Protocols

#

Related IBM reference pages:

Supported Protocols by OS Version

#

7.3

#
  • TLS 1.2
  • TLS 1.1
  • TLS 1.0
  • SSL v3
  • SSL v2

Note: SSLv2 cannot be used if TLSv1.2 is enabled on the system in the QSSLPCL system value

More info

7.2

#
  • TLS 1.2
  • TLS 1.1
  • TLS 1.0
  • SSL v3
  • SSL v2

Note: SSLv2 cannot be used if TLSv1.2 is supported

More info

7.1

#
  • TLS 1.2
  • TLS 1.1
  • TLS 1.0
  • SSL v3
  • SSL v2

Note: TLS 1.2 requires PTF SI48659 (More info)

Note: SSLv2 cannot be used if TLSv1.2 is supported

More info

6.1

#
  • TLS 1.0
  • TLS 1.0 with SSL v3 compatibility
  • SSL v3
  • SSL v2
  • SSL v3 with SSL v2 compatibility

Note:"Version x with Version y compatibility" means that it will first attempt to negotiate Version x, then attempt Version y if Version x fails. If Version y also fails, the SSL handshake will fail.

V5R4

#
  • TLS 1.0
  • TLS 1.0 with SSL v3 compatibility
  • SSL v3
  • SSL v2
  • SSL v3 with SSL v2 compatibility

Note: "Version x with Version y compatibility" means that it will first attempt to negotiate Version x, then attempt Version y if Version x fails. If Version y also fails, the SSL handshake will fail.

*OPSYS Default Values

#

IBM Reference

7.3

#
  • *TLSV1.2
  • *TLSV1.1
  • *TLSV1

7.2

#
  • *TLSV1.2
  • *TLSV1.1
  • *TLSV1

7.1

#
  • *TLSV1
  • *SSLV3

6.1

#
  • *TLSV1
  • *SSLV3

Cipher Suites

#

View Enabled Suites

#

DSPSYSVAL SYSVAL(QSSLCSL)

PTFs that Disabled Cipher Suites

#

7.3

#

MF62780 - Remove 3DES from System SSL/TLS default

7.2

#

MF62778 - Remove 3DES from System SSL/TLS default

MF61243 - Remove RSA_MD5 from System SSL/TLS default

MF60333 - Remove SSLv3 and RC4 from System SSL default

7.1

#

MF62779 - Remove 3DES from System SSL/TLS default

MF61242 - Remove RSA_MD5 from System SSL/TLS default

MF60335 - Remove SSLv3 and RC4 from System SSL default

6.1/6.1.1

#

MF62786/MF62785 - Remove 3DES from System SSL/TLS default

MF60331/MF60338 - Remove SSLv3 and RC4 from System SSL default

Using SST/SSLCONFIG to Re-Enable Cipher Suites

#

To change the System SSL settings with the Start System Service Tools (STRSST) command, follow these steps:

  1. Open a character-based interface.
  2. On the command line, type STRSST.
  3. Type your service tools user name and password.
  4. Select option 1 (Start a service tool).
  5. Select option 4 (Display/Alter/Dump).
  6. Select option 1 (Display/Alter storage).
  7. Select option 2 (Licensed Internal Code (LIC) data).
  8. Select option 14 (Advanced analysis).
  9. Select option 1 (SSLCONFIG).
  10. Enter -h

This will show the help screen that describes the input strings to change the System SSL setting for -eligibleDefaultProtocols and -eligibleDefaultCipherSuites.

View as Markdown