The SHOW.CIPHERLIST procedure facilitates selection of the appropriate
- tlsCipherSuite option (see "-tlsCipherSuite - Specify a cipher suite preference list") in the option files of the FTP client and FTP server.
- -Z CipherSuite option (see "-Z CipherSuite - Specify a cipher suite preference list") in the option files of the TELNET client and TELNET server.
- CIPHER_SUITE option (see "POP3/IMAP servers: SERVER parameter section") in the Mail Reader configuration file.
- tlsCipherSuite option (see Administrator Guide) in the Mail Sender backend configuration file.
SHOW.CIPHERLIST has two parameters.
Parameter
VERBOSITY
This parameter can take three values: LOW, MEDIUM or HIGH; the default is LOW. With the value LOW, the output is a list of cipher suites separated by colons. After optionally adding, removing or reordering suites, this list can alternatively be used as the cipher suite specification for the options named at the outset.
With the value MEDIUM, the output contains one line for every cipher suite with information describing the properties of the respective suite (SSL/TLS version with which the cipher suite was introduced, Kx = symmetric key exchange method, Au = authentication method, Enc = symmetric encryption method and key length, Mac = hash method). With the value HIGH, the output additionally contains the official identifying numbers of the cipher suites as hex values.
PROTOCOL
This parameter restricts the cipher suite list to the ciphers that can be used when the specified TLS protocol is negotiated. Possible values are currently TLS1.2 and TLS1.3, where TLS1.2 is the default.
Procedure run
After it is started, SHOW.CIPHERLIST asks for the cipher suite to be specified. Once you have entered this specification, SHOW.CIPHERLIST outputs a list of cipher suites, one beneath the other and separated by colons (:). In the handshake procedure, an FTP client started with this option would send this list (in this order) to the server as acceptable cipher suites. The order is relevant here, as most servers select the first suite in this list that is included in the set of cipher suites they accept.
After the list has been output, SHOW.CIPHERLIST asks again for a cipher suite to be specified. As soon as you have found the required option string, you can terminate the procedure by entering quit.
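The selection rule described above, applied to shortened excerpts of the two LOW lists from this page's example. This is an added example, not part of the original documentation; the server's accepted set `SERVER` and all function names are assumptions. It shows that moving the ECDH suites to the end of the list changes which suite is negotiated.

```python
import re

# Excerpts of the two LOW-verbosity lists in this page's example, in the page's
# order; the terminal line wrap inside a suite name is simulated (constructed).
LIST_DEFAULT = """ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA
384:ECDHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA"""
LIST_ECDH_LAST = """DHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:AES128-SHA:ECDHE-ECDSA-AES256-GCM-SH
A384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"""

# Hypothetical server: offers one ECDHE suite and one static-RSA suite, no DHE.
SERVER = {"ECDHE-RSA-AES256-GCM-SHA384", "AES256-GCM-SHA384"}

def parse_cipherlist(text):
    """Rejoin terminal-wrapped LOW output and split it into suite names."""
    joined = re.sub(r"\s+", "", text)  # suite names never contain whitespace
    return [name for name in joined.split(":") if name]

def negotiate(client_list, server_accepts):
    """Rule from the text: the first client suite that the server accepts."""
    for suite in client_list:
        if suite in server_accepts:
            return suite
    return None  # no common suite: the handshake fails

def has_forward_secrecy(suite):
    """In OpenSSL's TLS 1.2 names, ephemeral key exchange is an ECDHE-/DHE- prefix."""
    return suite.startswith(("ECDHE-", "DHE-"))

def outcome(list_text, server_accepts):
    """Return (negotiated suite, whether it provides forward secrecy)."""
    suite = negotiate(parse_cipherlist(list_text), server_accepts)
    return suite, suite is not None and has_forward_secrecy(suite)

if __name__ == "__main__":
    for label, text in (("default order", LIST_DEFAULT),
                        ("ECDH moved last", LIST_ECDH_LAST)):
        print(label, outcome(text, SERVER))
```

Against this server the reordered list negotiates a static-RSA suite, because every ECDH suite now sits behind the RSA suites in the client's preference order.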
Example
/CALL-PROCEDURE *LIB($.SYSSPR.TCP-IP-AP.nnn,SHOW.CIPHERLIST),(VERBOSITY=LOW)
SSL Cipher List Show Utility
Copyright (c) [...] Fujitsu Technology Solutions GmbH, All Rights Reserved
Show SSL Cipher List corresponding to cipher selection string.
-------------------------------------------------------------------------------
%Cipher selection string: ALL:!ADH:!AECDH:!NULL:!SEED:!CAMELLIA:!ARIA
% BLS0523 ELEMENT 'OPENSSL' [...]
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA
384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-P
OLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-CCM
:DHE-RSA-AES256-CCM8:DHE-RSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-
AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDS
A-AES128-CCM8:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES128-CCM8:DHE-RSA-AES128-CCM:ECDH
E-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES2
56-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA25
6:DHE-DSS-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES2
56-SHA:DHE-DSS-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AE
S128-SHA:DHE-DSS-AES128-SHA:AES256-GCM-SHA384:AES256-CCM8:AES256-CCM:AES128-GCM-
SHA256:AES128-CCM8:AES128-CCM:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA
%Cipher selection string: ALL:!ADH:!AECDH:!NULL:!SEED:!CAMELLIA:!ARIA:-CHACHA20:
-ECDH:ECDH
% BLS0523 ELEMENT 'OPENSSL' [...]
DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM8:DHE-RSA-
AES256-CCM:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CC
M8:DHE-RSA-AES128-CCM:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES128
-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES1
28-SHA:DHE-DSS-AES128-SHA:AES256-GCM-SHA384:AES256-CCM8:AES256-CCM:AES128-GCM-SH
A256:AES128-CCM8:AES128-CCM:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:EC
DHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM8:
ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-AES128-CCM:ECDHE-ECDSA-AES256-SHA384:ECDHE-
RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-
AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDH
E-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
%Cipher selection string: quit
/CALL-PROCEDURE *LIB($.SYSSPR.TCP-IP-AP.nnn,SHOW.CIPHERLIST),(VERBOSITY=MEDIUM)
SSL Cipher List Show Utility
Copyright (c) [...] Fujitsu Technology Solutions GmbH, All Rights Reserved
Show SSL Cipher List corresponding to cipher selection string.
-------------------------------------------------------------------------------
%Cipher selection string: kRSA:!ARIA:!CAMELLIA:!SEED
% BLS0523 ELEMENT 'OPENSSL' [...]
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES256-CCM8 TLSv1.2 Kx=RSA Au=RSA Enc=AESCCM8(256) Mac=AEAD
AES256-CCM TLSv1.2 Kx=RSA Au=RSA Enc=AESCCM(256) Mac=AEAD
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-CCM8 TLSv1.2 Kx=RSA Au=RSA Enc=AESCCM8(128) Mac=AEAD
AES128-CCM TLSv1.2 Kx=RSA Au=RSA Enc=AESCCM(128) Mac=AEAD
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
%Cipher selection string: quit
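One way to review VERBOSITY=MEDIUM output before turning it into a cipher suite specification. This is an added example, not part of the original documentation; the policy in `findings` and all function names are assumptions chosen for illustration. It parses the Kx/Au/Enc/Mac columns, lists objections per suite, and builds a colon-separated list of the suites that pass.

```python
import re

# The three Kx=RSA lines are copied from the MEDIUM example above; the ECDHE and
# DHE lines are constructed in the same format for contrast.
SAMPLE = """\
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
"""

LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>[^()\s]+)(?:\((?P<bits>\d+)\))?\s+Mac=(?P<mac>\S+)$"
)

def parse_medium(text):
    """Parse MEDIUM lines into dicts; banner and prompt lines do not match."""
    suites = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            suites.append({**m.groupdict(), "bits": int(m["bits"] or 0)})
    return suites

def findings(suite):
    """Objections under the illustrative policy (empty list = acceptable)."""
    issues = []
    if suite["kx"] == "RSA":
        issues.append("static RSA key exchange: no forward secrecy")
    if suite["au"] == "None":
        issues.append("anonymous: peer is not authenticated")
    if suite["enc"] == "None":
        issues.append("NULL encryption")
    elif suite["mac"] != "AEAD":
        issues.append("not an AEAD suite (Mac=%s)" % suite["mac"])
    return issues

def acceptable_spec(text):
    """Colon-separated suites without findings, in the order they were listed."""
    return ":".join(s["name"] for s in parse_medium(text) if not findings(s))

if __name__ == "__main__":
    for s in parse_medium(SAMPLE):
        print(s["name"], findings(s) or "ok")
    print(acceptable_spec(SAMPLE))
```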