Failed to Connect from z/OS v2.1 to Filezilla Server

Need help with FileZilla Server? Something does not work as expected? In this forum you may find an answer.

Moderator: Project members

Post Reply
Message
Author
sam_ok
503 Bad sequence of commands
Posts: 18
Joined: 2011-03-25 10:14
First name: Sam
Last name: Chan

Failed to Connect from z/OS v2.1 to Filezilla Server

#1 Post by sam_ok » 2020-02-03 09:34

I have already upgraded the Filezilla server to the latest version, i.e. 0.9.60.2. I have already configured z/OS host using AT-TLS. I tried to connect from host to Filezilla server but failed with the following messages:

FTP -d -r TLS 192.168.xxx.xxx
GU5279 dspyFixLevel: Fix Level: NONEFND Data: EZBOECPR
GU5279 dspyFixLevel: Fix Level: " Data: EZAAE061 20120730230600010100
GU5279 dspyFixLevel: Fix Level: HIP6210 Data: EZAFTPMG EZAFTPCF EZAFTPCV EZAFTPC1
GU5279 dspyFixLevel: Fix Level: " Data: EZAFTPDA EZAFTPGA EZAFTPG1 EZAFTPG2
GU5279 dspyFixLevel: Fix Level: " Data: EZAFTPIO EZAFTPMA EZAFTPMB EZAFTPMC
GU5279 dspyFixLevel: Fix Level: " Data: EZAFTPMU EZAFTPMW EZAFTPMZ EZBCRSTK
GU5279 dspyFixLevel: Fix Level: " Data: EZBMSGMC EZBMSGMI EZBMSGPL EZBPAGLU
GU5279 dspyFixLevel: Fix Level: " Data: EZBPAINX EZBWTOCR EZBWTODM EZAFTPCA
GU5279 dspyFixLevel: Fix Level: " Data: EZAFTPCB EZAFTPCC EZAFTPCD EZAFTPCK
GU5279 dspyFixLevel: Fix Level: " Data: EZAFTPCL EZAFTPCP EZAFTPCR EZAFTPCT
GU5279 dspyFixLevel: Fix Level: " Data: EZAFTPCU EZAFTPCX EZAFTPED EZAFTPET
GU5279 dspyFixLevel: Fix Level: " Data: EZAFTPFC EZAFTPGV EZAFTPMF EZAFTPMK
GU5279 dspyFixLevel: Fix Level: " Data: EZAFTPMQ EZAFTPMV EZAFTPMY EZAFTPNC
GU5279 dspyFixLevel: Fix Level: " Data: EZAFTPNX EZAFTPNY EZAFTPPC EZBMSTCC
GU5279 dspyFixLevel: Fix Level: UI13000 Data: EZAFTPMD
GU5279 dspyFixLevel: Fix Level: UK94777 Data: EZAITUTI
GU5279 dspyFixLevel: Fix Level: UK96154 Data: EZAFTPF4
GU5279 dspyFixLevel: Fix Level: UK96700 Data: EZAFTPFU
GU5279 dspyFixLevel: Fix Level: UK97738 Data: EZAFTPCY EZAFTPCZ EZAFTPEA EZAFTPEJ
GU5279 dspyFixLevel: Fix Level: " Data: EZAFTPEP EZAFTPER EZAFTPGU EZAFTPMR
GU5279 dspyFixLevel: Fix Level: " Data: EZAFTPSC
GU5279 dspyFixLevel: Fix Level: UK98646 Data: EZAFTPCG EZAFTPTI EZAFTPTO
GU5279 dspyFixLevel: Fix Level: 66/ 66 Data: OBJECTS PROCESSED. AV-BUFR: 0003823
EP1185 read_ftpdata: entered
EP0508 init_config_defaults: entered
EZY2640I Using dd:SYSFTPD=TCPIP.FTP.DATA.BATCH for local site configuration parameters.
EP0733 processStatement: entered
ED1523 filetype: entered
EP0733 processStatement: entered
ET0646 ftpUmask: entered
EP0733 processStatement: entered
EP0733 processStatement: entered
EA0876 blocksize: entered
EP0733 processStatement: entered
ED0807 directory: entered
EP0733 processStatement: entered
EJ0940 lrecl: entered
EP0733 processStatement: entered
EJ1668 pdstype: entered
EP0733 processStatement: entered
EJ1974 primary: entered
EP0733 processStatement: entered
ER0199 recfm: entered
EP0733 processStatement: entered
ER0545 retpd: entered
EP0733 processStatement: entered
ER0909 secondary: entered
EP0733 processStatement: entered
ER2283 spacetype: entered
EP0733 processStatement: entered
ET0456 ucount: entered
EP0733 processStatement: entered
ET0989 vcount: entered
EP0733 processStatement: entered
EP0733 processStatement: entered
EP0733 processStatement: entered
EP0733 processStatement: entered
EP0733 processStatement: entered
EA0942 bufno: entered
EP0733 processStatement: entered
EA1452 conddisp: entered
