As of: Kermit 95 2.1.3, C-Kermit 8.0.211
This File Last Updated: Tue Apr 27 14:12:45 2004


First Health Services Corporation is a provider for many state Medicare programs, including Alaska, Arkansas, Florida, Georgia, Kentucky, Maryland, Michigan, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New York, North Carolina, Ohio, Oklahoma, Oregon, Pennsylvania, South Carolina, Tennessee, Vermont, and Virginia. First Health requires FTP connections to be secured by SSL (TLS). Connections are to host on TCP port 21000 and should be in passive mode. This page describes how to set up connections to First Health from the Kermit FTP client: Kermit 95 for Windows or OS/2, or C-Kermit for Unix (Linux, Solaris, Mac OS X, HP-UX, AIX, Tru64, SCO, etc.).

CAUTIONS:

  1. As of 25 October 2003: First Health uses Ipswitch's WS-FTPD FTP server with the example X.509 certificate. This results in warnings if the certificate is validated because there is no proper hostname or IP address in the certificate to validate; thus the "set auth tls verify no" command is required until and unless First Health installs a valid X.509 certificate.

  2. As of 26 April 2004, the First Health Services FTP server no longer utilizes the Ipswitch certificate. Instead it now uses a certificate issued by Verisign, Inc. Unfortunately, the certificate installed on the FTP Server "" is issued to "". For this reason the certificate will fail verification. In addition, the "VeriSign International Server CA - Class 3" intermediate certificate as well as the "Class 3 Public Primary Certification Authority" root certificates provided by the FTP Server to authenticate the "" certificate expired on 7 January 2004. At the current time, it is still not possible for users of First Health Services to securely use their FTP Service. It is strongly advised that FHSC clients frequently change their password and perform additional data validation to ensure that man-in-the-middle attacks against them may be detected in ways other than the use of SSL/TLS.

  3. As of 27 April 2004 FHSC has updated the certificate assigned to "" to match the hostname. The problem with the use of expired intermediate certificates remains.

Use the following commands to access the First Health site. In addition, if your FTP client is behind a firewall, you will also need to configure your firewall to allow outbound sessions to be established on TCP ports 21001-21100 for the dynamic FTP data channel.

set auth tls verbose off    ; Or "on" for debugging
set auth tls debug off      ; ditto
set ftp debug off           ; ditto
set ftp verbose on          ; Or "off" for silent(er) running

set ftp dates on            ; Setting file dates works
set ftp filenames literal   ; Don't convert filenames
set auth tls verify no      ; Because of faulty host certificate

; NOTE: the "set auth tls verify no" command effectively disables secure
; authentication of the host, but is required due to expired certificates
; in the host certificate chain.  Use "set auth tls verify peer-cert" to
; check certs per cautions above and then if any certs are invalid you must
; manually grant permission to proceed.  If they are all OK, then you can
; replace "no" in the command above with "peer-cert".

set ftp autologin on
set ftp passive on
set ftp autoauthentication on
set ftp autoencryption on
set ftp credential-forwarding off
set ftp authtype tls
set ftp server-character-set ascii
set ftp character-set-translation off
ftp open 21000 /user:username
if success {
    set ftp command-protection-level private
    set ftp data-protection-level private
}
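
While "set auth tls verify no" is in force, one way to perform the additional validation the second caution calls for is to pin the server certificate's SHA-256 fingerprint and check it before logging in. This is an added example, not part of the original page or of Kermit; it assumes Python's standard library and a fingerprint obtained out of band from FHSC, the function names are hypothetical, and the hostname is left as a parameter.

```python
import hashlib
import hmac
import ssl
from ftplib import FTP_TLS

FHSC_PORT = 21000  # control port given on this page


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of a DER-encoded certificate as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned_fp: str) -> bool:
    """Compare against a pin given as 'AA:BB:...' or plain hex."""
    wanted = pinned_fp.replace(":", "").replace(" ", "").lower()
    return hmac.compare_digest(fingerprint(der_cert), wanted)


def fetch_server_cert(host: str, port: int = FHSC_PORT) -> bytes:
    """Issue AUTH TLS and return the server's leaf certificate (DER).

    Chain and hostname checks are off, as with "set auth tls verify no";
    no username or password is sent before the pin has been checked.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ftp = FTP_TLS(context=ctx, timeout=15)
    try:
        ftp.connect(host, port)
        ftp.auth()  # TLS handshake on the control channel only
        return ftp.sock.getpeercert(binary_form=True)
    finally:
        ftp.close()


def server_is_expected(host: str, pinned_fp: str) -> bool:
    """True only if the live server presents the pinned certificate."""
    return pin_matches(fetch_server_cert(host), pinned_fp)


if __name__ == "__main__":
    # Constructed bytes standing in for a certificate, so this runs offline.
    sample = b"constructed stand-in for DER certificate bytes"
    pin = fingerprint(sample)
    print(pin_matches(sample, pin))            # same certificate
    print(pin_matches(sample + b"\x00", pin))  # substituted certificate
```

Run the check before each session and do not start the Kermit script if it fails. The pin has to be obtained again whenever FHSC replaces its certificate.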

You can use the same commands in C-Kermit and Kermit 95. In Kermit 95, you can also create the connection by making a Dialer entry and filling in its General, FTP, and TLS pages with the corresponding information.

Also see: Accessing IBM Information Exchange with the Kermit FTP Client


First Health FTP Site / Kermit Project / Columbia University /