SSL Cipher Suites

System SSL has the infrastructure to support multiple cipher suites.

The cipher suites are specified in different ways for each programming interface. System SSL can support the following cipher suites, shown here in the system value format:
  • *RSA_AES_128_CBC_SHA256
  • *RSA_AES_256_CBC_SHA256
  • *RSA_NULL_SHA256
  • *RSA_NULL_MD5
  • *RSA_NULL_SHA
  • *RSA_EXPORT_RC4_40_MD5
  • *RSA_RC4_128_MD5
  • *RSA_RC4_128_SHA
  • *RSA_EXPORT_RC2_CBC_40_MD5
  • *RSA_DES_CBC_SHA
  • *RSA_3DES_EDE_CBC_SHA
  • *RSA_AES_128_CBC_SHA
  • *RSA_AES_256_CBC_SHA
  • *RSA_RC2_CBC_128_MD5
  • *RSA_DES_CBC_MD5
  • *RSA_3DES_EDE_CBC_MD5

Shipped SSL supported cipher specification list

A cipher specification list contains a list of cipher suites. System SSL ships with 10 cipher suites supported. Administrators can control the ciphers that are supported by System SSL with system values QSSLCSL and QSSLCSLCTL. A cipher suite cannot be supported if the SSL protocol it requires is not also supported.

The following cipher suites are shipped as supported by System SSL:
  • *RSA_AES_256_CBC_SHA
  • *RSA_AES_128_CBC_SHA
  • *RSA_RC4_128_SHA
  • *RSA_RC4_128_MD5
  • *RSA_3DES_EDE_CBC_SHA
  • *RSA_DES_CBC_SHA
  • *RSA_EXPORT_RC4_40_MD5
  • *RSA_EXPORT_RC2_CBC_40_MD5
  • *RSA_NULL_SHA
  • *RSA_NULL_MD5
The supported cipher specification list is affected by the SSL protocols that are supported by the system as well as by changes made to the system value QSSLCSL. You can display the value of QSSLCSL to see the cipher specification list on your system.

Shipped SSL default cipher specification list

The shipped default cipher specification list has the following order:
  • *RSA_AES_128_CBC_SHA
  • *RSA_AES_256_CBC_SHA

The shipped default cipher specification list can be reduced and reordered by changing the QSSLCSL system value. The shipped default cipher specification list values, but not order, can also be changed by using System Service Tools (SST) Advanced Analysis Command SSLCONFIG.

Two more cipher suites can be added to the list if TLSv1.2 is enabled on the system and enabled by the applications:
  • *RSA_AES_128_CBC_SHA256
  • *RSA_AES_256_CBC_SHA256

The following table shows the cipher specifications that are supported for each protocol version. The supported cipher specifications for each protocol are indicated by the "X" in the appropriate column.

Table 1. Supported Cipher Specifications for TLS and SSL Protocols
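| QSSLCSL System Value Representation | TLSv1.2 | TLSv1.1 | TLSv1.0 | SSLv3 | SSLv2 |
|---|---|---|---|---|---|
| *RSA_AES_256_CBC_SHA256 | X |  |  |  |  |
| *RSA_AES_128_CBC_SHA256 | X |  |  |  |  |
| *RSA_AES_256_CBC_SHA | X | X | X |  |  |
| *RSA_AES_128_CBC_SHA | X | X | X |  |  |
| *RSA_3DES_EDE_CBC_SHA | X | X | X | X |  |
| *RSA_RC4_128_SHA | X | X | X | X |  |
| *RSA_RC4_128_MD5 | X | X | X | X | X |
| *RSA_DES_CBC_SHA |  | X | X | X |  |
| *RSA_EXPORT_RC4_40_MD5 |  |  | X | X | X |
| *RSA_EXPORT_RC2_CBC_40_MD5 |  |  | X | X | X |
| *RSA_NULL_SHA256 | X |  |  |  |  |
| *RSA_NULL_SHA | X | X | X | X |  |
| *RSA_NULL_MD5 | X | X | X | X |  |
| *RSA_RC2_CBC_128_MD5 |  |  |  |  | X |
| *RSA_3DES_EDE_CBC_MD5 |  |  |  |  | X |
| *RSA_DES_CBC_MD5 |  |  |  |  | X |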
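
Table 1 combined with the rule that a cipher suite cannot be supported unless a protocol it requires is also supported, as an added Python example (not IBM code). The function names and the enabled-protocol sets are assumptions made for illustration; the suite names, the table rows and the shipped supported list are taken from this page.

```python
# Added example: Table 1 as data. Column order matches the table on this page.
PROTOCOLS = ("TLSv1.2", "TLSv1.1", "TLSv1.0", "SSLv3", "SSLv2")

def _row(marks):
    """'X' marks a supported protocol, '.' an empty cell, in PROTOCOLS order."""
    return frozenset(p for p, m in zip(PROTOCOLS, marks) if m == "X")

TABLE_1 = {
    "*RSA_AES_256_CBC_SHA256":    _row("X...."),
    "*RSA_AES_128_CBC_SHA256":    _row("X...."),
    "*RSA_AES_256_CBC_SHA":       _row("XXX.."),
    "*RSA_AES_128_CBC_SHA":       _row("XXX.."),
    "*RSA_3DES_EDE_CBC_SHA":      _row("XXXX."),
    "*RSA_RC4_128_SHA":           _row("XXXX."),
    "*RSA_RC4_128_MD5":           _row("XXXXX"),
    "*RSA_DES_CBC_SHA":           _row(".XXX."),
    "*RSA_EXPORT_RC4_40_MD5":     _row("..XXX"),
    "*RSA_EXPORT_RC2_CBC_40_MD5": _row("..XXX"),
    "*RSA_NULL_SHA256":           _row("X...."),
    "*RSA_NULL_SHA":              _row("XXXX."),
    "*RSA_NULL_MD5":              _row("XXXX."),
    "*RSA_RC2_CBC_128_MD5":       _row("....X"),
    "*RSA_3DES_EDE_CBC_MD5":      _row("....X"),
    "*RSA_DES_CBC_MD5":           _row("....X"),
}

# The ten suites this page lists as shipped supported, in the page's order.
SHIPPED_SUPPORTED = """*RSA_AES_256_CBC_SHA *RSA_AES_128_CBC_SHA *RSA_RC4_128_SHA
*RSA_RC4_128_MD5 *RSA_3DES_EDE_CBC_SHA *RSA_DES_CBC_SHA *RSA_EXPORT_RC4_40_MD5
*RSA_EXPORT_RC2_CBC_40_MD5 *RSA_NULL_SHA *RSA_NULL_MD5""".split()

def effective_list(cipher_list, enabled_protocols):
    """Split an ordered cipher list into (usable, unusable) for the enabled protocols."""
    enabled = set(enabled_protocols)
    usable, unusable = [], []
    for suite in cipher_list:
        if suite not in TABLE_1:
            raise ValueError(f"not in Table 1: {suite}")
        # Usable only if at least one protocol that carries the suite is enabled.
        (usable if TABLE_1[suite] & enabled else unusable).append(suite)
    return usable, unusable

def per_protocol(cipher_list, enabled_protocols):
    """For each enabled protocol, the suites it can use, in cipher-list order."""
    return {p: [s for s in cipher_list if p in TABLE_1[s]]
            for p in PROTOCOLS if p in set(enabled_protocols)}

if __name__ == "__main__":
    print(effective_list(SHIPPED_SUPPORTED, {"TLSv1.2"}))  # constructed protocol set
```

With only TLSv1.2 enabled, the DES and both EXPORT suites fall out of the shipped supported list, while TLSv1.0 alone can still use all ten.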