[z/OS]

Modifying elliptic curve key length on z/OS

This topic describes how to modify the GSK_CLIENT_ECURVE_LIST environment variable, which sets the list of elliptic curves (supported groups) that the client specifies, as a string of one or more 4-character values in order of preference.

Important: You must apply the fix in z/OS® APAR OA61783 so that the operating system can make certain elliptic curves effective on TLS 1.2 or TLS 1.0 negotiated connections.
You can set this TLS environment variable in the channel initiator startup JCL, using the CEEOPTS DD statement:

CEEOPTS DD DSN=<dataset-name>,DISP=SHR
In the dataset referenced above, specify the list that you want to use, for example:

ENVAR("GSK_CLIENT_ECURVE_LIST=002300240025")
Important: Do not use this CEEOPTS statement with in-stream data, as this prevents the environment variable from being set for all TLS tasks using that statement.

Ensure you reference a sequential dataset, or partitioned dataset member, to allow this to work when using an SSLTASKS value greater than one.

You can also use the server-side equivalent of GSK_CLIENT_ECURVE_LIST, which is GSK_SERVER_ALLOWED_KEX_ECURVES. See Limiting key exchange elliptic curves for more information.

In addition, see Table 5 in Cipher suite definitions for a list of valid 4-character elliptic curve and supported groups specifications.

The default specification is 00210023002400250019. If TLS V1.3 is enabled, 0029 (x25519) is appended to the end of the default list.
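The following is an added example, not IBM code and not part of this topic: a small Python helper that validates a GSK_CLIENT_ECURVE_LIST value (non-empty, 4-digit codes only, no unknown or duplicate codes), flags curves in the default list whose estimated strength is below a chosen minimum, and renders the ENVAR line for the CEEOPTS dataset. It assumes that the 4-character decimal codes correspond to the IANA TLS Supported Groups registry numbers (the page's 0029 = x25519 matches that numbering); Table 5 in Cipher suite definitions remains the authoritative list of codes the product accepts. The curve names and strength estimates are the conventional values for those IANA groups.

```python
"""Validate and build a GSK_CLIENT_ECURVE_LIST value for the CEEOPTS dataset.

Added example; not IBM code. Curve names for the 4-character decimal codes
are taken from the IANA TLS Supported Groups registry (assumption: IBM System
SSL uses the same numbering, as the page's 0029 = x25519 suggests). Table 5 in
"Cipher suite definitions" is authoritative for the codes the product accepts.
"""

# 4-character decimal code -> (IANA group name, conventional strength in bits).
# Constructed table; strengths are the usual estimates for these curves.
KNOWN_CURVES = {
    "0019": ("secp192r1", 96),
    "0021": ("secp224r1", 112),
    "0023": ("secp256r1", 128),
    "0024": ("secp384r1", 192),
    "0025": ("secp521r1", 256),
    "0029": ("x25519", 128),
}

DEFAULT_LIST = "00210023002400250019"  # default from the topic (TLS 1.2 and below)
TLS13_APPEND = "0029"                  # appended to the default when TLS 1.3 is enabled


def parse_curve_list(value):
    """Split a GSK_CLIENT_ECURVE_LIST string into its 4-character codes.

    Raises ValueError on malformed input (wrong length, non-digit characters,
    unknown code, or duplicate), since a value that cannot be parsed would not
    give the client the preference order you intended.
    """
    if not value or len(value) % 4 != 0 or not value.isdigit():
        raise ValueError(f"value must be a non-empty string of 4-digit codes: {value!r}")
    codes = [value[i:i + 4] for i in range(0, len(value), 4)]
    unknown = [c for c in codes if c not in KNOWN_CURVES]
    if unknown:
        raise ValueError(f"unknown curve code(s) {unknown}; check Table 5")
    if len(codes) != len(set(codes)):
        raise ValueError("duplicate curve codes in list")
    return codes


def weak_curves(codes, min_bits=128):
    """Return the codes whose estimated strength is below min_bits, in list order."""
    return [c for c in codes if KNOWN_CURVES[c][1] < min_bits]


def build_curve_list(codes, tls13=False):
    """Join codes in preference order; optionally append x25519 for TLS 1.3,
    mirroring what the product does with its default list."""
    codes = list(codes)
    if tls13 and TLS13_APPEND not in codes:
        codes.append(TLS13_APPEND)
    return "".join(codes)


def envar_line(value):
    """Render the line to place in the sequential dataset or PDS member
    referenced by the CEEOPTS DD statement."""
    return f'ENVAR("GSK_CLIENT_ECURVE_LIST={value}")'


def hardened_list(tls13=False, min_bits=128):
    """Derive a list from the product default that drops every curve below
    min_bits while keeping the default's preference order."""
    codes = parse_curve_list(DEFAULT_LIST)
    weak = set(weak_curves(codes, min_bits))
    return build_curve_list([c for c in codes if c not in weak], tls13)


if __name__ == "__main__":
    # Which curves in the default list fall below 128-bit strength?
    print(weak_curves(parse_curve_list(DEFAULT_LIST)))   # ['0021', '0019']
    # The ENVAR line for a list restricted to 256-bit-or-better curves plus x25519.
    print(envar_line(hardened_list(tls13=True)))
```

Running the script prints the two default-list entries below 128 bits (0021 and 0019) and the ENVAR line for a list that keeps only 0023, 0024, 0025 and, for TLS 1.3, 0029. Whether those weaker curves should be removed is a policy decision for the environment, and any list you derive still has to be checked against Table 5.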