After applying PTF SO12236, Common Components and Services (CCS) 15.0 supports TLS 1.3 on z/OS 2.4 and higher.
Note that PTF SO12236 enables TLS 1.3 capability but does not activate it by default. System administrators must manually update the configuration to transition from TLS 1.2 to TLS 1.3.
This article provides the configuration requirements for the //NETPARM DD member, specifically how to define the required cipher suites and elliptic curve named groups.
CCS 15.0
TLS 1.3
z/OS 2.4 and higher
To enable TLS 1.3, update the //NETPARM member used by your CCISSL or CCISSLGW tasks with the following parameters:
TLS 1.3 uses a completely different set of cipher suites compared to previous versions. You must include these if you wish to support TLS 1.3. Common TLS 1.3 ciphers include:
Note: If you are supporting multiple protocol versions (e.g., PROT=TLS), ensure you list both TLS 1.3 and TLS 1.2 ciphers in your suite list.
TLS 1.3 requires the definition of supported elliptic curves for the key exchange. These are specified using the ECURVE parameter. You can specify these by their common name or their 4-digit hexadecimal identifier.
Example NETPARM Configuration
ECURVE=(SECP256R1,SECP384R1,X25519)
CIPHER_SUITES=(1301,1302,C02B,C02F)
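
A pre-deployment check for the settings above, as an added example that is not part of the original article or of CCS: it parses KEY=(a,b,c) lines in the form the example configuration uses and reports a member that has no TLS 1.3 suite, no ECURVE list, or PROT=TLS without any older suite. The function names are hypothetical, and treating codes 1301-1305 as the TLS 1.3 suites is an assumption taken from the IANA TLS cipher suite registry.

```python
import re

# Assumption: 4-digit codes follow the IANA TLS Cipher Suites registry,
# where TLS 1.3 suites occupy 0x1301-0x1305.
TLS13_CODES = {"1301", "1302", "1303", "1304", "1305"}
PARAM_RE = re.compile(r"^\s*([A-Z_0-9]+)\s*=\s*\(?([^)]*)\)?\s*$")


def parse_netparm(text):
    """Return {KEYWORD: [values]} for KEY=value and KEY=(v1,v2,...) lines."""
    params = {}
    for line in text.splitlines():
        m = PARAM_RE.match(line.upper())
        if m:
            params[m.group(1)] = [v.strip() for v in m.group(2).split(",") if v.strip()]
    return params


def check_tls13_ready(text):
    """Return a list of findings; an empty list means every check passed."""
    p = parse_netparm(text)
    findings = []
    suites = p.get("CIPHER_SUITES", [])
    tls13 = [s for s in suites if s in TLS13_CODES]
    older = [s for s in suites if s not in TLS13_CODES]
    if not tls13:
        findings.append("no TLS 1.3 cipher suite (13xx) in CIPHER_SUITES")
    if not p.get("ECURVE"):
        findings.append("ECURVE is missing or empty; TLS 1.3 key exchange needs named groups")
    # PROT=TLS is the multi-version setting the article mentions.
    if p.get("PROT") == ["TLS"] and not older:
        findings.append("PROT=TLS is set but no TLS 1.2 cipher suite is listed")
    return findings


# The first sample is the article's example; the second is a constructed
# member that still carries only TLS 1.2 settings.
PAGE_EXAMPLE = """\
ECURVE=(SECP256R1,SECP384R1,X25519)
CIPHER_SUITES=(1301,1302,C02B,C02F)
"""
TLS12_ONLY = """\
PROT=TLS
CIPHER_SUITES=(C02B,C02F)
"""

if __name__ == "__main__":
    for name, member in (("page example", PAGE_EXAMPLE), ("TLS 1.2 only", TLS12_ONLY)):
        print(name, "->", check_tls13_ready(member) or "OK")
```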