CTL_SSL_CIPHER_LIST - UDM Manager configuration option


Description

The CTL_SSL_CIPHER_LIST option specifies the acceptable and preferred SSL/TLS cipher suites to use for the control session between UDM components, or it can be used to disable the SSL/TLS protocol.

The SSL/TLS protocol uses the cipher suites to specify which encryption and message authentication (or message digest) algorithms to use.

Usage

| Method | Syntax | IBM i | UNIX | Windows | z/OS |
|---|---|---|---|---|---|
| Command Line, Short Form | n/a | | | | |
| Command Line, Long Form | -ctl_ssl_cipher_list list | | | | |
| Environment Variable | UDMCTLSSLCIPHERLIST=list | | | | |
| Configuration File Keyword | ctl_ssl_cipher_list list | | | | |
| STRUDM Parameter | CTLCPHRLST(cipherlist) | | | | |

Values

list is a comma-separated list of SSL/TLS cipher suites. The following table identifies the list of SSL/TLS cipher suites supported for this option.

The list is in default order, with the most preferred suite first and the least preferred suite last.
 

| Cipher Suite Name | Description |
|---|---|
| AES256-GCM-SHA384 | 256-bit AES encryption in Galois Counter Mode, SHA-2 384-bit message digest. |
| AES256-SHA | 256-bit AES encryption with SHA-1 message digest. |
| AES128-GCM-SHA256 | 128-bit AES encryption in Galois Counter Mode, SHA-2 256-bit message digest. |
| AES128-SHA | 128-bit AES encryption with SHA-1 message digest. |
| ECDHE-RSA-AES256-GCM-SHA384 | Ephemeral Elliptic Curve Diffie-Hellman Key Exchange, RSA authentication, 256-bit AES encryption in Galois Counter Mode, SHA-2 384-bit message digest. |
| ECDHE-ECDSA-AES256-GCM-SHA384 | Ephemeral Elliptic Curve Diffie-Hellman Key Exchange, ECDSA authentication, 256-bit AES encryption in Galois Counter Mode, SHA-2 384-bit message digest. |
| ECDHE-RSA-AES128-GCM-SHA256 | Ephemeral Elliptic Curve Diffie-Hellman Key Exchange, RSA authentication, 128-bit AES encryption in Galois Counter Mode, SHA-2 256-bit message digest. |
| ECDHE-ECDSA-AES128-GCM-SHA256 | Ephemeral Elliptic Curve Diffie-Hellman Key Exchange, ECDSA authentication, 128-bit AES encryption in Galois Counter Mode, SHA-2 256-bit message digest. |
| RC4-SHA | 128-bit RC4 encryption with SHA-1 message digest. |
| RC4-MD5 | 128-bit RC4 encryption with MD5 message digest. |
| DES-CBC3-SHA | 128-bit Triple-DES encryption with SHA-1 message digest. |
| DES-CBC-SHA | 128-bit DES encryption with SHA-1 message digest. Note: As of Universal Agent 6.7.0.0, DES-CBC-SHA is supported only on HP-UX. Additionally, any Agents on HP-UX that accept connections from, or attempt connections to, Agents on other platforms must be configured with at least one currently supported cipher suite besides DES-CBC-SHA. Therefore, those HP-UX Agents cannot be configured only with DES-CBC-SHA in their list of cipher suites. |
| NULL-SHA256 | No encryption and SHA-2 256-bit message digest. |
| NULL-SHA | No encryption and SHA-1 message digest. |
| NULL-MD5 | No encryption and MD5 message digest. |
| NULL-NULL | No encryption, no data authentication, SSL is not used; instead, Universal V2 Protocol (UNVv2) is used. |

A single value of NULL-NULL instead of the list disables the SSL/TLS protocol. The legacy Universal Products (UNVv2) protocol without encryption and message authentication is used instead of SSL/TLS.

No data privacy or data integrity is provided with the UNVv2 network communications protocol.

NULL-NULL can be specified if the UDM Server ENCRYPT_CONTROL_SESSION configuration option value is no.
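The following added example (not Stonebranch code and not part of the original page) audits a ctl_ssl_cipher_list value against the suite table and the NULL-NULL and DES-CBC-SHA rules above. The function names, the severity labels, the treatment of RC4/DES-family suites as legacy, and the handling of whitespace around commas are assumptions of this example.

```python
# Added example: audit a ctl_ssl_cipher_list value against this page's table.
SUPPORTED = (  # suite names exactly as listed on the page, in default order
    "AES256-GCM-SHA384", "AES256-SHA", "AES128-GCM-SHA256", "AES128-SHA",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256",
    "RC4-SHA", "RC4-MD5", "DES-CBC3-SHA", "DES-CBC-SHA",
    "NULL-SHA256", "NULL-SHA", "NULL-MD5", "NULL-NULL",
)
# Assumption of this example: RC4 and DES-family suites are treated as legacy.
LEGACY = {"RC4-SHA", "RC4-MD5", "DES-CBC3-SHA", "DES-CBC-SHA"}


def audit_cipher_list(value):
    """Return (severity, suite, message) findings for one option value."""
    # Assumption: whitespace around commas is not significant.
    suites = [s.strip() for s in value.split(",") if s.strip()]
    if not suites:
        return [("error", "", "empty cipher list")]
    if suites == ["NULL-NULL"]:
        return [("critical", "NULL-NULL",
                 "SSL/TLS disabled; UNVv2 gives no privacy or integrity")]
    findings = []
    for s in suites:
        if s not in SUPPORTED:
            findings.append(("error", s, "not in the supported suite table"))
        elif s == "NULL-NULL":
            findings.append(("error", s, "documented only as a single value"))
        elif s.startswith("NULL-"):
            findings.append(("high", s, "no encryption, digest only"))
        elif s in LEGACY:
            findings.append(("warning", s, "legacy RC4/DES-family suite"))
    if set(suites) == {"DES-CBC-SHA"}:
        findings.append(("error", "DES-CBC-SHA",
                         "needs at least one other supported suite (HP-UX note)"))
    return findings


def worst(findings):
    """Highest severity present, or 'ok' when there are no findings."""
    order = ["ok", "warning", "high", "error", "critical"]
    return max((f[0] for f in findings), key=order.index, default="ok")


if __name__ == "__main__":
    # Constructed sample values, not taken from any real configuration.
    for sample in ("AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384",
                   "AES128-SHA, RC4-MD5, NULL-SHA", "DES-CBC-SHA", "NULL-NULL"):
        print(f"{sample!r}: {worst(audit_cipher_list(sample))}")
        for finding in audit_cipher_list(sample):
            print("   ", finding)
```

Running the same check over the value from each place the option can be set (command line, UDMCTLSSLCIPHERLIST, configuration file) shows which source carries a NULL or legacy suite.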