
Re: Protecting telnet 3270 sessions

Michael,

VM/370 knows nothing about TN3270 or IP. All it sees is a local 3270 session. If you wanted a secure session into VM you would actually need to update Hercules.

Can someone tell me why you would encrypt 3270 comms into a legacy Hercules instance? What is someone going to learn from snooping on the traffic? A password for a 50 year old OS running in an isolated environment?

Dave

From: [email protected] <[email protected]> On Behalf Of Michael Grom
Sent: 11 March 2022 07:28
To: [email protected]
Subject: Re: [h390-vm] Protecting telnet 3270 sessions

Dear René, dear Gregg,

of course I will share my setup with the community asap. Just give me some time to prep things. For using stunnel4, one needs X.509 certificates which can be easily produced with "easy RSA". But more on this later.

@Gregg: An ssh tunnel is a viable option, however, it needs a user identity / account on the server side. If you don't want users of the mainframe system to be users of the hosting linux / unix / whatever system, I reckon that stunnel is the easier way.
For sure we know that hercules and the hosted mainframe OSes like VM/370 and MVS can't deal with TLS. This is where the server nature of stunnel4 comes to help. The inbound TLS connection is proxied unencrypted to the 3270 (or other comms) ports. Usually, x3270 can deal with SSL connections, but on the Macintosh, the x3270 seems to be utterly broken or I haven't figured out how it works on a Mac with the system keystore etc. I use stunnel4 on the Mac as a client, that is, my x3270 connects to let's say localhost:53270 plain text, stunnel connects to vmd33672.contaboserver.net:53270 with 2-way TLS and the server stunnel proxies the data to hercules, in this case VM/370 with hercules listening on 3271 (3270 taken by MVS).
I'll prep something with instructions on easy RSA how to create client, server and ca and intermediate certs and how to setup the stunnel for both client and server. This can be replicated to other TCP/IP comms as well (thinking of HNET for example).

kind regards
Michael
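
For readers who want to try the arrangement Michael describes before he posts his own files, here is an added example of the two stunnel configurations (one per side) that implement it. This is not Michael's setup and not part of the original thread; the hostname and port numbers are the ones quoted in his message, while the certificate paths assume the easy-rsa 3 "pki" directory layout (ca.crt, issued/<name>.crt, private/<name>.key) copied to the locations shown, and the user name "michael" for the client certificate is made up for the example. stunnel does not accept trailing comments, so every comment sits on its own line.

```ini
; ===== Server side, on the host running Hercules: /etc/stunnel/vm370.conf =====
; Server certificate and key issued by the easy-rsa CA (assumed paths).
cert   = /etc/stunnel/pki/issued/vmd33672.contaboserver.net.crt
key    = /etc/stunnel/pki/private/vmd33672.contaboserver.net.key
; The CA that signed the *client* certificates.
CAfile = /etc/stunnel/pki/ca.crt
; verify = 2: require a client certificate and check it against CAfile.
; This is what makes the connection "2-way" (mutual) TLS; without a cert
; signed by the CA the TLS handshake fails before a byte reaches Hercules.
verify = 2
; Optional: revoke individual users without re-issuing the CA (easy-rsa gen-crl).
; CRLfile = /etc/stunnel/pki/crl.pem
pid    = /var/run/stunnel-vm370.pid
; Drop privileges after binding; "stunnel4" is the account the Debian/Ubuntu package creates.
setuid = stunnel4
setgid = stunnel4

[vm370-3270]
; TLS listener reachable from the outside.
accept  = 0.0.0.0:53270
; Hercules console port for VM/370 (3270 is taken by MVS). This hop is plaintext,
; so Hercules should listen on loopback only or 3271 must be firewalled off.
connect = 127.0.0.1:3271

; ===== Client side, on the Mac: ~/stunnel/vm370-client.conf =====
client = yes
; Per-user client certificate from the same CA (assumed name and paths).
cert   = /Users/michael/pki/issued/michael.crt
key    = /Users/michael/pki/private/michael.key
CAfile = /Users/michael/pki/ca.crt
; verify = 2: the server must present a certificate that chains to CAfile.
verify = 2
; Also check that the server certificate was issued for this host name
; (stunnel 5.x); otherwise any cert from the same CA would be accepted.
checkHost  = vmd33672.contaboserver.net
foreground = yes

[vm370-3270]
; x3270 connects here in plain text: x3270 localhost:53270
accept  = 127.0.0.1:53270
connect = vmd33672.contaboserver.net:53270
```

Start each side with `stunnel <path-to-conf>`, then point x3270 at `localhost:53270`. The two things worth checking afterwards are that a connection without a client certificate is refused (openssl s_client to port 53270 without -cert should fail the handshake) and that port 3271 on the server is not reachable from outside, since everything between stunnel and Hercules is still unencrypted.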
