Table of Contents

Search

  1. Preface
  2. Introduction to PowerExchange
  3. DBMOVER Configuration File
  4. Netport Jobs
  5. PowerExchange Message Logs and Destination Overrides
  6. SMF Statistics Logging and Reporting
  7. PowerExchange Security
  8. Secure Sockets Layer Support
  9. PowerExchange Alternative Network Security
  10. PowerExchange Nonrelational SQL
  11. PowerExchange Globalization
  12. Using the PowerExchange ODBC Drivers
  13. PowerExchange Datatypes and Conversion Matrix
  14. Appendix A: DTL__CAPXTIMESTAMP Time Stamps
  15. Appendix B: PowerExchange Glossary

SSL_CIPHER_LIST Statement

SSL_CIPHER_LIST Statement

The SS_CIPHER_LIST statement restricts the available cipher suites that a Linux, UNIX, or Windows client offers to a server during an SSL handshake to the specified list.
Linux, UNIX, and Windows
SSL, SSL_ALLOW_SELFSIGNED, SSL_CONTEXT_METHOD, SSL_REQ_CLNT_CERT, and SSL_REQ_SRVR_CERT
No
SSL_CIPHER_LIST=
cipher_list
For the
cipher_list
variable, specify one or more OpenSSL cipher suite names, separated by commas.
The following table is a partial list of OpenSSL cipher suite names and the corresponding AT-TLS cipher suite names and hexadecimal values:
OpenSSL Cipher Suite Name
AT-TLS Cipher Suite Name
Hexadecimal Value
DHE-RSA-AES256-SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
39
DHE-DSS-AES256-SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
38
AES256-SHA
TLS_RSA_WITH_AES_256_CBC_SHA
35
EDH-RSA-DES-CBC3-SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
16
EDH-DSS-DES-CBC3-SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
13
DES-CBC3-SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
0A
DHE-RSA-AES128-SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
33
DHE-DSS-AES128-SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
32
AES128-SHA
TLS_RSA_WITH_AES_128_CBC_SHA
2F
For a complete list of the cipher suites that are available in the OpenSSL cryptographic library on your Linux, UNIX, or Windows client machine, run the REPORT_CIPHERS command of the PWXUSSL utility.
You might include the SSL_CIPHER_LIST statement in the DBMOVER file on the client machine for any of the following reasons:
  • To ensure that a Linux, UNIX, or Windows PowerExchange server never uses a weak cipher from a client machine.
  • To force the use of a preferred cipher from a Linux, UNIX, or Windows client machine rather than having to change a TTLSCipherParms configuration statement on the z/OS server machine.
  • To avoid the use a the Diffie-Hellman cipher on z/OS because of the slow connection time.
  • To force the use of a weaker cipher, or a cipher with hardware assitance on z/OS, for faster performance.