Variants of Diffie-Hellman

There are three main variants of Diffie-Hellman in SSL/TLS.

Anonymous mode: Anonymous mode does not use authentication and is therefore vulnerable to man-in-the-middle attacks. You should not use anonymous Diffie-Hellman.
Static mode: Static Diffie-Hellman reuses at least one of the two DH private keys unchanged for all connections. If both DH private keys are reused, the term "static-static" is used. If only one side uses the same key, the term is “ephemeral-static”. In some implementations, it might make sense to have one static DH private key, especially on the server side, for performance reasons.
Ephemeral mode: Ephemeral Diffie-Hellman generates a new temporary DH private key for every connection, which enables PFS. When both sides always create new DH private keys for new connections, this is called “ephemeral-ephemeral”.

On z/VSE, only ephemeral mode is supported. The VSE side always creates a new DH private key for a new connection. It is not possible to provide a pre-generated DH private key to the API. The related SSL cipher suites are all prefixed with DHE-RSA. The next section shows how to set up and use DHE-RSA on z/VSE.