Kisco Systems

Kisco U

TLS and cipher suites

Home : Kisco U : TLS and cipher suites

A cipher is an algorithm that lays out the general principles of securing a network through TLS (the security protocol used by modern SSL certificates). A cipher suite comprises several ciphers working together, each having a different cryptographic function, such as key generation and authentication. The cipher suites used are dictated by the version of TLS that’s configured on your server.

In practice, there is a "handshake" process between the client and server. In the most simple terms, this is a series of messages wherein the server’s public key and SSL certificate is authenticated, culminating in the creation of a session key, which is what encrypts the connection between the client and the server.

Cipher suites dictate how the entire process plays out. The client sends the server a list of the cipher suites it supports, and the server will choose a mutually supported cipher suite that it deems most secure. Depending on the version of TLS being used, this may happen before the handshake or in the very first step.

A cipher suite looks different depending on which version of the TLS protocol is being used. The current standards are TLS 1.2 and 1.3. While 1.3 is the newer and more secure version, 1.2 is still widely used. The difference between these two versions is evident from the number of Ciphers they use and the length of their cipher suites. There are 37 ciphers for TLS 1.2, while TLS 1.3 only has five. For example:

TLS 1.2 cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS 1.3 cipher suite: TLS_AES_256_GCM_SHA384

On IBM i you can choose your TLS level and you can choose which cipher suites to use with it.

This list of cipher suites from IBM will tell you which ones are no longer considered secure:

Working with ciphers

The QSSLCSL system value will tell you which ciphers are installed on your system.

Also in IBM i nav:

Its possible that you are running a current TLS suite, but are using it with an insecure cipher suite.

Read more about monitoring TLS connections.