Security system values: Secure Sockets Layer cipher specification list

The Secure Sockets Layer cipher specification list system value is also known as QSSLCSL. You can use this system value to define the System SSL/TLS cipher specification list.

Quick reference
Location: From IBM® Navigator for i, select Configuration and Service > System Values. Click on Security and click Properties, then select the System TLS tab.
Special authority: Input/output (I/O) system configuration (*IOSYSCFG), all object (*ALLOBJ), and security administrator (*SECADM).
Default value:
*AES_128_GCM_SHA256
*AES_256_GCM_SHA384
*CHACHA20_POLY1305_SHA256
*ECDHE_ECDSA_AES_128_GCM_SHA256
*ECDHE_ECDSA_AES_256_GCM_SHA384
*ECDHE_RSA_AES_128_GCM_SHA256
*ECDHE_RSA_AES_256_GCM_SHA384
*ECDHE_ECDSA_CHACHA20_POLY1305_SHA256
*ECDHE_RSA_CHACHA20_POLY1305_SHA256
*RSA_AES_128_GCM_SHA256
*RSA_AES_256_GCM_SHA384
*ECDHE_ECDSA_AES_128_CBC_SHA256
*ECDHE_ECDSA_AES_256_CBC_SHA384
*ECDHE_RSA_AES_128_CBC_SHA256
*ECDHE_RSA_AES_256_CBC_SHA384
*RSA_AES_128_CBC_SHA256
*RSA_AES_128_CBC_SHA
*RSA_AES_256_CBC_SHA256
*RSA_AES_256_CBC_SHA
*ECDHE_ECDSA_3DES_EDE_CBC_SHA
*ECDHE_RSA_3DES_EDE_CBC_SHA
*RSA_3DES_EDE_CBC_SHA
Changes take effect: Immediately for all subsequent System SSL/TLS sessions.
Lockable: Yes. (See Lock function of security-related system values for details.)

What can I do with this system value?

If you specify the Use user-defined (*USRDFN) option for the Secure Sockets Layer cipher control (QSSLCSLCTL) system value, you can define the Secure Sockets Layer cipher specification list (QSSLCSL) system value. If the QSSLCSLCTL system value is system defined, the QSSLCSL system value is read-only.

The System TLS property page lists all the TLS protocol values supported by System SSL/TLS. System SSL/TLS uses the sequence of the values in the QSSLCSL system value to order the default cipher specification list. The default cipher specification list entries are system defined and can change with different releases. If a default cipher suite is removed from the QSSLCSL system value, the cipher suite is removed from the default list. The default cipher suite is added back to the default cipher specification list when it is added back into the QSSLCSL system value. The default cipher specification list values, but not order, can also be changed by using System Service Tools (SST) Advanced Analysis command TLSCONFIG. You cannot add other cipher suites to the default list beyond the set that the system defines as eligible for the release.

You cannot add a cipher suite to the QSSLCSL system value if the required TLS protocol value for the cipher suite is not set for the Secure Sockets Layer protocols (QSSLPCL) system value.

This system value can have the following values:

*AES_128_GCM_SHA256
Use the Advanced Encryption Standard (AES) cipher with Galois/Counter mode (GCM) and 128 bit keys. Use Secure Hash Algorithm 256 (SHA256) for generating the message authentication code (MAC).
*AES_256_GCM_SHA384
Use the Advanced Encryption Standard (AES) cipher with Galois/Counter mode (GCM) and 256 bit keys. Use Secure Hash Algorithm 384 (SHA384) for generating the message authentication code (MAC).
*CHACHA20_POLY1305_SHA256
Use the ChaCha stream cipher with 20 rounds, 96-bit nonce, and 256 bit keys with Poly1305 authenticator. Use Secure Hash Algorithm 256 (SHA256) for generating the message authentication code (MAC).
*RSA_AES_128_GCM_SHA256
Use the Rivest Shamir Adleman (RSA) public key algorithm with the Advanced Encryption Standard (AES) cipher with Galois/Counter mode (GCM) and 128 bit keys. Use Secure Hash Algorithm 256 (SHA256) for generating the message authentication code (MAC).
*RSA_AES_256_GCM_SHA384
Use the RSA public key algorithm with the AES cipher with GCM and 256 bit keys. Use Secure Hash Algorithm 384 (SHA384) for generating the MAC.
*ECDHE_ECDSA_NULL_SHA
Use the Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key exchange algorithm with the Elliptic Curve Digital Signature Algorithm (ECDSA) signature algorithm but do not use any cipher. Use Secure Hash Algorithm 1 (SHA-1) for generating the MAC.
*ECDHE_ECDSA_RC4_128_SHA
Use the ECDHE key exchange algorithm with the ECDSA signature algorithm with the Rivest Cipher 4 (RC4) cipher and 128 bit keys. Use SHA-1 for generating the MAC.
*ECDHE_ECDSA_3DES_EDE_CBC_SHA
Use the ECDHE key exchange algorithm with the ECDSA signature algorithm with the Triple Data Encryption Standard (3DES) cipher with the encrypt/decrypt/encrypt (EDE) and cipher block chaining (CBC) modes and 168 bit keys. Use SHA-1 for generating the MAC.
*ECDHE_RSA_NULL_SHA
Use the ECDHE key exchange algorithm with the RSA public key algorithm but do not use any cipher. Use SHA-1 for generating the MAC.
*ECDHE_RSA_RC4_128_SHA
Use the ECDHE key exchange algorithm with the RSA public key algorithm with the RC4 cipher and 128 bit keys. Use SHA-1 for generating the MAC.
*ECDHE_RSA_3DES_EDE_CBC_SHA
Use the ECDHE key exchange algorithm with the RSA public key algorithm with the 3DES cipher with the EDE and CBC modes and 168 bit keys. Use SHA-1 for generating the MAC.
*ECDHE_ECDSA_AES_128_CBC_SHA256
Use the ECDHE key exchange algorithm with the ECDSA signature algorithm with the AES cipher with CBC and 128 bit keys. Use SHA256 for generating the MAC.
*ECDHE_ECDSA_AES_256_CBC_SHA384
Use the ECDHE key exchange algorithm with the ECDSA signature algorithm with the AES cipher with CBC and 256 bit keys. Use SHA384 for generating the MAC.
*ECDHE_RSA_AES_128_CBC_SHA256
Use the ECDHE key exchange algorithm with the RSA public key algorithm with the AES cipher with CBC and 128 bit keys. Use SHA256 for generating the MAC.
*ECDHE_RSA_AES_256_CBC_SHA384
Use the ECDHE key exchange algorithm with the RSA public key algorithm with the AES cipher with CBC and 256 bit keys. Use SHA384 for generating the MAC.
*ECDHE_ECDSA_AES_128_GCM_SHA256
Use the ECDHE key exchange algorithm with the ECDSA signature algorithm with the AES cipher with GCM and 128 bit keys. Use SHA256 for generating the MAC.
*ECDHE_ECDSA_AES_256_GCM_SHA384
Use the ECDHE key exchange algorithm with the ECDSA signature algorithm with the AES cipher with GCM and 256 bit keys. Use SHA384 for generating the MAC.
*ECDHE_RSA_AES_128_GCM_SHA256
Use the ECDHE key exchange algorithm with the RSA public key algorithm with the AES cipher with GCM and 128 bit keys. Use SHA256 for generating the MAC.
*ECDHE_RSA_AES_256_GCM_SHA384
Use the ECDHE key exchange algorithm with the RSA public key algorithm with the AES cipher with GCM and 256 bit keys. Use SHA384 for generating the MAC.
*ECDHE_ECDSA_CHACHA20_POLY1305_SHA256
Use the ECDHE key exchange algorithm with the ECDSA signature algorithm with the ChaCha stream cipher with 20 rounds, 96-bit nonce, and 256 bit keys with Poly1305 authenticator. Use SHA256 for generating the MAC.
*ECDHE_RSA_CHACHA20_POLY1305_SHA256
Use the ECDHE key exchange algorithm with the RSA public key algorithm with the ChaCha stream cipher with 20 rounds, 96-bit nonce, and 256 bit keys with Poly1305 authenticator. Use SHA256 for generating the MAC.
*RSA_AES_128_CBC_SHA256
Use the RSA encoding algorithms for the AES cipher with CBC and 128 bit keys. Use Secure Hash Algorithm 256 (SHA256) for generating MAC.
*RSA_AES_128_CBC_SHA
Use the RSA encoding algorithms for the Advanced Encryption Standard (AES) cipher with cipher block chaining (CBC) and 128 bit keys. Use Secure Hash Algorithm (SHA) for generating message authentication codes (MAC).
*RSA_AES_256_CBC_SHA256
Use the RSA encoding algorithms for the AES cipher with CBC and 256 bit keys. Use SHA256 for generating MAC.
*RSA_AES_256_CBC_SHA
Use the RSA encoding algorithms for the AES cipher with CBC and 256 bit keys. Use SHA for generating MAC.
*RSA_3DES_EDE_CBC_SHA
Use the RSA encoding algorithms for the Triple Data Encryption Standard (3DES) cipher with the encrypt/decrypt/encrypt (EDE) and CBC modes and 168 bit keys. Use SHA for generating MAC.
*RSA_RC4_128_SHA
Use the RSA encoding algorithms for Rivest Cipher 4 (RC4) and 128 bit keys. Use SHA for generating MAC.
*RSA_RC4_128_MD5
Use the RSA encoding algorithms for the RC4 cipher and 128 bit keys. Use message digest algorithm 5 (MD5) for generating MAC.
*RSA_DES_CBC_SHA
Use the RSA encoding algorithms for the Data Encryption Standard (DES) cipher with the CBC mode and 56 bit keys. Use SHA for generating MAC.
*RSA_EXPORT_RC2_CBC_40_MD5
Use the RSA encoding algorithms for Rivest Cipher 2 (RC2) with the CBC mode and 40 bit keys. Use MD5 for generating MAC.
*RSA_EXPORT_RC4_40_MD5
Use the RSA encoding algorithms for the RC4 cipher and 40 bit keys. Use MD5 for generating MAC.
*RSA_NULL_SHA256
Use the RSA encoding algorithms but do not use any cipher. Use SHA256 for generating MAC.
*RSA_NULL_SHA
Use the RSA encoding algorithms but do not use any cipher. Use SHA for generating MAC.
*RSA_NULL_MD5
Use the RSA encoding algorithms but do not use any cipher. Use MD5 for generating MAC.
*RSA_RC2_CBC_128_MD5
Use the RSA encoding algorithms for the RC2 cipher with the CBC mode and 128 bit keys. Use MD5 for generating MAC.
*RSA_3DES_EDE_CBC_MD5
Use the RSA encoding algorithms for the 3DES cipher with the EDE and CBC modes and 168 bit keys. Use MD5 for generating MAC.
*RSA_DES_CBC_MD5
Use the RSA encoding algorithms for the DES cipher with the CBC mode and 56 bit keys. Use MD5 for generating MAC.
Note: This system value is not supported on systems running IBM i V5R4, or earlier.
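
The value list above mixes current suites with NULL, export-grade, RC2, RC4, DES, 3DES and MD5 entries, and the QSSLPCL rule blocks suites whose protocol is not enabled. The following audit of a user-defined list is an added example, not IBM code; the function names, the sample values and the suite-to-protocol mapping (taken from the TLS RFCs and the *TLSV1.x value names) are assumptions.

```python
# Added example: audit a QSSLCSL list by the tokens in its suite names.
WEAK_TOKENS = {  # token in the name -> why it is a finding
    "NULL": "no encryption",
    "EXPORT": "export-grade 40-bit key",
    "RC4": "RC4 stream cipher",
    "RC2": "RC2 cipher",
    "DES": "single DES, 56-bit key",
    "3DES": "3DES, 64-bit block cipher",
    "MD5": "MD5-based MAC",
}
KEY_EXCHANGE = {"RSA", "ECDHE"}

def tokens(suite):
    return suite.lstrip("*").split("_")

def weaknesses(suite):
    """Reasons a cipher specification should be dropped from the list."""
    present = tokens(suite)
    return [why for tok, why in WEAK_TOKENS.items() if tok in present]

def min_protocol(suite):
    """Protocol value the suite needs in QSSLPCL. Assumption: derived from
    the TLS RFCs and the *TLSV1.x naming, not from IBM's implementation."""
    t = tokens(suite)
    if t[0] not in KEY_EXCHANGE:
        return "*TLSV1.3"   # TLS 1.3 suite names carry no key exchange
    if {"GCM", "POLY1305", "SHA256", "SHA384"} & set(t):
        return "*TLSV1.2"   # AEAD and SHA-2 suites were defined for TLS 1.2
    return None             # older suites: no single required version

def audit(qsslcsl, qsslpcl):
    """Return {suite: [findings]} for weak or protocol-blocked entries."""
    report = {}
    for suite in qsslcsl:
        found = weaknesses(suite)
        need = min_protocol(suite)
        if need and need not in qsslpcl:
            found.append(f"requires {need}, not in QSSLPCL")
        if found:
            report[suite] = found
    return report

# Constructed sample values, not taken from a real system.
SAMPLE_QSSLCSL = ["*AES_128_GCM_SHA256", "*ECDHE_RSA_AES_256_GCM_SHA384",
                  "*RSA_3DES_EDE_CBC_SHA", "*RSA_EXPORT_RC4_40_MD5",
                  "*RSA_AES_128_CBC_SHA"]
SAMPLE_QSSLPCL = ["*TLSV1.2"]

if __name__ == "__main__":
    for suite, found in audit(SAMPLE_QSSLCSL, SAMPLE_QSSLPCL).items():
        print(suite, "->", "; ".join(found))
```

Suites that pass this audit can still lack forward secrecy (the *RSA_ key exchange entries) or use CBC with SHA-1, so treat an empty report as a minimum bar.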