KB Article #193500

Client-initiated PeSIT transfers with GoAnywhere and Connect:Express clients

Problem

The PeSIT clients GoAnywhere and Connect:Express can communicate with SecureTransport in Plain mode (no encryption) or in TLS Legacy and Compatibility mode.


SecureTransport provides several separate listeners for the following PeSIT modes with their respective default ports:


TCP Port 17617 - PeSIT over Plain Socket (Plain mode)

TCP Port 17627 - PeSIT over Secure Socket (TLS mode)

TCP Port 17637 - PeSIT over Secure Socket (TLS Legacy mode)

TCP Port 17657 - PeSIT over Secure Socket (TLS Legacy and Compatibility mode)

TCP Port 19617 - PeSIT over pTCP Plain Socket

TCP Port 19627 - PeSIT over pTCP Secure Socket


An issue was discovered in SecureTransport (ST) versions 5.5-20250731 to 5.5-20260331: the PeSIT over Secure Socket (TLS mode) listener always starts first, even if it is disabled. The listener binds to its configured port, but if the port field was left blank, it uses a port from the other listeners. This can lead to a collision: the listener for PeSIT over Secure Socket (TLS Legacy and Compatibility mode) cannot bind to its port because the port is already in use by the PeSIT over Secure Socket (TLS mode) listener. No message indicates that the TLS Legacy and Compatibility mode listener did not start.


As a result, the wrong service is running on the TLS Legacy and Compatibility mode port, and PeSIT clients such as GoAnywhere and Connect:Express can no longer connect to ST after an upgrade to any of the above-mentioned ST versions.


Examples of problematic configurations:


1. The same TCP port number is configured for both TLS mode (disabled) and TLS Legacy and Compatibility mode.



2. The TCP port number for TLS mode (disabled) is left blank.
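
A pre-upgrade check for the two problematic configurations above, as an added example that is not part of the original article or of SecureTransport. The dictionary layout, function names and finding labels are assumptions for illustration, and the check generalizes case 1 to any enabled listener that shares the TLS mode port.

```python
# Added example. The dict layout is an assumption, not ST's configuration format.
TLS = "PeSIT over Secure Socket (TLS mode)"
TLS_LC = "PeSIT over Secure Socket (TLS Legacy and Compatibility mode)"
PLAIN = "PeSIT over Plain Socket (Plain mode)"


def audit_pesit_ports(listeners):
    """Return (finding, listener, port) tuples for risky PeSIT port settings.

    listeners maps a listener name to {"enabled": bool, "port": int or None};
    None means the port field was left blank.
    """
    findings = []
    tls_port = listeners.get(TLS, {}).get("port")
    # On the affected versions the TLS mode listener starts first even when
    # disabled, so its port is checked regardless of its enabled flag.
    if tls_port is None:
        # Blank port: the listener takes a port from the other listeners.
        findings.append(("blank-tls-port", TLS, None))
        return findings
    for name, cfg in listeners.items():
        if name != TLS and cfg.get("enabled") and cfg.get("port") == tls_port:
            findings.append(("port-collision", name, tls_port))
    return findings


def propose_tls_port(listeners, candidates):
    """First candidate port not configured on any other listener, else None."""
    used = {cfg.get("port") for name, cfg in listeners.items() if name != TLS}
    return next((p for p in candidates if p not in used), None)


# Constructed sample configurations; ports are the defaults listed in the article.
BASE = {PLAIN: {"enabled": True, "port": 17617},
        TLS_LC: {"enabled": True, "port": 17657}}
SAME_PORT = {**BASE, TLS: {"enabled": False, "port": 17657}}   # case 1
BLANK_PORT = {**BASE, TLS: {"enabled": False, "port": None}}   # case 2
GOOD = {**BASE, TLS: {"enabled": False, "port": 17627}}

if __name__ == "__main__":
    for label, cfg in (("same port", SAME_PORT), ("blank port", BLANK_PORT),
                       ("good", GOOD)):
        print(label, audit_pesit_ports(cfg))
    print("proposed TLS mode port:",
          propose_tls_port(SAME_PORT, [17657, 17617, 17627]))
```

The check looks only at configured values; it does not test whether a proposed port is actually free on the host.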



Resolution

Configure any available TCP port for PeSIT over Secure Socket (TLS mode) that is different from the TCP port for PeSIT over Secure Socket (TLS Legacy and Compatibility mode). Here is an example of a good configuration: