PI18664: FTP USING ZOS FTP CLIENT TO ZOS ATTLS PROTECTED FTP SERVER FAILS WITH '534 TLS NEGOTIATION FAILED -- DATA CONNECTIONCL

Obtain the fix for this APAR.

APAR status

• Closed as program error.

Error description

• An FTP using the zOS FTP client to an ATTLS protected zOS FTP
  server can fail with error 534 TLS negotiation failed -- data
  connection closed. This occurs only when the client issues CCC
  after successfully logging into the server.
  
  verification steps:
  problem only occurs with ATTLS not native SSL FTP protection.
  A corresponding FTP server trace with debug sec acc enabled
  will show the following error which caused the 534 message to
  be issued:
  compareCertAttls: Data connection certificate does not match
  control connection certificate
  endSecureConn: entered
  
  Additional Symptom(s) Search Keyword(s): FTP 534 ATTLS
  

Local fix

• code the following undocumented keyword in the FTP Server's FTP
  data file:
  tlscertcrosscheck = FALSE
  

Problem summary

• ****************************************************************
  * USERS AFFECTED:                                              *
  * All users of the IBM Communications Server                   *
  * for z/OS Version 2 Release 1                                 *
  * IP: FTP                                                      *
  ****************************************************************
  * PROBLEM DESCRIPTION:                                         *
  * When FTP ATTLS is used and TLSRFCLEVEL                       *
  * is set to RFC4217, after CCC command,                        *
  * data connection fails with 534 error                         *
  * TLS negotiation failed -- data                               *
  * connection closed.                                           *
  ****************************************************************
  * RECOMMENDATION:                                              *
  * Apply PTF                                                    *
  ****************************************************************
  For ATTLS when data connection is established, FTP server needs
  to get control connection certificate and data connection
  certificate. After CCC command, control connection certificate
  will not be got any more, so data connection fails.
  

Problem conclusion

• FTP server has been corrected.
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

  PI15989

• APAR is sysrouted TO one or more of the following:

  UI18377

Modules/Macros

• EZAFTPRX EZAFTPFU
  

Fix information

• Fixed component name

  TCP/IP V3 MVS

• Fixed component ID

  5655HAL00

Applicable component levels

• R210 PSY UI18377

     UP14/07/08 P F407

Fix is available

• Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.