IBM Support

PK76351: SECURE FTP REJECTS REDUNDANT PROT P COMMANDS WITH 503 REPLY CODE

A fix is available


APAR status

  • Closed as program error.

Error description

  • When the z/VM FTP server is configured to use dynamic SSL (TLS),
    it currently requires a PBSZ command to be issued prior to
    each and every issuance of a PROT command.  If a PROT command
    is received that has not had a PBSZ command issued since the
    last PROT command was received, the PROT command is rejected
    with '503 Bad sequence of commands'.  Referring to RFCs
    2228 and 4217, it seems as though only one PBSZ command should
    be required prior to any number of PROT commands.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All z/VM FTP server users using Dynamic SSL  *
    *                 (TLS).                                       *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    ****************************************************************
    * RECOMMENDATION: APPLY PTF                                    *
    ****************************************************************
    When the z/VM FTP server is configured to use dynamic SSL (TLS)
    and the FTP server has successfully processed the first PROT P
    command issued on the FTP control connection, any redundant
    PROT P commands are rejected with '503 Bad sequence of
    commands'.  The FTP server incorrectly only allows a PROT P to
    be successfully processed if data connections are currently set
    to be clear.
    
    Also, the FTP server erroneously requires a PBSZ command to be
    issued prior to each and every PROT command.  According to RFC
    2228 (FTP Security Extensions) and RFC 4217 (Securing FTP with
    TLS) only one PBSZ command is required prior to any number of
    PROT commands.
    

Problem conclusion

  • Procedure DoProt() in FTSCMD PASCAL has been changed to allow
    redundant PROT commands to be processed successfully without
    requiring the data connection to be set up to be clear and
    without requiring a PBSZ command for each and every PROT
    command.  Once a PBSZ command has been processed successfully,
    further PBSZ commands are no longer required.
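
The sequencing described above, as an added Python model (not IBM's DoProt() code, which this page does not show). The class name, the `fixed` switch and the sample session are constructed for illustration, and AUTH TLS is assumed to have completed already.

```python
# Illustrative model of PBSZ/PROT sequencing on an FTP control connection.
# Constructed for this note; it is not the FTSCMD PASCAL source.

OK = "200"
BAD_SEQUENCE = "503"  # '503 Bad sequence of commands'


class ControlConnection:
    def __init__(self, fixed):
        self.fixed = fixed      # True: behaviour after the fix; False: before it
        self.pbsz_done = False  # has a PBSZ been processed successfully?
        self.data_level = "C"   # data connections start out clear

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.upper()
        if verb == "PBSZ":
            self.pbsz_done = True
            return OK
        if verb == "PROT" and arg in ("C", "P"):
            return self._prot(arg)
        raise ValueError("command outside this model: %r" % line)

    def _prot(self, level):
        # Both variants reject PROT when no PBSZ has been seen at all.
        if not self.pbsz_done:
            return BAD_SEQUENCE
        if not self.fixed:
            # Pre-fix defect: PROT P accepted only while data is clear.
            if level == "P" and self.data_level != "C":
                return BAD_SEQUENCE
            # Pre-fix defect: every PROT needs its own preceding PBSZ.
            self.pbsz_done = False
        self.data_level = level
        return OK


def replies(fixed, commands):
    """Run a command list through a fresh connection and collect reply codes."""
    conn = ControlConnection(fixed)
    return [conn.handle(c) for c in commands]


# Constructed session: one PBSZ, a redundant PROT P, then PBSZ plus PROT P again.
SESSION = ["PBSZ 0", "PROT P", "PROT P", "PBSZ 0", "PROT P"]

if __name__ == "__main__":
    print("pre-fix :", replies(False, SESSION))
    print("post-fix:", replies(True, SESSION))
```

In the pre-fix run the third command fails for lack of a fresh PBSZ and the fifth fails because data connections are already private, which is why a client that re-sends PROT P cannot recover by re-sending PBSZ.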
    

Temporary fix

Comments

APAR Information

  • APAR number

    PK76351

  • Reported component name

    TCP/IP V2 FOR V

  • Reported component ID

    5735FAL00

  • Reported release

    540

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2008-11-24

  • Closed date

    2009-02-11

  • Last modified date

    2010-08-18

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UK44037 UK44038

Modules/Macros

  •    FTSCMD   SRVRFTP
    

Fix information

  • Fixed component name

    TCP/IP V2 FOR V

  • Fixed component ID

    5735FAL00

Applicable component levels

  • R530 PSY UK44037

       UP09/02/13 P 0902

  • R540 PSY UK44038

       UP09/02/13 P 0901

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
27 January 2025