Use the CIPHERSUITE statement to specify the name of a cipher algorithm that is used during the TLS handshake.
- Server: Indicates the server's preference of cipher algorithms.
- Client: Indicates the client's preference of cipher algorithms.
Syntax
>>-CIPHERSUITE--name-------------------------------------------><
Parameters
- name: The name of the cipher algorithm. The following values are allowed for name:
- SSL_NULL_MD5
- SSL_NULL_SHA
- SSL_RC4_MD5_EX
- SSL_RC4_MD5
- SSL_RC4_SHA
- SSL_RC2_MD5_EX
- SSL_DES_SHA
- SSL_3DES_SHA
- SSL_AES_128_SHA
- SSL_AES_256_SHA
The name can be interpreted as follows:
SSL_<cipher>_<cipher hash>[_EX]
<cipher> specifies one of the following encryption algorithms:
- AES_128: 128-bit AES. The Advanced Encryption Standard is established by the National Institute of Standards and Technology (NIST).
- AES_256: 256-bit AES. The Advanced Encryption Standard is established by the National Institute of Standards and Technology (NIST).
- RC2: Block cipher developed at RSA Data Security.
- RC4: Stream cipher developed at RSA Data Security.
- DES: Data Encryption Standard (56-bit key).
- 3DES: Triple Data Encryption Standard (168-bit key).
- NULL: No algorithm is used. NULL indicates that there is no key exchange.
<cipher hash> specifies one of the following authentication algorithms:
- MD5: Message digest algorithm that produces a fixed-size output of 16 bytes.
- SHA: Secure Hash Algorithm that produces a 20-byte output.
The suffix _EX indicates that the corresponding cipher suite is exportable.
Restrictions:
- The following cipher suites are subject to export restrictions and might not be available outside of the United States:
  - SSL_3DES_SHA
  - SSL_RC4_SHA
  - SSL_RC4_MD5
  - SSL_AES_128_SHA
  - SSL_AES_256_SHA
- Only RSA key exchange is supported.
Examples
To indicate that you want to use 3DES encryption and SHA authentication as your first choice, and RC4 encryption and MD5 authentication as your second choice, code the following statements:
CIPHERSUITE SSL_3DES_SHA
CIPHERSUITE SSL_RC4_MD5
Authorization
- Multiple CIPHERSUITE statements can be coded in the FTP.DATA file.
- The order of CIPHERSUITE statements in the server's FTP.DATA file
indicates the priority of the algorithms listed. Specify the highest
priority algorithm first in the FTP.DATA file.
- The client and server specify the list of encryption types that
they support. The client and server negotiate which of the available
ciphers is used for the data encryption by specifying the desired
ciphers in order of preference. The actual cipher used is the best
match between what the server supports and what the client requests.
If the server does not support any of the ciphers that the client
requests, the TLS handshake fails and the connection is closed. See
the z/OS Cryptographic Services System SSL Programming for a list of ciphers that are included in
the base product.
- The CIPHERSUITE statements are used by the FTP server when the
EXTENSIONS statement is coded with the AUTH_TLS value.
- The CIPHERSUITE statements are used by the FTP client when the
SECURE_MECHANISM TLS statement is coded or when the FTP client is
started with either the -a TLS or the -r TLS start parameter.
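The naming scheme and the negotiation rule described above can be checked mechanically. The following Python is an added example, not code from the z/OS documentation or product: it reads the CIPHERSUITE statements from a constructed FTP.DATA sample, decodes each name per SSL_<cipher>_<cipher hash>[_EX], flags suites a defender would not leave enabled, and resolves a server/client overlap. It assumes that ';' starts a comment in FTP.DATA and that the "best match" is the first suite in the server's order that the client also offers.

```python
import re
from typing import List, Optional
# Allowed CIPHERSUITE values, taken from the statement description above.
ALLOWED = {"SSL_NULL_MD5", "SSL_NULL_SHA", "SSL_RC4_MD5_EX", "SSL_RC4_MD5", "SSL_RC4_SHA",
           "SSL_RC2_MD5_EX", "SSL_DES_SHA", "SSL_3DES_SHA", "SSL_AES_128_SHA", "SSL_AES_256_SHA"}
# SSL_<cipher>_<cipher hash>[_EX]; AES_128 and AES_256 contain an underscore themselves.
NAME_RE = re.compile(r"^SSL_(AES_128|AES_256|RC2|RC4|DES|3DES|NULL)_(MD5|SHA)(_EX)?$")

# Constructed sample server FTP.DATA (not from the page); ';' is assumed to start a comment.
SERVER_FTP_DATA = """\
; TLS settings for the FTP server
EXTENSIONS    AUTH_TLS
CIPHERSUITE   SSL_AES_256_SHA      ; first choice
CIPHERSUITE   SSL_3DES_SHA         ; second choice
CIPHERSUITE   SSL_NULL_MD5         ; left over from testing
"""

def parse_ciphersuites(ftp_data: str) -> List[str]:
    """Return CIPHERSUITE names in coded order; that order is the preference order."""
    suites = []
    for raw in ftp_data.splitlines():
        parts = raw.split(";", 1)[0].split()  # drop the comment, split on blanks
        if len(parts) >= 2 and parts[0].upper() == "CIPHERSUITE":
            suites.append(parts[1].upper())
    return suites

def weaknesses(name: str) -> List[str]:
    """Decode SSL_<cipher>_<hash>[_EX] and list why a defender would reject the suite."""
    m = NAME_RE.match(name)
    if name not in ALLOWED or not m:
        return ["unknown name"]  # not an allowed value for this statement
    cipher, mac, export = m.groups()
    issues = []
    if cipher == "NULL":
        issues.append("no encryption")  # the NULL cipher sends data in the clear
    if cipher in ("RC2", "RC4", "DES"):
        issues.append(f"weak cipher {cipher}")
    if cipher == "3DES":
        issues.append("3DES deprecated")
    if mac == "MD5":
        issues.append("MD5 MAC")
    if export:
        issues.append("export-grade key length")
    return issues

def negotiate(server: List[str], client: List[str]) -> Optional[str]:
    """First suite in the server's order that the client also offers; None = handshake fails."""
    offered = set(client)
    return next((s for s in server if s in offered), None)
```

Running `weaknesses` over `parse_ciphersuites(SERVER_FTP_DATA)` reports the stray SSL_NULL_MD5 statement, and `negotiate` returns None for a client that only offers suites the server does not list, which is the handshake failure the usage notes describe.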