CIPHERSUITE (FTP client and server) statement

Use the CIPHERSUITE statement to specify the name of a cipher algorithm that is used during the TLS handshake.

Server: Indicates the server's preference of cipher algorithms.
Client: Indicates the client's preference of cipher algorithms.

Syntax


>>-CIPHERSUITE--name-------------------------------------------><

Parameters

name

The name of the cipher algorithm. The following values are allowed name values:

SSL_NULL_MD5
SSL_NULL_SHA
SSL_RC4_MD5_EX
SSL_RC4_MD5
SSL_RC4_SHA
SSL_RC2_MD5_EX
SSL_DES_SHA
SSL_3DES_SHA
SSL_AES_128_SHA
SSL_AES_256_SHA

The name can be interpreted as follows:

SSL_<cipher>_<cipher hash>[_EX]

<cipher> specifies one of the following encryption algorithms:

AES_128: 128–bit AES; Advanced Encryption Standard is established by the National Institute of Standards and Technology (NIST).
AES_256: 256–bit AES; Advanced Encryption Standard is established by the National Institute of Standards and Technology (NIST).
RC2: Block cipher developed at RSA Data Security
RC4: Stream cipher developed at RSA Data Security
DES: Digital Encryption Standard (56 bits of security)
3DES: Digital Encryption Standard (168 bits of security)
NULL: No algorithm is used. NULL indicates that there is no key exchange.

<cipher hash> specifies one of the following authentication algorithms:

MD5: Algorithm that converts to fixed size (16 bytes)
SHA: Secure Hash Algorithm that converts to a 20-byte output

The suffix _EX indicates that the corresponding cipher suite is exportable.

Restrictions:

The following list shows the subject to export restrictions and might not be available outside of the United States:
- SSL_3DES_SHA
- SSL_RC4_SHA
- SSL_RC4_MD5
- SSL_AES_128_SHA
- SSL_AES_256_SHA
Only RSA key exchange is supported.

Examples

To indicate that you want to use the 3DES encryption and SHA authentication as your first choice, and that RC4 encryption and MD5 authentication are your second choice, code the following examples:

CIPHERSUITE SSL_3DES_SHA

CIPHERSUITE SSL_RC4_MD5

Authorization

Multiple CIPHERSUITE statements can be coded in the FTP.DATA file.
The order of CIPHERSUITE statements in the server's FTP.DATA file indicates the priority of the algorithms listed. Specify the highest priority algorithm first in the FTP.DATA file.
The client and server specify the list of encryption types that they support. The client and server negotiate which of the available ciphers is used for the data encryption by specifying the desired ciphers in order of preference. The actual cipher used is the best match between what the server supports and what the client requests. If the server does not support any of the ciphers that the client requests, the TLS handshake fails and the connection is closed. See the z/OS Cryptographic Services System SSL Programming for a list of ciphers that are included in the base product.
The CIPHERSUITE statements are used by the FTP server when the EXTENSIONS statement is coded with the AUTH_TLS value.
The CIPHERSUITE statements are used by the FTP client when the SECURE_MECHANISM TLS statement is coded or when the FTP client is started with either the -a TLS or the -r TLS start parameter.

CIPHERSUITE (FTP client and server) statement

Syntax

Parameters

Examples

Authorization

Related topics