SSL cipher specifications
When an SSL connection is established, the client (web browser) and the web server negotiate the cipher to use for the connection. The web server has an ordered list of ciphers, and the first cipher in the list that is supported by the client is selected.
Introduction
View the list of current SSL ciphers.
Attention: This list of ciphers could change as a result of updates to industry standards. You can determine the list of ciphers supported in a particular version of IBM® HTTP Server by configuring it to load mod_ibm_ssl and running bin/apachectl -t -f path/to/httpd.conf -DDUMP_SSL_CIPHERS.
The SSLFIPSEnable directive enables Federal Information Processing Standards (FIPS). When the SSLFIPSEnable directive is enabled, the set of ciphers available is restricted as shown, and SSLv2 and SSLv3 are disabled as well as TLSv11 and TLSv12. Only TLSv10 is enabled for FIPS compliance.

- Ciphers should be enabled via their "long name".
- Ciphers containing "ECDHE_RSA" in their name use a standard RSA certificate and can coexist with older RSA ciphers and clients.
- Ciphers containing "ECDHE_ECDSA" in their name require an ECC (Elliptic Curve Cryptography) certificate/key to be created (with gskcapicmd if you are running on a distributed platform, or gskkyman if you are running on z/OS®).
On z/OS, several criteria must be met to use "ECDHE" ciphers:
- z/OS V1R13 with OA39422, or later, is required to use TLSv1.2 on z/OS.
- ICSF must be available to use ECC or AES-GCM ciphers. See "RACF® CSFSERV Resource Requirements" in the z/OS Cryptographic Services System SSL Programming for more information.
SSL and TLS ciphers
Attention: Note the following SSL and TLS cipher values:
- - = cipher that is not valid for the protocol
- d = cipher is enabled by default
- y = cipher is valid but not enabled by default
Attention: TLS v1.1 and v1.2 are available on the z/OS operating system on version V1R13 with OA39422, or later.

Short name | Long name | Key size (bits) | FIPS | SSLv2 | SSLv3 | TLSv10 | TLSv11 | TLSv12 |
---|---|---|---|---|---|---|---|---|
35 | SSL_RSA_WITH_RC4_128_SHA | 128 | - | - | Y | Y | Y | Y |
34 | SSL_RSA_WITH_RC4_128_MD5 | 128 | - | - | Y | Y | Y | - |
9C | TLS_RSA_WITH_AES_128_GCM_SHA256 | 128 | Y | - | - | - | - | d |
9D | TLS_RSA_WITH_AES_256_GCM_SHA384 | 256 | Y | - | - | - | - | d |
3C | TLS_RSA_WITH_AES_128_CBC_SHA256 | 128 | Y | - | - | - | - | d |
3D | TLS_RSA_WITH_AES_256_CBC_SHA256 | 256 | Y | - | - | - | - | d |
2F | TLS_RSA_WITH_AES_128_CBC_SHA | 128 | Y | - | Y | d | d | d |
35b | TLS_RSA_WITH_AES_256_CBC_SHA | 256 | Y | - | Y | d | d | d |
3A | SSL_RSA_WITH_3DES_EDE_CBC_SHA | 168 | Y | - | Y | Y | Y | Y |
C007 | TLS_ECDHE_ECDSA_WITH_RC4_128_SHA | 128 | Y | - | - | - | - | Y* |
C008 | TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA | 168 | Y | - | - | - | - | Y* |
C009 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | 128 | Y | - | - | - | - | d* |
C00A | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | 256 | Y | - | - | - | - | d* |
C010 | TLS_ECDHE_RSA_WITH_NULL_SHA | 0 | Y | - | - | - | - | Y* |
C011 | TLS_ECDHE_RSA_WITH_RC4_128_SHA | 128 | Y | - | - | - | - | Y* |
C012 | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | 168 | Y | - | - | - | - | Y* |
C013 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | 128 | Y | - | - | - | - | d* |
C014 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | 256 | Y | - | - | - | - | d* |
C023 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | 128 | Y | - | - | - | - | d* |
C024 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | 256 | Y | - | - | - | - | d* |
C027 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | 128 | Y | - | - | - | - | d* |
C028 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | 256 | Y | - | - | - | - | d* |
C02B | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | 128 | Y | - | - | - | - | d* |
C02C | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | 256 | Y | - | - | - | - | d* |
C02F | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | 128 | Y | - | - | - | - | d* |
C030 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | 256 | Y | - | - | - | - | d* |
Note: ECDHE ciphers are enabled by default for TLSv1.2, except on z/OS platforms (denoted with d*).
![[9.0.0.6 or later]](../images/ng9006.gif)
Weaker ciphers, not enabled by default:
Short name | Long name | Key size (bits) | FIPS | SSLv2 | SSLv3 | TLSv10 | TLSv11 | TLSv12 |
---|---|---|---|---|---|---|---|---|
39 | SSL_RSA_WITH_DES_CBC_SHA | 56 | - | - | y | y | y | - |
33 | SSL_RSA_EXPORT_WITH_RC4_40_MD5 | 40 | - | - | y | y | - | - |
36 | SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 | 40 | - | - | y | y | - | - |
62 | TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA | 56 | - | - | y | y | - | - |
64 | TLS_RSA_EXPORT1024_WITH_RC4_56_SHA | 56 | - | - | y | y | - | - |
32 | SSL_RSA_WITH_NULL_SHA | 0 | - | - | y | y | y | y |
31 | SSL_RSA_WITH_NULL_MD5 | 0 | - | - | y | y | y | - |
3B | TLS_RSA_WITH_NULL_SHA256 | 0 | Y | - | - | - | - | y |
30 | SSL_NULL_WITH_NULL_NULL | 0 | - | - | y | y | y | y |
27 | SSL_DES_192_EDE3_CBC_WITH_MD5 | 168 | - | y | - | - | - | - |
21 | SSL_RC4_128_WITH_MD5 | 128 | - | y | - | - | - | - |
23 | SSL_RC2_CBC_128_CBC_WITH_MD5 | 128 | - | y | - | - | - | - |
26 | SSL_DES_64_CBC_WITH_MD5 | 56 | - | y | - | - | - | - |
24 | SSL_RC2_CBC_128_CBC_EXPORT40_WITH_MD5 | 40 | - | y | - | - | - | - |
22 | SSL_RC4_128_EXPORT40_WITH_MD5 | 40 | - | y | - | - | - | - |
FE | SSL_RSA_FIPS_WITH_DES_CBC_SHA | 56 | - | - | - | - | - | - |
FF | SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA | 168 | - | - | - | - | - | - |
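
Because the server selects the first cipher in its ordered list that the client supports, a weak cipher placed early in the list is negotiated even when both sides support a stronger one. The following Python is an added example, not IBM HTTP Server code: it applies that selection rule to long names from the tables above, and the choice of which name tokens count as weak (including RC4 and 3DES) is an assumption of the example.

```python
# Tokens in a cipher long name that this example treats as weak. They are
# read from the long names in the tables on this page; flagging RC4 and 3DES
# alongside the "weaker ciphers" table entries is the example's assumption.
WEAK_TOKENS = {"NULL", "RC2", "RC4", "DES", "3DES", "MD5"}


def weaknesses(long_name):
    """Return the sorted weak-algorithm tokens found in a cipher long name."""
    found = set()
    for token in long_name.upper().split("_"):
        if token.startswith("EXPORT"):  # EXPORT, EXPORT40, EXPORT1024
            found.add("EXPORT")
        elif token in WEAK_TOKENS:
            found.add(token)
    return sorted(found)


def negotiate(server_order, client_offer):
    """First cipher in the server's ordered list that the client supports."""
    offered = set(client_offer)
    for name in server_order:
        if name in offered:
            return name
    return None  # no cipher in common: the handshake would fail


def review(server_order, client_offer):
    """Negotiate, then list clean mutual ciphers the server ordering skipped."""
    chosen = negotiate(server_order, client_offer)
    if chosen is None:
        return {"selected": None, "weak": [], "forward_secrecy": False,
                "passed_over": []}
    weak = weaknesses(chosen)
    offered = set(client_offer)
    # Only meaningful when the selected cipher is weak: every unflagged cipher
    # both sides support must then sit lower in the server's list.
    passed_over = [c for c in server_order
                   if weak and c in offered and not weaknesses(c)]
    return {"selected": chosen, "weak": weak,
            "forward_secrecy": "ECDHE" in chosen.split("_"),
            "passed_over": passed_over}


if __name__ == "__main__":
    # Constructed sample lists, not a real server or client configuration.
    server = ["SSL_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
              "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
    client = list(reversed(server))
    print(review(server, client))
```

A non-empty `passed_over` list means the server's ordering, not the client's capabilities, caused the weak selection; moving or removing the flagged cipher changes the outcome.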