Modifying elliptic curve key length on z/OS
You can modify the GSK_CLIENT_ECURVE_LIST environment variable to set the list of elliptic curves or supported groups that the client specifies. The value is a string of one or more 4-character values, in order of preference. Supply the variable through a CEEOPTS DD statement:
//CEEOPTS DD DSN=<dataset-name>,DISP=SHR
In the dataset referenced above, specify the list that you want to use, for example:
ENVAR("GSK_CLIENT_ECURVE_LIST=002300240025")
Ensure you reference a sequential dataset, or partitioned dataset member, to allow this to work when using an SSLTASKS value greater than one.
You can also use the server-side equivalent of GSK_CLIENT_ECURVE_LIST, which is GSK_SERVER_ALLOWED_KEX_ECURVES. See Limiting key exchange elliptic curves for more information.
In addition, see Table 5 in Cipher suite definitions for a list of valid 4-character elliptic curve and supported groups specifications.
The default specification is 00210023002400250019. If TLS V1.3 is enabled, 0029 (x25519) is appended to the end of the default list.
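As an added example (not IBM's code), the following Python check splits a candidate list into its 4-character values, flags weak, duplicate or unrecognised entries, and builds the ENVAR line for the CEEOPTS dataset. The code-to-curve table assumes the values are IANA TLS supported-group numbers written in decimal, of which this page confirms only 0029 (x25519); the strength figures, the 128-bit threshold and all function names are illustrative assumptions.

```python
# Added example: decode and review a GSK_CLIENT_ECURVE_LIST value before deployment.
# ASSUMPTION: codes are IANA TLS supported-group numbers written as 4 decimal
# digits (the page confirms only 0029 = x25519); verify against Table 5.
# Strengths are commonly cited approximate security levels in bits.
KNOWN_GROUPS = {
    "0019": ("secp192r1", 96),
    "0021": ("secp224r1", 112),
    "0023": ("secp256r1", 128),
    "0024": ("secp384r1", 192),
    "0025": ("secp521r1", 256),
    "0029": ("x25519", 128),
}
DEFAULT_LIST = "00210023002400250019"  # default specification stated on the page

def effective_default(tls13_enabled):
    """Default list, with 0029 appended when TLS V1.3 is enabled."""
    return DEFAULT_LIST + ("0029" if tls13_enabled else "")

def parse_ecurve_list(value):
    """Split the string into 4-character codes, keeping preference order."""
    if not value or len(value) % 4 != 0:
        raise ValueError("expected one or more 4-character values")
    return [value[i:i + 4] for i in range(0, len(value), 4)]

def review_ecurve_list(value, min_strength=128):
    """Return findings: unknown codes, duplicates, curves below min_strength."""
    findings, seen = [], set()
    for pos, code in enumerate(parse_ecurve_list(value), start=1):
        name, strength = KNOWN_GROUPS.get(code, (None, None))
        if code in seen:
            findings.append((pos, code, "duplicate entry"))
        elif name is None:
            findings.append((pos, code, "unknown code, check Table 5"))
        elif strength < min_strength:
            findings.append((pos, code, f"{name} is ~{strength}-bit strength"))
        seen.add(code)
    return findings

def envar_line(value):
    """Build the CEEOPTS dataset line, refusing lists that fail review."""
    problems = review_ecurve_list(value)
    if problems:
        raise ValueError(f"list rejected: {problems}")
    return f'ENVAR("GSK_CLIENT_ECURVE_LIST={value}")'
```

Under these assumptions, the default list is flagged for its first and last entries, while the example list 002300240025 passes and keeps only the stronger curves.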