SSL/TLS protocol

When executing in FIPS mode, applications are allowed to use the TLS V1.0, TLS V1.1, and TLS V1.2 protocols. SSL V2 and SSL V3 are not supported. The specification of SSL V2 and SSL V3 during setup of the SSL/TLS application is ignored. When executing in non-FIPS mode, the default 2-character specifications string reflects the default order of suites supported:

050435363738392F303132330A1613100D0915120F0C0306020100

When executing in non-FIPS mode, if GSK_V3_CIPHERS is set to GSK_V3_CIPHERS_CHAR4, and a cipher specification is not set in GSK_V3_CIPHER_SPECS_EXPANDED, then the default cipher specification is set as follows:

0005000400350036003700380039002F0030003100320033000A0016
00130010000D000900150012000F000C00030006000200010000

The algorithm restrictions (see Table 1) result in the following default cipher specifications string in FIPS mode:

35363738392F303132330A1613100D

If using 4-character cipher specifications, the default cipher specifications string in FIPS mode becomes:

00350036003700380039002F0030003100320033000A001600130010000D

Only the following cipher suites are compatible with the restrictions in Table 1 and are therefore supported while executing in FIPS mode:

When using 2-character cipher suites:

0A 0D 10 13 16 2F 30 31 32 33 35 36 37 38 39

When using 4-character cipher suites:

000A 000D 0010 0013 0016 002F 0030 0031 0032 0033 0035 0036 0037 0038
0039 C003 C004 C005 C008 C009 C00A C00D C00E C00F C012 C013 C014

If non-FIPS mode ciphers are specified, they are ignored during the TLS handshake processing.

For more information about ciphers and their 2character or 4-character values, see Cipher suite definitions.