CIPHERSUITE (FTP client) statement

Use the CIPHERSUITE statement to specify the name of a cipher algorithm that is used during the TLS handshake. Indicates the client’s preference of cipher algorithms.

Note: This parameter is only meaningful if TLSMECHANISM FTP is specified. If TLSMECHANISM ATTLS is specified, then the cipher suites must be configured in the AT-TLS policy.

Syntax

CIPHERSUITE name

Parameters

name

The name of the cipher algorithm. The following name values are allowed:

  • SSL_NULL_MD5
  • SSL_NULL_SHA
  • SSL_RC4_MD5_EX
  • SSL_RC4_MD5
  • SSL_RC4_SHA
  • SSL_RC2_MD5_EX
  • SSL_DES_SHA
  • SSL_3DES_SHA
  • SSL_AES_128_SHA
  • SSL_AES_256_SHA
The name can be interpreted as follows:
SSL_<cipher>_<cipher hash>[_EX]
<cipher> specifies one of the following encryption algorithms:
AES_128
128-bit AES (Advanced Encryption Standard, established by the National Institute of Standards and Technology (NIST))
AES_256
256-bit AES (Advanced Encryption Standard, established by the National Institute of Standards and Technology (NIST))
RC2
Block cipher developed at RSA Data Security
RC4
Stream cipher developed at RSA Data Security
DES
Digital Encryption Standard (56 bits of security)
3DES
Digital Encryption Standard (168 bits of security)
NULL
No algorithm is used. NULL indicates that there is no key exchange.
<cipher hash> specifies one of the following authentication algorithms:
MD5
Message digest algorithm that produces a fixed-size 16-byte output
SHA
Secure Hash Algorithm that produces a 20-byte output

The suffix _EX indicates that the corresponding cipher suite is exportable.

Restrictions:
  • The following cipher suites are subject to export restrictions and might not be available outside of the United States:
    • SSL_3DES_SHA
    • SSL_RC4_SHA
    • SSL_RC4_MD5
    • SSL_AES_128_SHA
    • SSL_AES_256_SHA
  • Only RSA key exchange is supported.

Examples

To indicate that you want to use 3DES encryption and SHA authentication as your first choice, and RC4 encryption and MD5 authentication as your second choice, code the following statements:

CIPHERSUITE SSL_3DES_SHA
CIPHERSUITE SSL_RC4_MD5

Authorization

  • Multiple CIPHERSUITE statements can be coded in the FTP.DATA file.
  • The client specifies the list of encryption types that it supports. The client and server negotiate which of the available ciphers is used for the data encryption by specifying the desired ciphers in order of preference. The actual cipher used is the best match between what the server supports and what the client requests. If the server does not support any of the ciphers that the client requests, the TLS handshake fails and the connection is closed. See the z/OS Cryptographic Services System SSL Programming for a list of ciphers that are included in the base product.
  • The CIPHERSUITE statements are used by the FTP client only when both of the following requirements are met:
    • the SECURE_MECHANISM TLS and TLSMECHANISM FTP statements are coded
    • the FTP client is started with either the -a TLS or the -r TLS start parameter
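As an added example (not part of this reference or of the z/OS FTP client itself), the following Python script parses CIPHERSUITE statements from an FTP.DATA fragment in coded order, models the preference-ordered negotiation described above (assuming the first client preference the server also supports is the one selected, and that no common suite means a failed handshake), and flags entries a defender would remove from the list. The FTP.DATA text is constructed for the example.

```python
import re

# Allowed CIPHERSUITE name values listed on this page.
ALLOWED = {"SSL_NULL_MD5", "SSL_NULL_SHA", "SSL_RC4_MD5_EX", "SSL_RC4_MD5", "SSL_RC4_SHA",
           "SSL_RC2_MD5_EX", "SSL_DES_SHA", "SSL_3DES_SHA", "SSL_AES_128_SHA", "SSL_AES_256_SHA"}
# Name structure from the page: SSL_<cipher>_<cipher hash>[_EX]
NAME_RE = re.compile(
    r"^SSL_(?P<cipher>NULL|RC2|RC4|DES|3DES|AES_128|AES_256)_(?P<hash>MD5|SHA)(?P<ex>_EX)?$")

def parse_ciphersuites(ftp_data: str):
    """CIPHERSUITE names from FTP.DATA text, in coded order (= client preference)."""
    suites = []
    for line in ftp_data.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].upper() == "CIPHERSUITE":
            name = parts[1].upper()
            if name not in ALLOWED:
                raise ValueError(f"unsupported CIPHERSUITE name: {name}")
            suites.append(name)
    return suites

def negotiate(client_prefs, server_supported):
    """Handshake model (assumed): first client preference the server supports wins.
    None means no common suite: the TLS handshake fails and the connection is closed."""
    return next((n for n in client_prefs if n in server_supported), None)

def weaknesses(name: str):
    """Reasons a defender would remove this suite from FTP.DATA (empty = acceptable)."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"malformed CIPHERSUITE name: {name}")
    reasons = []
    if m["cipher"] == "NULL":
        reasons.append("NULL: data is not encrypted")
    elif m["cipher"] not in ("AES_128", "AES_256"):
        reasons.append(f"{m['cipher']}: obsolete cipher (RC2/RC4/DES broken or 56-bit, 3DES deprecated)")
    if m["hash"] == "MD5":
        reasons.append("MD5: weak hash for the record MAC")
    if m["ex"]:
        reasons.append("_EX: export-strength key length, brute-forceable")
    return reasons

# Constructed FTP.DATA fragment (not from the page): weak suites preferred, AES last.
SAMPLE_FTP_DATA = """SECURE_MECHANISM TLS
TLSMECHANISM FTP
CIPHERSUITE SSL_3DES_SHA
CIPHERSUITE SSL_RC4_MD5
CIPHERSUITE SSL_AES_256_SHA
"""
WEAK_ENTRIES = {n: weaknesses(n) for n in parse_ciphersuites(SAMPLE_FTP_DATA) if weaknesses(n)}
```

With the sample list, a server offering only SSL_AES_256_SHA and SSL_RC4_MD5 ends up on SSL_RC4_MD5 because the client placed it first; reordering or dropping the weak CIPHERSUITE lines is the fix.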

Related topics