


Set the cipher suites for IBM System SSL connections.

C Declaration

tibems_status tibemsSSLParams_System_SetCiphers(
    tibemsSSLParams SSLParams,
    const char* ciphers );


COBOL Call

CALL "tibemsSSLParams_System_SetCiphers"
     USING BY VALUE SSLParams,
           BY REFERENCE ciphers,
           RETURNING tibems-status

Note: SSLParams has usage pointer.


| Parameter | Description |
|---|---|
| SSLParams | Set the value in this SSL parameter object. |
| ciphers | Specify the cipher suites that the client can use. Ciphers can be specified as a series of two or four character codes, or a series of short name string values, depending on the platform. |

The ciphers provided should conform to the cipher suite specifications for IBM System SSL:

  • For a detailed description of these ciphers on z/OS, see the IBM Cryptographic Services, System Secure Sockets Layer Programming bookshelf.
  • For a description of the ciphers on IBM i, refer to the IBM i Information Center, Communications, Socket Programming, Advanced socket concepts, Secure Sockets, Global Security Kit (GSKit) APIs.
  • Note that on IBM i the system values QSSLCSL, QSSLCSLCTL, and QSSLPCL control the ciphers and protocols that are supported.

Supported ciphers are listed below.


This parameter is connection-specific and can be specified for each connection. On z/OS, only the indicated CIPHERS are allowed in FIPS mode.

The following table lists ciphers which have been tested. However, many factors can affect the list of ciphers which work on a given site, so your list may be larger or smaller than this one.

| 2-Char Code | 4-Char Code | Short Name | Description | Use On | FIPS |
|---|---|---|---|---|---|
| 05 | 0005 | TLS_RSA_WITH_RC4_128_SHA | 128-bit RC4 encryption with SHA-1 message authentication and RSA key exchange. | z/OS, IBM i | No |
| 0A | 000A | TLS_RSA_WITH_3DES_EDE_CBC_SHA | 168-bit Triple DES encryption with SHA-1 message authentication and RSA key exchange. | z/OS, IBM i | Yes |
| 16 | 0016 | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA | 168-bit Triple DES encryption with SHA-1 message authentication and ephemeral Diffie-Hellman key exchange signed with an RSA certificate. | z/OS | Yes |
| 2F | 002F | TLS_RSA_WITH_AES_128_CBC_SHA | 128-bit AES encryption with SHA-1 message authentication and RSA key exchange. | z/OS, IBM i | Yes |
| 33 | 0033 | TLS_DHE_RSA_WITH_AES_128_CBC_SHA | 128-bit AES encryption with SHA-1 message authentication and ephemeral Diffie-Hellman key exchange signed with an RSA certificate. | z/OS | Yes |
| 35 | 0035 | TLS_RSA_WITH_AES_256_CBC_SHA | 256-bit AES encryption with SHA-1 message authentication and RSA key exchange. | z/OS, IBM i | Yes |
| 39 | 0039 | TLS_DHE_RSA_WITH_AES_256_CBC_SHA | 256-bit AES encryption with SHA-1 message authentication and ephemeral Diffie-Hellman key exchange signed with an RSA certificate. | z/OS | Yes |
| 3C | 003C | TLS_RSA_WITH_AES_128_CBC_SHA256 | 128-bit AES encryption with SHA-256 message authentication and RSA key exchange. | z/OS | Yes |
| 3D | 003D | TLS_RSA_WITH_AES_256_CBC_SHA256 | 256-bit AES encryption with SHA-256 message authentication and RSA key exchange. | z/OS | Yes |
| 67 | 0067 | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | 128-bit AES encryption with SHA-256 message authentication and ephemeral Diffie-Hellman key exchange signed with an RSA certificate. | z/OS | Yes |
| 6B | 006B | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | 256-bit AES encryption with SHA-256 message authentication and ephemeral Diffie-Hellman key exchange signed with an RSA certificate. | z/OS | Yes |
| 9C | 009C | TLS_RSA_WITH_AES_128_GCM_SHA256 | 128-bit AES in Galois Counter Mode encryption with 128-bit AEAD authentication and RSA key exchange. | z/OS | Yes |
| 9D | 009D | TLS_RSA_WITH_AES_256_GCM_SHA384 | 256-bit AES in Galois Counter Mode encryption with 128-bit AEAD authentication and RSA key exchange. | z/OS | Yes |
| 9E | 009E | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | 128-bit AES in Galois Counter Mode encryption with 128-bit AEAD authentication and ephemeral Diffie-Hellman key exchange signed with an RSA certificate. | z/OS | Yes |
| 9F | 009F | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | 256-bit AES in Galois Counter Mode encryption with 128-bit AEAD authentication and ephemeral Diffie-Hellman key exchange signed with an RSA certificate. | z/OS | Yes |
| | C011 | TLS_ECDHE_RSA_WITH_RC4_128_SHA | 128-bit RC4 encryption with SHA-1 message authentication and ephemeral ECDH key exchange signed with an RSA certificate. | z/OS | No |
| | C012 | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | 168-bit Triple DES encryption with SHA-1 message authentication and ephemeral ECDH key exchange signed with an RSA certificate. | z/OS | Yes |
| | C013 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | 128-bit AES encryption with SHA-1 message authentication and ephemeral ECDH key exchange signed with an RSA certificate. | z/OS | Yes |
| | C014 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | 256-bit AES encryption with SHA-1 message authentication and ephemeral ECDH key exchange signed with an RSA certificate. | z/OS | Yes |
| | C027 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | 128-bit AES encryption with SHA-256 message authentication and ephemeral ECDH key exchange signed with an RSA certificate. | z/OS | Yes |
| | C028 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | 256-bit AES encryption with SHA-384 message authentication and ephemeral ECDH key exchange signed with an RSA certificate. | z/OS | Yes |
| | C02F | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | 128-bit AES in Galois Counter Mode encryption with 128-bit AEAD message authentication and ephemeral ECDH key exchange signed with an RSA certificate. | z/OS | Yes |
| | C030 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | 256-bit AES in Galois Counter Mode encryption with 128-bit AEAD message authentication and ephemeral ECDH key exchange signed with an RSA certificate. | z/OS | Yes |

On both z/OS and IBM i, the ciphers may be specified as a string of two-character codes with no spaces or other delimiters, for example "2F0535".

On z/OS, the ciphers may also be specified as a string of four-character codes with no spaces or other delimiters, for example "C012003D003C".

On IBM i, the ciphers may alternatively be specified as a comma-delimited list of short-name string values containing no spaces, for example "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_256_CBC_SHA".
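One way to check an undelimited code string before handing it to tibemsSSLParams_System_SetCiphers, shown as an added example that is not TIBCO or IBM code. The names check_cipher_spec and SPEC_* are hypothetical, the lookup table holds only the codes and FIPS column from the table on this page, and the comma-delimited short-name form used on IBM i is not covered.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Four-character codes copied from the table on this page; fips mirrors
   the page's FIPS column (1 = Yes, 0 = No). */
static const struct { const char *code; int fips; } TESTED[] = {
    {"0005",0},{"000A",1},{"0016",1},{"002F",1},{"0033",1},{"0035",1},
    {"0039",1},{"003C",1},{"003D",1},{"0067",1},{"006B",1},{"009C",1},
    {"009D",1},{"009E",1},{"009F",1},{"C011",0},{"C012",1},{"C013",1},
    {"C014",1},{"C027",1},{"C028",1},{"C02F",1},{"C030",1},
};

enum { SPEC_MALFORMED = -1, SPEC_UNKNOWN = -2, SPEC_NOT_FIPS = -3 };

/* Validate an undelimited code string. width is 2 (z/OS and IBM i) or
   4 (z/OS only). Codes are matched exactly as the page writes them.
   Returns the number of codes, or a negative SPEC_* value. */
int check_cipher_spec(const char *spec, int width, int require_fips)
{
    size_t len = strlen(spec);
    if ((width != 2 && width != 4) || len == 0 || len % (size_t)width != 0)
        return SPEC_MALFORMED;
    for (size_t i = 0; i < len; i += (size_t)width) {
        char code[5] = "00";      /* a 2-char code is 00xx in 4-char form */
        char *dst = code + (4 - width);
        for (int j = 0; j < width; j++) {
            unsigned char c = (unsigned char)spec[i + j];
            if (!isxdigit(c)) return SPEC_MALFORMED;  /* e.g. a stray comma */
            dst[j] = (char)c;
        }
        code[4] = '\0';
        int fips = -1;
        for (size_t k = 0; k < sizeof TESTED / sizeof TESTED[0]; k++)
            if (strcmp(code, TESTED[k].code) == 0) fips = TESTED[k].fips;
        if (fips < 0) return SPEC_UNKNOWN;            /* not in the tested list */
        if (require_fips && !fips) return SPEC_NOT_FIPS;
    }
    return (int)(len / (size_t)width);
}

int main(void)
{
    printf("%d\n", check_cipher_spec("2F0535", 2, 0));       /* page example */
    printf("%d\n", check_cipher_spec("2F0535", 2, 1));       /* 05 is RC4 */
    printf("%d\n", check_cipher_spec("C012003D003C", 4, 1)); /* page example */
    return 0;
}
```

Passing an ECDHE code such as "C012" with width 2 returns SPEC_UNKNOWN, because the C0xx suites have no two-character form in the table.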