EP0733 processStatement: entered
EP0733 processStatement: entered
EP0733 processStatement: entered
EJ1212 migratevol: entered
EP0733 processStatement: entered
EP0733 processStatement: entered
EP0733 processStatement: entered
EP0733 processStatement: entered
EP0733 processStatement: entered
EP0733 processStatement: entered
EP0733 processStatement: entered
ED1286 extensions: entered
EZYFT47I dd:SYSFTPD=TCPIP.FTP.DATA.BATCH file, line 371: Ignoring keyword "EXTENSIONS".
EP0733 processStatement: entered
EP0733 processStatement: entered
EP0733 processStatement: entered
ED0357 db2: entered
EP0733 processStatement: entered
ED0417 db2plan: entered
EP0733 processStatement: entered
EP0733 processStatement: entered
ER2356 sqlcol: entered
EP0733 processStatement: entered
ER1337 secure_mechanism: entered
EP0733 processStatement: entered
ER1129 secure_ftp: entered
EP0733 processStatement: entered
ER0973 secure_ctrlconn: entered
EP0733 processStatement: entered
ER1049 secure_dataconn: entered
EP0733 processStatement: entered
EP0733 processStatement: entered
ET0229 tlsrfclevel: entered
EP0733 processStatement: entered
ET0117 tlsmechanism: entered
EP0733 processStatement: entered
EA0998 cconntime: entered
EP0733 processStatement: entered
ED0179 datacttime: entered
EP0733 processStatement: entered
ED0545 dconntime: entered
EP0733 processStatement: entered
ED1663 ftpkeepalive: entered
EP0733 processStatement: entered
ED1847 inacttime: entered
EP0733 processStatement: entered
EJ1366 myopentime: entered
EP0733 processStatement: entered
EJ2033 progress: entered
EP0733 processStatement: entered
EA1198 chkptint: entered
EP0733 processStatement: entered
EP0733 processStatement: entered
EA1236 chkptprefix: entered
EP0733 processStatement: entered
EP0733 processStatement: entered
ED1267 epsv4: entered
CY2533 ftpSocks: entered
CY2426 findSocks: entered
CY1055 ftpStart: ftp.data processing and start parameter processing is complete.
GU1127 chkVerRel: system information for PRDA: z/OS version 2 release 1 (2828)
EZYFT25I Using //'TCPIP.STANDARD.TCPXLBIN' for FTP translation tables for the control connection.
EZYFT31I Using //'TCPIP.STANDARD.TCPXLBIN' for FTP translation tables for the data connection.
EP2553 set_dbcs_langs: __ipdbcs() returned 0 parms from LOADDBCSTABLES statement(s)
EZA1450I IBM FTP CS V2R1
EZYFT18I Using catalog '/usr/lib/nls/msg/C/ftpdmsg.cat' for FTP messages.
CU3913 defineUserExit: entered
CU3913 defineUserExit: entered
CY1416 ftpStart: socket() failed on AF_INET6 - EDC8114I Address family not supported. (errno2=0x112B0000)
CY1424 ftpStart: client operating in IPv4 only mode
CZ0324 ftpOpen: entered
CU3963 queryUserExit: entered
CU3963 queryUserExit: entered
GU5304 initADcontainer: entered
GU5304 initADcontainer: entered
SC0494 initConnection: entered
SC0939 initIPv4Connection: entered
CY3194 access_via_socks_server: entered
EZA1554I Connecting to: 192.168.xxx.xxx port: 21.
220-***************************************
220-Unauthorized access prohibited.
220-
220-MK Sessions may be monitored.
220 ****************************************
GU5349 ftpSetApplData: entered
FC2723 ftpAuthAttls: No AT-TLS policy matched connection
EZA2897I Authentication negotiation failed
CZ0740 SETCEC code = 17
EZA2898I Unable to successfully negotiate required authentication
CZ1434 ftpClose: entered
EZA1701I >>> QUIT
221 Goodbye
SC3509 endSession: entered (sn=19D09B08)
SC2675 dataClose: entered
EZA1460I Command:

