Question & Answer
Question
We have FTPS configured on port 21 (security ALLOWED) and on port 990 (Security REQUIRED/Implicit). FileZilla connects successfully to the z/OS FTP server by using TLS to secure the control connection. But FileZilla cannot list the contents of a directory by using a TLS protected data connection.
The screenshot shows these FileZilla client messages:
Response: 125 List started OK
Error: GnuTLS error -110 in gnu_tls_record_recv: The TLS Connection was non-properly terminated.
Status: Server did not properly shut down TLS connection
Error: Could not read from transfer socket: ECONNABORTED - Connection aborted
Response: 250 List completed successfully.
Error: Failed to retrieve directory listing
We verified that there is no firewall between the client and the mainframe. We also verified that the customer can connect to port 21 in the clear but receives an error on the same client if they try to use SSL/TLS (active FTP).
Answer
In this situation it was found that the FTP server was configured (defaulted) to the draft level of the FTP/TLS RFCs. One effect of this is that the session is simply closed without first sending an SSL Close Alert message.
If your TLSRFCLEVEL is configured as DRAFT, change it to TLSRFCLEVEL RFC4217. If it defaulted to DRAFT, add a TLSRFCLEVEL RFC4217 statement to the server's FTP.DATA input to change this behavior.
Specifying TLSRFCLEVEL does not affect the initial SSL handshake or the encryption of traffic; it changes the behavior when a session (or at least, SSL) ends. Specifically, configuring TLSRFCLEVEL RFC4217 causes an SSL Close alert packet to be sent before the TCP connection is actually closed (before the FIN is sent). Apparently the GnuTLS code used by FileZilla strictly enforces receipt of the alert, and errors out when a FIN arrives without the alert. So adding that configuration statement should resolve the problem with FileZilla not getting the LIST output.
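To confirm from a packet capture which shutdown behavior the server shows, the following added example (not part of the original document) walks the TLS record headers in the server-to-client bytes of a data connection and reports whether an alert record preceded the FIN. It assumes TLS 1.2 or earlier, where the record type is readable in the clear header; the function names and the sample byte strings are constructed for illustration.

```python
import struct

# Record content types carried in the 5-byte TLS record header (TLS 1.2 and earlier).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}


def walk_records(stream: bytes):
    """Yield (type_name, length) for each TLS record in one direction of a capture."""
    offset = 0
    while offset < len(stream):
        remaining = len(stream) - offset
        if remaining < 5:                       # FIN arrived inside a record header
            yield ("truncated", remaining)
            return
        ctype, major, _minor, length = struct.unpack_from("!BBBH", stream, offset)
        if ctype not in CONTENT_TYPES or major != 3:
            raise ValueError(f"not a TLS record header at offset {offset}")
        if remaining < 5 + length:              # FIN arrived inside a record body
            yield ("truncated", remaining)
            return
        yield (CONTENT_TYPES[ctype], length)
        offset += 5 + length


def classify_shutdown(server_to_client: bytes) -> str:
    """Describe how the server ended the TLS session before sending its FIN."""
    records = list(walk_records(server_to_client))
    if not records:
        return "no TLS data"
    last_type, _ = records[-1]
    if last_type == "alert":
        # The alert body is encrypted after the handshake, so only the record
        # type is visible here, not which alert was sent.
        return "alert before FIN"
    if last_type == "truncated":
        return "FIN mid-record"
    return "FIN without alert"


def record(ctype: int, payload: bytes) -> bytes:
    """Build a constructed TLS 1.2 record for the sample streams below."""
    return struct.pack("!BBBH", ctype, 3, 3, len(payload)) + payload


# Constructed samples (handshake records omitted): encrypted LIST output only,
# then the same output followed by an encrypted alert record.
LISTING = record(23, b"\x00" * 64)
DRAFT_STYLE = LISTING
RFC4217_STYLE = LISTING + record(21, b"\x00" * 26)
```

A result of "FIN without alert" on the data connection matches the DRAFT behavior described above; "alert before FIN" is what TLSRFCLEVEL RFC4217 should produce.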
Product Synonym
ZOSCS COMMSERVER
Document Information
Modified date:
11 September 2015
UID
dwa1213452