SSL Cipher Specification Options

The SSL cipher specification options application definition field determines which SSL cipher suites are supported by the application.

The default value is *PGM, which means that the program that uses this "application ID" sets the supported cipher suites attribute to the appropriate value. The program might set the value explicitly through an API call or implicitly by allowing the system default to be used.

If *PGM results in the incorrect value, this field can define the SSL cipher suites that are supported by this application. Cipher suites that are disabled by the QSSLCSL system value are ignored when at least one cipher suite is enabled.

The server application controls which cipher suites are supported by means of a prioritized list. The administrator weighs security policy, performance, and interoperability considerations to determine the appropriate configuration. Use caution when you consider changes to the list. The flexibility of the user-defined list allows for a weaker security configuration than might be possible with *PGM. Security can be weakened in several ways:
  • Selecting a higher priority for a relatively weak encryption algorithm
  • Disabling a relatively strong encryption algorithm
  • Enabling a relatively weak encryption algorithm
A server is only as secure as the weakest cipher suite it allows, regardless of that suite's position in the ordered list.
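
The following added example (not part of the original documentation and not IBM code) audits a user-defined prioritized list against the list the program would otherwise use, reporting each of the three weakening patterns above and the weakest suite left enabled. The suite lists are constructed samples, and the name-based strength ranking is an illustrative assumption, not an IBM classification.

```python
# Assumed ranking: tokens that mark a suite as weak or strong; anything else is medium.
WEAK = {"NULL", "EXPORT", "RC4", "RC2", "DES", "3DES", "MD5"}
STRONG = {"GCM", "CHACHA20"}

def strength(suite):
    """Return 0 (weak), 1 (medium) or 2 (strong) from tokens in the suite name."""
    tokens = set(suite.upper().split("_"))
    if tokens & WEAK:
        return 0
    return 2 if tokens & STRONG else 1

def audit(user_list, baseline):
    """Compare a prioritized user-defined list with the baseline (*PGM) list."""
    if not user_list:
        raise ValueError("user-defined list enables no cipher suites")
    # The weakest enabled suite sets the security floor, wherever it is ranked.
    floor = min(user_list, key=strength)
    base_floor = min((strength(s) for s in baseline), default=0)
    findings = []
    for i, suite in enumerate(user_list):
        # Pattern 1: a weaker suite is ranked above a stronger one.
        if any(strength(s) > strength(suite) for s in user_list[i + 1:]):
            findings.append(("weak-prioritized", suite))
        # Pattern 3: a suite weaker than anything in the baseline was enabled.
        if suite not in baseline and strength(suite) < base_floor:
            findings.append(("weak-enabled", suite))
    for suite in baseline:
        # Pattern 2: a baseline suite stronger than the floor was dropped.
        if suite not in user_list and strength(suite) > strength(floor):
            findings.append(("strong-disabled", suite))
    return {"floor": floor, "findings": findings}

# Constructed sample lists, highest priority first.
BASELINE = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
USER_DEFINED = [
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

if __name__ == "__main__":
    report = audit(USER_DEFINED, BASELINE)
    print("weakest enabled suite:", report["floor"])
    for kind, suite in report["findings"]:
        print(f"{kind}: {suite}")
```

Moving the RC4 suite to the end of the list clears only the priority finding; the floor and the weak-enabled finding are unchanged.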