I would appreciate any advice on the problem below:
I have a problem connecting to a z/OS FTPS server when I choose the TLS 1.2 protocol:
leonidt@zdsdeveng03:/gsa/pokgsa/home/l/e/leonidt/20190114_Switch2lftp> ~/local/bin/lftp -u us15030,******** ftp://bldbmsa.boulder.ibm.com
lftp us15030@bldbmsa.boulder.ibm.com:~> set ftp:ssl-allow true
lftp us15030@bldbmsa.boulder.ibm.com:~> set ftp:ssl-force true
lftp us15030@bldbmsa.boulder.ibm.com:~> set ftp:ssl-protect-data true
lftp us15030@bldbmsa.boulder.ibm.com:~> set ftp:ssl-protect-list true
lftp us15030@bldbmsa.boulder.ibm.com:~> set ssl:priority NORMAL:+VERS-TLS1.2
lftp us15030@bldbmsa.boulder.ibm.com:~> set ssl:ca-file "/etc/ssl/private/vsftpd.pem"
lftp us15030@bldbmsa.boulder.ibm.com:~> ls
**ls: Fatal error: gnutls_handshake: A TLS fatal alert has been received.**
lftp us15030@bldbmsa.boulder.ibm.com:~> quit
While it works fine with TLS 1.1:
leonidt@zdsdeveng03:/gsa/pokgsa/home/l/e/leonidt/20190114_Switch2lftp> ~/local/bin/lftp -u us15030,******** ftp://bldbmsa.boulder.ibm.com
lftp us15030@bldbmsa.boulder.ibm.com:~> set ftp:ssl-allow true
lftp us15030@bldbmsa.boulder.ibm.com:~> set ftp:ssl-force true
lftp us15030@bldbmsa.boulder.ibm.com:~> set ftp:ssl-protect-data true
lftp us15030@bldbmsa.boulder.ibm.com:~> set ftp:ssl-protect-list true
lftp us15030@bldbmsa.boulder.ibm.com:~> set ssl:priority NORMAL:+VERS-TLS1.1
lftp us15030@bldbmsa.boulder.ibm.com:~> set ssl:ca-file "/etc/ssl/private/vsftpd.pem"
lftp us15030@bldbmsa.boulder.ibm.com:~> ls
Volume Unit Referred Ext Used Recfm Lrecl BlkSz Dsorg Dsname
Migrated BMSB.SPFTEMP0.CNTL
Migrated BMSB.SPFTEMP1.CNTL
PRR3Q4 3390 2019/01/17 1 1 FB 80 8000 PO CISF.JCL
PRR3P4 3390 2019/01/17 1 2 FB 80 8000 PO CISF.PROC
PRR612 3390 2019/01/22 122500 VB 1000 10000 PS CISF.TEST.CSV
PRR3S0 3390 2019/01/22 1 2 FB 80 8000 PO CISF.UTIL
Migrated CSSLIB
I am using lftp version 4.8.4 on a SuSE Linux host:
uname -a
Linux zdsdeveng03 3.0.101-108.84-default #1 SMP Fri Nov 30 15:57:27 UTC 2018 (7a72692) s390x s390x s390x GNU/Linux
It does not look like an FTPS host-side problem, because curl works fine with it using TLS 1.2:
curl --ftp-ssl --tlsv1.2 --cacert /etc/ssl/private/vsftpd.pem --use-ascii -v -T unzip1.jcl ftp://us15030:********@bldbmsa.boulder.ibm.com//tmp/
* Hostname was NOT found in DNS cache
* Trying 9.17.211.10...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Connected to bldbmsa.boulder.ibm.com (9.17.211.10) port 21 (#0)
< 220-FTPDA1 IBM FTP CS V2R2 at BLDBMSA.BOULDER.IBM.COM, 15:02:51 on 2019-01-23.
< 220 Connection will close if idle for more than 5 minutes.
> AUTH SSL
< 234 Security environment established - ready for negotiation
* successfully set certificate verify locations:
* CAfile: /etc/ssl/private/vsftpd.pem
CApath: /etc/ssl/certs/
* SSLv3, TLS handshake, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Server hello (2):
{ [data not shown]
* SSLv3, TLS handshake, CERT (11):
{ [data not shown]
* SSLv3, TLS handshake, Server finished (14):
{ [data not shown]
* SSLv3, TLS handshake, Client key exchange (16):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Finished (20):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
{ [data not shown]
* SSLv3, TLS handshake, Finished (20):
{ [data not shown]
*** SSL connection using TLSv1.2 / AES256-SHA256**
* Server certificate:
* subject: C=US; ST=Boulder, CO; L=Boulder, CO; O=ibm.com; OU=IZUDFLT; CN=bldbmsa.boulder.ibm.com; UID=111618631; mail=marpas@br.ibm.com
* start date: 2017-01-27 05:00:00 GMT
* expire date: 2020-01-27 04:59:59 GMT
* common name: bldbmsa.boulder.ibm.com (matched)
* issuer: C=US; O=International Business Machines Corporation; CN=IBM INTERNAL INTERMEDIATE CA
* SSL certificate verify ok.
> USER us15030
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0< 331 Send password please.
> PASS ********
< 230 US15030 is logged on. Working directory is "US15030.".
> PBSZ 0
< 200 Protection buffer size accepted
> PROT P
< 200 Data connection protection set to private
> PWD
< 257 "'US15030.'" is working directory.
> SYST
* Entry path is ''US15030.''
< 215 MVS is the operating system of this server. FTP Server is running on z/OS.
> CWD /
* ftp_perform ends with SECONDARY: 0
< 250 HFS directory / is the current working directory
> CWD tmp
< 250 HFS directory /tmp is the current working directory
> EPSV
* Connect data stream passively
< 229 Entering Extended Passive Mode (|||35858|)
* Hostname was NOT found in DNS cache
* Trying 9.17.211.10...
* Connecting to 9.17.211.10 (9.17.211.10) port 35858
* Connected to bldbmsa.boulder.ibm.com (9.17.211.10) port 21 (#0)
> TYPE A
< 200 Representation type is Ascii NonPrint
> STOR unzip1.jcl
< 125 Storing data set /tmp/unzip1.jcl
* Doing the SSL/TLS handshake on the data stream
* successfully set certificate verify locations:
* CAfile: /etc/ssl/private/vsftpd.pem
CApath: /etc/ssl/certs/
* SSL re-using session ID
* SSLv3, TLS handshake, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Server hello (2):
{ [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
{ [data not shown]
* SSLv3, TLS handshake, Finished (20):
{ [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Finished (20):
} [data not shown]
*** SSL connection using TLSv1.2 / AES256-SHA256**
* Server certificate:
* subject: C=US; ST=Boulder, CO; L=Boulder, CO; O=ibm.com; OU=IZUDFLT; CN=bldbmsa.boulder.ibm.com; UID=111618631; mail=marpas@br.ibm.com
* start date: 2017-01-27 05:00:00 GMT
* expire date: 2020-01-27 04:59:59 GMT
* common name: bldbmsa.boulder.ibm.com (matched)
* issuer: C=US; O=International Business Machines Corporation; CN=IBM INTERNAL INTERMEDIATE CA
* SSL certificate verify ok.
} [data not shown]
* We are completely uploaded and fine
* Remembering we are in dir "/tmp/"
* SSLv3, TLS alert, Client hello (1):
} [data not shown]
< 250 Transfer completed successfully.
101 1245 0 0 101 1264 0 3721 --:--:-- --:--:-- --:--:-- 3739
* Connection #0 to host bldbmsa.boulder.ibm.com left intact
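To take GnuTLS (lftp) and OpenSSL-via-curl out of the picture, here is a small reproduction, added here and not part of the post, of lftp, or of curl: it performs the explicit FTPS control-channel exchange shown in the curl trace (AUTH TLS, handshake, PBSZ 0, PROT P) with Python's ssl module pinned to a single protocol version, so the same TLS 1.1 versus TLS 1.2 comparison can be made with a third TLS stack and the exact handshake failure captured. The function names, the `"TLSv1_1"`/`"TLSv1_2"` version strings and the CA-file argument are my own choices; run it as `probe("bldbmsa.boulder.ibm.com", "TLSv1_2", cafile="/etc/ssl/private/vsftpd.pem")`.

```python
import io, socket, ssl

def make_context(version, cafile=None):
    # Offer exactly one protocol version ("TLSv1_1", "TLSv1_2", ...): the
    # equivalent of lftp's ssl:priority NORMAL:+VERS-TLS1.x or curl --tlsv1.2.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion[version]
    return ctx

def read_reply(f):
    # One FTP reply ("NNN-" opens a multi-line reply that ends at "NNN ");
    # accepts a socket file or captured bytes, so it can be checked offline.
    f = io.BytesIO(f) if isinstance(f, bytes) else f
    lines = [f.readline().decode("latin-1").rstrip("\r\n")]
    code = lines[0][:3]
    if not code.isdigit():
        raise ConnectionError("control connection closed or garbled reply")
    while lines[0][3:4] == "-" and not lines[-1].startswith(code + " "):
        line = f.readline()
        if not line:
            raise ConnectionError("control connection closed mid-reply")
        lines.append(line.decode("latin-1").rstrip("\r\n"))
    return int(code), "\n".join(lines)

def probe(host, version, cafile=None, port=21, timeout=15):
    # Control connection -> AUTH TLS -> handshake pinned to `version`
    # -> PBSZ 0 / PROT P, i.e. the control-channel steps curl shows above.
    result = {"offered": version, "negotiated": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            f = sock.makefile("rb")
            read_reply(f)  # 220 greeting
            sock.sendall(b"AUTH TLS\r\n")
            code, text = read_reply(f)
            if code != 234:
                return dict(result, error=text)
            with make_context(version, cafile).wrap_socket(sock, server_hostname=host) as tls:
                result["negotiated"] = "%s / %s" % (tls.version(), tls.cipher()[0])
                tf = tls.makefile("rb")
                for cmd in (b"PBSZ 0\r\n", b"PROT P\r\n"):
                    tls.sendall(cmd)
                    code, text = read_reply(tf)
                    if code != 200:
                        return dict(result, error=text)
                tls.sendall(b"QUIT\r\n")
    except ssl.SSLError as exc:  # includes a fatal alert sent by the server
        result["error"] = "TLS handshake failed: %s" % exc
    except OSError as exc:
        result["error"] = str(exc)
    return result
```

A run that ends with `error` set to a handshake failure while `probe(host, "TLSv1_1", ...)` succeeds points at what the server accepts in the ClientHello (cipher suites, extensions, or version) rather than at lftp's configuration; one where both succeed points back at the GnuTLS priority string.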