlsSocket::OnSend()
Trace: CTlsSocket::OnRead()
Trace: CTlsSocket::ContinueHandshake()
Trace: CTlsSocket::OnRead()
Trace: CTlsSocket::ContinueHandshake()
Trace: CTlsSocket::Failure(-12, 10053)
Trace: GnuTLS alert 80: Internal error
Error: GnuTLS error -12: A TLS fatal alert has been received.
Trace: CRealControlSocket::OnClose(10053)
Trace: CControlSocket::DoClose(64)
Trace: CFtpControlSocket::ResetOperation(66)
Trace: CControlSocket::ResetOperation(66)
Error: Could not connect to server
Trace: CFileZillaEnginePrivate::ResetOperation(66)
Status: Waiting to retry...
Trace: CControlSocket::DoClose(64)
Trace: CControlSocket::DoClose(64)
Status: Connecting to 192.xxx.xx.xx:21...
Status: Connection established, waiting for welcome message...
Trace: CFtpControlSocket::OnReceive()
Response: 220-FTPD1 IBM FTP CS V1R8 at PROD, 09:06:39 on 2010-07-20.
Trace: CFtpControlSocket::OnReceive()
Response: 220 Connection will close if idle for more than 5 minutes.
Trace: CFtpControlSocket::SendNextCommand()
Command: AUTH TLS
Trace: CFtpControlSocket::OnReceive()
Response: 234 Security environment established - ready for negotiation
Status: Initializing TLS...
Trace: CTlsSocket::Handshake()
Trace: CTlsSocket::ContinueHandshake()
Trace: CTlsSocket::OnSend()
Trace: CTlsSocket::OnRead()
Trace: CTlsSocket::ContinueHandshake()
Trace: CTlsSocket::OnRead()
Trace: CTlsSocket::ContinueHandshake()
Trace: CTlsSocket::Failure(-12, 10053)
Trace: GnuTLS alert 80: Internal error
Error: GnuTLS error -12: A TLS fatal alert has been received.
Trace: CRealControlSocket::OnClose(10053)
Trace: CControlSocket::DoClose(64)
Trace: CFtpControlSocket::ResetOperation(66)
Trace: CControlSocket::ResetOperation(66)
Error: Could not connect to server
Trace: CFileZillaEnginePrivate::ResetOperation(66)

Below are my z/OS TLS settings in FTPSDATA, which is the config file for the FTP server:

TLSRFCLEVEL RFC4217
EXTENSIONS AUTH_TLS
SECURE_PASSWORD OPTIONAL
CIPHERSUITE SSL_NULL_MD5
CIPHERSUITE SSL_NULL_SHA
CIPHERSUITE SSL_RC4_MD5_EX
CIPHERSUITE SSL_RC4_MD5
CIPHERSUITE SSL_RC4_SHA
CIPHERSUITE SSL_RC2_MD5_EX
CIPHERSUITE SSL_DES_SHA
CIPHERSUITE SSL_3DES_SHA
CIPHERSUITE SSL_AES_128_SHA
CIPHERSUITE SSL_AES_256_SHA
KEYRING TCPSTC/TCPRING

I have already applied the PTF for z/OS V1.8, UO00701. Please help.
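An added example, not part of the ticket and not FileZilla or IBM code: a small Python audit of the CIPHERSUITE statements in the FTPSDATA excerpt above. It flags suites that offer no encryption or weak encryption and emits the configuration without them. The function names, the rule list and the treatment of `;` as a comment marker are assumptions of this example.

```python
import re

# The FTPSDATA excerpt quoted in the ticket, embedded so the example runs offline.
SAMPLE_FTP_DATA = """\
TLSRFCLEVEL RFC4217
EXTENSIONS AUTH_TLS
SECURE_PASSWORD OPTIONAL
CIPHERSUITE SSL_NULL_MD5
CIPHERSUITE SSL_NULL_SHA
CIPHERSUITE SSL_RC4_MD5_EX
CIPHERSUITE SSL_RC4_MD5
CIPHERSUITE SSL_RC4_SHA
CIPHERSUITE SSL_RC2_MD5_EX
CIPHERSUITE SSL_DES_SHA
CIPHERSUITE SSL_3DES_SHA
CIPHERSUITE SSL_AES_128_SHA
CIPHERSUITE SSL_AES_256_SHA
KEYRING TCPSTC/TCPRING
"""

# (pattern, reason) pairs checked in order; the first match is reported.
WEAK_RULES = [
    (re.compile(r"_NULL_"), "no encryption (integrity only)"),
    (re.compile(r"_EX$"), "export-grade 40-bit key"),
    (re.compile(r"_RC4_"), "RC4 is prohibited for TLS (RFC 7465)"),
    (re.compile(r"_RC2_"), "RC2 is obsolete"),
    (re.compile(r"(?<!3)DES_"), "single DES, 56-bit key"),
    (re.compile(r"_3DES_"), "64-bit block cipher (Sweet32)"),
]

def suite_of(line):  # suite name of a CIPHERSUITE statement, else None
    parts = line.split(";", 1)[0].split()  # assumption: ';' starts a comment
    if len(parts) >= 2 and parts[0].upper() == "CIPHERSUITE":
        return parts[1].upper()

def weakness(suite):  # reason string for a weak suite, else None
    return next((r for p, r in WEAK_RULES if p.search(suite)), None)

def audit(text):  # [(suite, reason)] for every flagged CIPHERSUITE statement
    suites = [s for s in map(suite_of, text.splitlines()) if s]
    return [(s, weakness(s)) for s in suites if weakness(s)]

def hardened(text):  # same config with the flagged CIPHERSUITE lines dropped
    kept = [l for l in text.splitlines() if not weakness(suite_of(l) or "")]
    return "\n".join(kept) + "\n"

if __name__ == "__main__":
    for suite, reason in audit(SAMPLE_FTP_DATA):
        print(f"WEAK  {suite:<16} {reason}")
```

Run against the excerpt, the audit flags eight of the ten suites and `hardened()` leaves only the two AES suites alongside the unchanged non-cipher statements.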

Change History (1)

comment:1 by Sam, 14 years ago

Resolution: fixed
Status: new → closed

I have already solved the problem. It was caused by my server certificate defined at z/OS.

The correct procedure should be:
(1) Define a self-signed certificate at z/OS.
(2) Define a key ring, e.g. FTPRING, owned by ID(FTPD)
(3) Connect the self-signed certificate to the keyring with the following attributes:

Cert. Owner = ID(FTPD)
USAGE = Personal
DEFAULT = YES

(4) Export the self-signed certificate to a data set. Download the data set to the client.
(5) Import the downloaded cert file using PCOMM's IBM Key Management or through 'Control Panel'=>'Internet options'=>'Contents'=>'Certificate' under 'Trusted Root Certificate Authorities'.
(6) Start using FileZilla to establish a TLS ftps session with 'Server type'='FTPES - FTP over explicit TLS/SSL'

BINGO!!!
