# Security system values: Transport Layer Security cipher specification list

The Transport Layer Security (TLS) specification list system value is also known as QSSLCSL. You can use this system value to define the System TLS cipher specification list.

Quick reference | |
---|---|

Location | From IBM® Navigator for i, select . Click on Security and click Properties, then select the System TLS tab. |

Special authority | Input/output (I/O) system configuration (*IOSYSCFG), all object (*ALLOBJ), and security administrator (*SECADM). |

Default value | *AES_128_GCM_SHA256 *AES_256_GCM_SHA384 *CHACHA20_POLY1305_SHA256 *ECDHE_ECDSA_AES_128_GCM_SHA256 *ECDHE_ECDSA_AES_256_GCM_SHA384 *ECDHE_RSA_AES_128_GCM_SHA256 *ECDHE_RSA_AES_256_GCM_SHA384 *ECDHE_ECDSA_CHACHA20_POLY1305_SHA256 *ECDHE_RSA_CHACHA20_POLY1305_SHA256 |

Changes take effect | Immediately for all subsequent System TLS sessions. |

Lockable | Yes. (See Lock function of security-related system values for details.) |

## What can I do with this system value?

If you specify the Use user-defined (*USRDFN) option for the Transport Layer Security cipher control (QSSLCSLCTL) system value, you can define the Transport Layer Security cipher specification list (QSSLCSL) system value. If the QSSLCSLCTL system value is system defined, the QSSLCSL system value is read-only.

The System TLS property page lists all the TLS protocol values supported by System TLS. System TLS uses the sequence of the values in the QSSLCSL system value to order the default cipher specification list. The default cipher specification list entries are system defined and can change with different releases. If a default cipher suite is removed from the QSSLCSL system value, the cipher suite is removed from the default list. The default cipher suite is added back to the default cipher specification list when it is added back into the QSSLCSL system value. The System TLS property page lists all the TLS protocol values supported by System TLS. System TLS uses the sequence of the values in the QSSLCSL system value to order the default cipher specification list. The default cipher specification list entries are system defined and can change with different releases. If a default cipher suite is removed from the QSSLCSL system value, the cipher suite is removed from the default list. The default cipher suite is added back to the default cipher specification list when it is added back into the QSSLCSL system value. The default cipher specification list values, but not order, can also be changed by using System Service Tools (SST) Advanced Analysis command SSLCONFIG. You cannot add other cipher suites to the default list beyond the set that the system defines as eligible for the release.

You cannot add a cipher suite to the QSSLCSL system value if the required TLS protocol value for the cipher suite is not set for the Transport Layer Security protocols (QSSLPCL) system value.

This system value can have the following values:

