tibemsSSLParams_System_SetCiphers
Function
Purpose
Set the cipher suites for IBM System SSL connections.
C Declaration
tibems_status tibemsSSLParams_System_SetCiphers( tibemsSSLParams SSLParams, const char* ciphers );
COBOL Call
CALL "tibemsSSLParams_System_SetCiphers" USING BY VALUE SSLParams, BY REFERENCE ciphers, RETURNING tibems-status END-CALL.
SSLParams has usage pointer.
Parameters
Parameter | Description |
---|---|
SSLParams | Set the value in this TLS parameter object. |
ciphers | Specify the cipher suites that the client can use. Ciphers can be specified as a series of two or four character codes, or a series of short name string values, depending on the platform. The ciphers provided should conform to the cipher suite specifications for IBM System SSL: Supported ciphers are listed below. |
Remarks
This parameter is connection-specific and can be specified for each connection. On z/OS, only the indicated CIPHERS are allowed in FIPS mode.
The following table lists ciphers which have been tested. However, many factors can affect the list of ciphers which work on a given site, so your list may be larger or smaller than this one.
| 2-Char Code | 4-Char Code | Short Name | Description | Use On | FIPS |
|---|---|---|---|---|---|
| 05 | 0005 | TLS_RSA_WITH_RC4_128_SHA | 128-bit RC4 encryption with SHA-1 message authentication and RSA key exchange. | z/OS, IBM i | No |
| 0A | 000A | TLS_RSA_WITH_3DES_EDE_CBC_SHA | 168-bit Triple DES encryption with SHA-1 message authentication and RSA key exchange. | z/OS, IBM i | Yes |
| 16 | 0016 | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA | 168-bit Triple DES encryption with SHA-1 message authentication and ephemeral Diffie-Hellman key exchange signed with an RSA certificate. | z/OS | Yes |
| 2F | 002F | TLS_RSA_WITH_AES_128_CBC_SHA | 128-bit AES encryption with SHA-1 message authentication and RSA key exchange. | z/OS, IBM i | Yes |
| 33 | 0033 | TLS_DHE_RSA_WITH_AES_128_CBC_SHA | 128-bit AES encryption with SHA-1 message authentication and ephemeral Diffie-Hellman key exchange signed with an RSA certificate. | z/OS | Yes |
| 35 | 0035 | TLS_RSA_WITH_AES_256_CBC_SHA | 256-bit AES encryption with SHA-1 message authentication and RSA key exchange. | z/OS, IBM i | Yes |
| 39 | 0039 | TLS_DHE_RSA_WITH_AES_256_CBC_SHA | 256-bit AES encryption with SHA-1 message authentication and ephemeral Diffie-Hellman key exchange signed with an RSA certificate. | z/OS | Yes |
| 3C | 003C | TLS_RSA_WITH_AES_128_CBC_SHA256 | 128-bit AES encryption with SHA-256 message authentication and RSA key exchange. | z/OS | Yes |
| 3D | 003D | TLS_RSA_WITH_AES_256_CBC_SHA256 | 256-bit AES encryption with SHA-256 message authentication and RSA key exchange. | z/OS | Yes |
| 67 | 0067 | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | 128-bit AES encryption with SHA-256 message authentication and ephemeral Diffie-Hellman key exchange signed with an RSA certificate. | z/OS | Yes |
| 6B | 006B | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | 256-bit AES encryption with SHA-256 message authentication and ephemeral Diffie-Hellman key exchange signed with an RSA certificate. | z/OS | Yes |
| 9C | 009C | TLS_RSA_WITH_AES_128_GCM_SHA256 | 128-bit AES in Galois Counter Mode encryption with 128-bit AEAD authentication and RSA key exchange. | z/OS | Yes |
| 9D | 009D | TLS_RSA_WITH_AES_256_GCM_SHA384 | 256-bit AES in Galois Counter Mode encryption with 128-bit AEAD authentication and RSA key exchange. | z/OS | Yes |
| 9E | 009E | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | 128-bit AES in Galois Counter Mode encryption with 128-bit AEAD authentication and ephemeral Diffie-Hellman key exchange signed with an RSA certificate. | z/OS | Yes |
| 9F | 009F | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | 256-bit AES in Galois Counter Mode encryption with 128-bit AEAD authentication and ephemeral Diffie-Hellman key exchange signed with an RSA certificate. | z/OS | Yes |
|  | C011 | TLS_ECDHE_RSA_WITH_RC4_128_SHA | 128-bit RC4 encryption with SHA-1 message authentication and ephemeral ECDH key exchange signed with an RSA certificate. | z/OS | No |
|  | C012 | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | 168-bit Triple DES encryption with SHA-1 message authentication and ephemeral ECDH key exchange signed with an RSA certificate. | z/OS | Yes |
|  | C013 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | 128-bit AES encryption with SHA-1 message authentication and ephemeral ECDH key exchange signed with an RSA certificate. | z/OS | Yes |
|  | C014 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | 256-bit AES encryption with SHA-1 message authentication and ephemeral ECDH key exchange signed with an RSA certificate. | z/OS | Yes |
|  | C027 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | 128-bit AES encryption with SHA-256 message authentication and ephemeral ECDH key exchange signed with an RSA certificate. | z/OS | Yes |
|  | C028 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | 256-bit AES encryption with SHA-384 message authentication and ephemeral ECDH key exchange signed with an RSA certificate. | z/OS | Yes |
|  | C02F | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | 128-bit AES in Galois Counter Mode encryption with 128-bit AEAD message authentication and ephemeral ECDH key exchange signed with an RSA certificate. | z/OS | Yes |
|  | C030 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | 256-bit AES in Galois Counter Mode encryption with 128-bit AEAD message authentication and ephemeral ECDH key exchange signed with an RSA certificate. | z/OS | Yes |
On both z/OS and IBM i the ciphers may be specified as a string of two-character codes with no spaces or other delimiters. For example, "2F0535".
On z/OS the ciphers may also be specified as a string of four-character codes with no spaces or other delimiters. For example, "C012003D003C".
On IBM i the ciphers may alternately be specified as a string of comma-delimited string values containing no spaces. For example, "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_256_CBC_SHA".
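The following is an added example, not part of the original page or of the EMS client library: a pre-flight check that splits a two- or four-character code string as described above and counts the codes that the table marks as not allowed in FIPS mode or that are absent from it. The names TABLE, lookup and check_cipher_codes are hypothetical, and the table contents are transcribed from the tested-cipher list on this page.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* 4-character code and FIPS column, transcribed from the table on this page. */
struct cipher { const char *code4; int fips; };
static const struct cipher TABLE[] = {
    {"0005",0},{"000A",1},{"0016",1},{"002F",1},{"0033",1},{"0035",1},
    {"0039",1},{"003C",1},{"003D",1},{"0067",1},{"006B",1},{"009C",1},
    {"009D",1},{"009E",1},{"009F",1},{"C011",0},{"C012",1},{"C013",1},
    {"C014",1},{"C027",1},{"C028",1},{"C02F",1},{"C030",1},
};

/* Returns 1 if FIPS-allowed, 0 if listed but not FIPS, -1 if not in the table. */
static int lookup(const char *code4) {
    for (size_t i = 0; i < sizeof TABLE / sizeof TABLE[0]; i++)
        if (strcmp(TABLE[i].code4, code4) == 0) return TABLE[i].fips;
    return -1;
}

/* width is 2 or 4. Returns the number of codes that are non-FIPS or unknown,
 * or -1 if the string is malformed. first_bad (optional, 5 bytes) receives
 * the first rejected code in 4-character form. */
int check_cipher_codes(const char *spec, size_t width, char *first_bad) {
    size_t len = strlen(spec);
    int rejected = 0;
    if (first_bad) first_bad[0] = '\0';
    if ((width != 2 && width != 4) || len == 0 || len % width != 0) return -1;
    for (size_t off = 0; off < len; off += width) {
        char code4[5] = "0000";            /* 2-char codes map to 00xx */
        for (size_t i = 0; i < width; i++) {
            unsigned char c = (unsigned char)spec[off + i];
            if (!isxdigit(c)) return -1;   /* no spaces or delimiters allowed */
            code4[4 - width + i] = (char)toupper(c);
        }
        if (lookup(code4) != 1 && rejected++ == 0 && first_bad)
            memcpy(first_bad, code4, 5);
    }
    return rejected;
}

int main(void) {
    char bad[5];
    /* Inputs are the example strings from this page. */
    int n = check_cipher_codes("2F0535", 2, bad);
    printf("2F0535: %d rejected, first=%s\n", n, bad);
    printf("C012003D003C: %d rejected\n", check_cipher_codes("C012003D003C", 4, NULL));
    return 0;
}
```

A string that yields 0 can then be passed as the ciphers argument; the comma-delimited short-name form for IBM i is not handled here.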