What's wrong with it?

User avatar
botg
Site Admin
Posts: 32975
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: Failed to Connect from z/OS v2.1 to Filezilla Server

#2 Post by botg » 2020-02-03 10:28

FC2723 ftpAuthAttls: No AT-TLS policy matched connection
EZA2897I Authentication negotiation failed
CZ0740 SETCEC code = 17
EZA2898I Unable to successfully negotiate required authentication
That appears to be the problem. The client does not even send an AUTH command.

sam_ok
503 Bad sequence of commands
Posts: 18
Joined: 2011-03-25 10:14
First name: Sam
Last name: Chan

Re: Failed to Connect from z/OS v2.1 to Filezilla Server

#3 Post by sam_ok » 2020-02-04 02:21

After updating host config, I tried again. I could successfully connect with Filezilla server in secured channel. But when I typed 'dir', it came out with the following error messages:

331 Password required for xxxxxx

EZA1789I PASSWORD:

EZA1701I >>> PASS
230 Logged on
GU5349 ftpSetApplData: entered
CU2943 write_smf_record: entered with type -2.
CU1916 write_smfTable_record_119: entered with table index 1.
CU1720 subtype_103: entered
CU1778 build_security_section: entered
GU5349 ftpSetApplData: entered
EZA1460I Command:
dir
PC0365 parseCmd: subcommand: dir
SC1360 initDsConnection: entered
EZA1701I >>> EPSV
229 Entering Extended Passive Mode (|||57329|)
EZA1701I >>> LIST
SC2019 connDsConnection: entered
SC2113 connDsConnectionIPv4: entered
GU5349 ftpSetApplData: entered
150 Opening data channel for directory listing of "/"
FU1364 protDataConnAttls: ioctl() failed on SIOCTTLSCTL - EDC8121I Connection reset. (errno2=0x77A9733D)
FU1904 getNegotiatedTLSvalues: ioctl() failed on SIOCTTLSCTL - EDC8124I Socket
not connected. (errno2=0x77B77221)
GU5349 ftpSetApplData: entered
CA1582 SETCEC code = 17
EZA2870I TLS security mechanism negotiation failed - data connection closed
SC2675 dataClose: entered
450 TLS session of data connection has not resumed or the session does not match the control connection
EZA1460I Command:

sam_ok
503 Bad sequence of commands
Posts: 18
Joined: 2011-03-25 10:14
First name: Sam
Last name: Chan

Re: Failed to Connect from z/OS v2.1 to Filezilla Server

#4 Post by sam_ok » 2020-02-04 03:43

There is something wrong when opening the data channel.

User avatar
botg
Site Admin
Posts: 32975
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: Failed to Connect from z/OS v2.1 to Filezilla Server

#5 Post by botg » 2020-02-04 07:26

Your client needs to resume the TLS session of the control connection for the data connection. This is a security feature necessary to prevent data connection stealing attacks.

sam_ok
503 Bad sequence of commands
Posts: 18
Joined: 2011-03-25 10:14
First name: Sam
Last name: Chan

Re: Failed to Connect from z/OS v2.1 to Filezilla Server

#6 Post by sam_ok » 2020-02-04 09:35

I am afraid to tell but z/OS ftp client support for resuming SSL sessions has been added with z/OS 2.2. We are using z/OS 2.1.

z/OS 2.1 only supports resume of SSL sessions for z/OS ftp server only. Could Filezilla ftp server be reconfigured to set resume of SSL sessions to be OPTIONAL?

User avatar
boco
Contributor
Posts: 25154
Joined: 2006-05-01 03:28
Location: Germany

Re: Failed to Connect from z/OS v2.1 to Filezilla Server

#7 Post by boco » 2020-02-04 11:23

Image

Sure, just uncheck the marked setting's checkbox. Be aware of the resulting consequences of disabling a security feature.

I'm pretty sure the new rewritten FileZilla Server will NOT allow disabling that feature, anymore.
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Do yourself a favor and read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
### END SIGNATURE BLOCK ###

User avatar
botg
Site Admin
Posts: 32975
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: Failed to Connect from z/OS v2.1 to Filezilla Server

#8 Post by botg » 2020-02-04 14:39

Why not simply update to a more recent operating system version?

sam_ok
503 Bad sequence of commands
Posts: 18
Joined: 2011-03-25 10:14
First name: Sam
Last name: Chan

Re: Failed to Connect from z/OS v2.1 to Filezilla Server

#9 Post by sam_ok » 2020-02-05 07:42

It requires at least 1-year work which our whole company cannot afford right now.

sam_ok
503 Bad sequence of commands
Posts: 18
Joined: 2011-03-25 10:14
First name: Sam
Last name: Chan

Re: Failed to Connect from z/OS v2.1 to Filezilla Server

#10 Post by sam_ok » 2020-02-12 03:43

Hi Boco,

Do you have a timeline on FileZilla server upgrade? May you consider retaining the option of TLS session resume feature in future version and not make it a mandatory feature because not many companies are ready to upgrade their own OS to facilitate this change?

sam_ok
503 Bad sequence of commands
Posts: 18
Joined: 2011-03-25 10:14
First name: Sam
Last name: Chan

Re: Failed to Connect from z/OS v2.1 to Filezilla Server

#11 Post by sam_ok » 2020-02-12 06:17

Maybe I targeted the wrong audience.

Hi FileZilla Creators,

Do you have a timeline on FileZilla server upgrade? The latest version was released on 8 Feb 2017. As not many companies are ready to upgrade their own OS to facilitate this change, may you consider retaining the option of 'TLS session resume' feature in future version and not make it mandatory?

User avatar
botg
Site Admin
Posts: 32975
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: Failed to Connect from z/OS v2.1 to Filezilla Server

#12 Post by botg » 2020-02-12 08:18

When it's done.

Unfortunately due to the laziness of certain actors when it comes to upgrading their systems, at some point it becomes necessary to force them to upgrade.

Post Reply