- *AES_128_GCM_SHA256
- Use the Advanced Encryption Standard (AES) cipher with Galois/Counter mode (GCM) and 128 bit keys. Use Secure Hash Algorithm 256 (SHA256) for generating the message authentication code (MAC).
- *AES_256_GCM_SHA384
- Use the Advanced Encryption Standard (AES) cipher with Galois/Counter mode (GCM) and 256 bit keys. Use Secure Hash Algorithm 384 (SHA384) for generating the message authentication code (MAC).
- *CHACHA20_POLY1305_SHA256
- Use the ChaCha stream cipher with 20 rounds, 96-bit nonce, and 256 bit keys with Poly1305 authenticator. Use Secure Hash Algorithm 256 (SHA256) for generating the message authentication code (MAC).
- *RSA_AES_128_GCM_SHA256
- Use the Rivest Shamir Adleman (RSA) public key algorithm with the Advanced Encryption Standard (AES) cipher with Galois/Counter mode (GCM) and 128 bit keys. Use Secure Hash Algorithm 256 (SHA256) for generating the message authentication code (MAC).
- *RSA_AES_256_GCM_SHA384
- Use the RSA public key algorithm with the AES cipher with GCM and 256 bit keys. Use Secure Hash Algorithm 384 (SHA384) for generating the MAC.
- *ECDHE_ECDSA_NULL_SHA
- Use the Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key exchange algorithm with the Elliptic Curve Digital Signature Algorithm (ECDSA) signature algorithm but do not use any cipher. Use Secure Hash Algorithm 1 (SHA-1) for generating the MAC.
- *ECDHE_ECDSA_RC4_128_SHA
- Use the ECDHE key exchange algorithm with the ECDSA signature algorithm with the Rivest Cipher 4 (RC4) cipher and 128 bit keys. Use SHA-1 for generating the MAC.
- *ECDHE_ECDSA_3DES_EDE_CBC_SHA
- Use the ECDHE key exchange algorithm with the ECDSA signature algorithm with the Triple Data Encryption Standard (3DES) cipher with the encrypt/decrypt/encrypt (EDE) and cipher block chaining (CBC) modes and 168 bit keys. Use SHA-1 for generating the MAC.
- *ECDHE_RSA_NULL_SHA
- Use the ECDHE key exchange algorithm with the RSA public key algorithm but do not use any cipher. Use SHA-1 for generating the MAC.
- *ECDHE_RSA_RC4_128_SHA
- Use the ECDHE key exchange algorithm with the RSA public key algorithm with the RC4 cipher and 128 bit keys. Use SHA-1 for generating the MAC.
- *ECDHE_RSA_3DES_EDE_CBC_SHA
- Use the ECDHE key exchange algorithm with the RSA public key algorithm with the 3DES cipher with the EDE and CBC modes and 168 bit keys. Use SHA-1 for generating the MAC.
- *ECDHE_ECDSA_AES_128_CBC_SHA256
- Use the ECDHE key exchange algorithm with the ECDSA signature algorithm with the AES cipher with CBC and 128 bit keys. Use SHA256 for generating the MAC.
- *ECDHE_ECDSA_AES_256_CBC_SHA384
- Use the ECDHE key exchange algorithm with the ECDSA signature algorithm with the AES cipher with CBC and 256 bit keys. Use SHA384 for generating the MAC.
- *ECDHE_RSA_AES_128_CBC_SHA256
- Use the ECDHE key exchange algorithm with the RSA public key algorithm with the AES cipher with CBC and 128 bit keys. Use SHA256 for generating the MAC.
- *ECDHE_RSA_AES_256_CBC_SHA384
- Use the ECDHE key exchange algorithm with the RSA public key algorithm with the AES cipher with CBC and 256 bit keys. Use SHA384 for generating the MAC.
- *ECDHE_ECDSA_AES_128_GCM_SHA256
- Use the ECDHE key exchange algorithm with the ECDSA signature algorithm with the AES cipher with GCM and 128 bit keys. Use SHA256 for generating the MAC.
- *ECDHE_ECDSA_AES_256_GCM_SHA384
- Use the ECDHE key exchange algorithm with the ECDSA signature algorithm with the AES cipher with GCM and 256 bit keys. Use SHA384 for generating the MAC.
- *ECDHE_RSA_AES_128_GCM_SHA256
- Use the ECDHE key exchange algorithm with the RSA public key algorithm with the AES cipher with GCM and 128 bit keys. Use SHA256 for generating the MAC.
- *ECDHE_RSA_AES_256_GCM_SHA384
- Use the ECDHE key exchange algorithm with the RSA public key algorithm with the AES cipher with GCM and 256 bit keys. Use SHA384 for generating the MAC.
- *ECDHE_ECDSA_CHACHA20_POLY1305_SHA256
- Use the ECDHE key exchange algorithm with the ECDSA signature algorithm with the ChaCha stream cipher with 20 rounds, 96-bit nonce, and 256 bit keys with Poly1305 authenticator. Use SHA256 for generating the MAC.
- *ECDHE_RSA_CHACHA20_POLY1305_SHA256
- Use the ECDHE key exchange algorithm with the RSA public key algorithm with the ChaCha stream cipher with 20 rounds, 96-bit nonce, and 256 bit keys with Poly1305 authenticator. Use SHA256 for generating the MAC.
- *RSA_AES_128_CBC_SHA256
- Use the RSA encoding algorithms for the AES cipher with CBC and 128 bit keys. Use Secure Hash Algorithm 256 (SHA256) for generating MAC.
- *RSA_AES_128_CBC_SHA
- Use the RSA encoding algorithms for the Advanced Encryption Standard (AES) cipher with cipher block chaining (CBC) and 128 bit keys. Use Secure Hash Algorithm (SHA) for generating message authentication codes (MAC).
- *RSA_AES_256_CBC_SHA256
- Use the RSA encoding algorithms for the AES cipher with CBC and 256 bit keys. Use SHA256 for generating MAC.
- *RSA_AES_256_CBC_SHA
- Use the RSA encoding algorithms for the AES cipher with CBC and 256 bit keys. Use SHA for generating MAC.
- *RSA_3DES_EDE_CBC_SHA
- Use the RSA encoding algorithms for the Triple Data Encryption Standard (3DES) cipher with the encrypt/decrypt/encrypt (EDE) and CBC modes and 168 bit keys. Use SHA for generating MAC.
- *RSA_RC4_128_SHA
- Use the RSA encoding algorithms for Rivest Cipher 4 (RC4) and 128 bit keys. Use SHA for generating MAC.
- *RSA_RC4_128_MD5
- Use the RSA encoding algorithms for the RC4 cipher and 128 bit keys. Use message digest algorithm 5 (MD5) for generating MAC.
- *RSA_DES_CBC_SHA
- Use the RSA encoding algorithms for the Data Encryption Standard (DES) cipher with the CBC mode and 56 bit keys. Use SHA for generating MAC.
- *RSA_EXPORT_RC2_CBC_40_MD5
- Use the RSA encoding algorithms for Rivest Cipher 2 (RC2) with the CBC mode and 40 bit keys. Use MD5 for generating MAC.
- *RSA_EXPORT_RC4_40_MD5
- Use the RSA encoding algorithms for the RC4 cipher and 40 bit keys. Use MD5 for generating MAC.
- *RSA_NULL_SHA256
- Use the RSA encoding algorithms but do not use any cipher. Use SHA256 for generating MAC.
- *RSA_NULL_SHA
- Use the RSA encoding algorithms but do not use any cipher. Use SHA for generating MAC.
- *RSA_NULL_MD5
- Use the RSA encoding algorithms but do not use any cipher. Use MD5 for generating MAC.
- *RSA_RC2_CBC_128_MD5
- Use the RSA encoding algorithms for the RC2 cipher with the CBC mode and 128 bit keys. Use MD5 for generating MAC.
- *RSA_3DES_EDE_CBC_MD5
- Use the RSA encoding algorithms for the 3DES cipher with the EDE and CBC modes and 168 bit keys. Use MD5 for generating MAC.
- *RSA_DES_CBC_MD5
- Use the RSA encoding algorithms for the DES cipher with the CBC mode and 56 bit keys. Use MD5 for generating MAC.