IBM Support

Why is our Filezilla FTP client receiving GnuTLS error -110 when listing directory on z/OS FTP server?

Question & Answer


Question

We have FTPS configured on port 21 (security ALLOWED) and on port 990 (Security REQUIRED/Implicit). Filezilla connects successfully to the z/OS FTP server by using TLS to secure the control connection. But Filezilla cannot list the contents of a directory by using a TLS protected data connection.

The screen shot shows these Filezilla client messages:

   Response:   125 List started OK 
   Error:      GnuTLS error -110 in gnu_tls_record_recv: The TLS 
               Connection was non-properly terminated. 
   Status:     Server did not properly shut down TLS connection 
   Error:      Could not read from transfer socket: ECONNABORTED - 
               Connection aborted 
   Response:   250 List completed successfully. 
   Error:      Failed to retrieve directory listing 

We verified that there is no firewall between the client and the mainframe. We also verified that the customer can connect to port 21 in the clear but receives an error on the same client if they try to use SSL/TLS (active FTP).

Answer

In this situation it was found that the FTP server was configured (defaulted) to the draft level of the FTP/TLS RFCs. One effect of this is that the session is simply closed without first sending an SSL Close Alert message.

If your TLSRFCLEVEL is configured as DRAFT, change it to TLSRFCLEVEL RFC4217. If it defaulted to DRAFT, add a TLSRFCLEVEL RFC4217 statement to the server's FTP.DATA input to change this behavior.

Specification of the TLSRFCLEVEL does not affect the initial SSL handshake or encryption of traffic; it changes the behavior when a session (or at least, SSL) ends. Specifically, configuring TLSRFCLEVEL RFC4217 will cause an SSL Close alert packet to be sent before actually closing the TCP connection (sending the FIN). Apparently the GnuTLS code used by FileZilla is strictly enforcing receipt of the alert, and errors out when a FIN arrives without the alert. So adding that configuration statement should resolve the problem with FileZilla not getting the LIST output.
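The following is an added diagnostic example, not part of the original IBM answer. It walks the TLS record headers in the server-to-client bytes of a captured data connection and reports whether an alert record was the last thing sent before the FIN. It assumes TLS 1.2 or earlier, where alerts are visible as record type 21 (TLS 1.3 wraps them as application data); the function names and sample streams are constructed for illustration.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}

def walk_records(stream: bytes):
    """Yield (content_type, length) for each TLS record in a reassembled stream."""
    offset = 0
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise ValueError(f"truncated record header at offset {offset}")
        ctype, major, _minor, length = struct.unpack_from("!BBBH", stream, offset)
        if ctype not in CONTENT_TYPES or major != 3:
            raise ValueError(f"not a TLS record at offset {offset}")
        if offset + 5 + length > len(stream):
            raise ValueError(f"truncated record body at offset {offset}")
        yield ctype, length
        offset += 5 + length

def classify_shutdown(stream: bytes) -> str:
    """Describe how the sender ended its side of the TLS session before the FIN."""
    try:
        records = list(walk_records(stream))
    except ValueError:
        return "truncated"
    if not records:
        return "no-tls-data"
    # The alert body is encrypted after the handshake, so only the record type
    # (not the close_notify code itself) is visible to a passive observer.
    return "alert-before-fin" if records[-1][0] == 21 else "fin-without-alert"

def record(ctype: int, body: bytes) -> bytes:
    """Build a constructed TLS 1.2 record (version bytes 3,3) for the samples."""
    return struct.pack("!BBBH", ctype, 3, 3, len(body)) + body

# Constructed sample streams (placeholder bodies, not real captures).
HANDSHAKE = record(22, b"\x00" * 80) + record(20, b"\x01") + record(22, b"\x00" * 40)
LISTING = record(23, b"\x00" * 120)
DRAFT_STYLE = HANDSHAKE + LISTING                               # FIN follows data directly
RFC4217_STYLE = HANDSHAKE + LISTING + record(21, b"\x00" * 26)  # alert, then FIN

if __name__ == "__main__":
    for name, data in (("DRAFT", DRAFT_STYLE), ("RFC4217", RFC4217_STYLE)):
        print(name, classify_shutdown(data))
```

A "fin-without-alert" result on the data connection matches the behavior described above for TLSRFCLEVEL DRAFT; after switching to RFC4217 the same capture should classify as "alert-before-fin".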


Product Synonym

ZOSCS COMMSERVER

Document Information

Modified date:
11 September 2015

UID

dwa1213452