Transport Layer Security

Description
Transport Layer Security (TLS) is a protocol for encrypting and authenticating computer communications. TLS is still often referred to by the name of its predecessor, the Secure Sockets Layer (SSL).

x3270 supports TLS for host sessions. It generally tries to use the most recent version of TLS supported by the workstation platform.

TLS Implementations
On Linux and other Unix-like platforms, x3270 uses the OpenSSL library.

On MacOS, x3270 uses the Secure Transport facility.

On Microsoft Windows, x3270 uses the Schannel facility.

The full protocol stack is documented here.

Protocol negotiation
x3270 can use TLS in one of two ways, either through an encrypted tunnel or via TELNET option negotiation.

An encrypted tunnel is signaled by the L prefix on the host name (or by an explicit option in the user interface). As soon as the TCP session to the host is established, x3270 begins TLS negotiations, and the entire session is TLS-encrypted.

Without an encrypted tunnel, x3270 waits for the host to begin TELNET negotiation instead. One of the options the host can request is DO STARTTLS, which x3270 will accept with WILL STARTTLS. Once STARTTLS messages have been exchanged, TLS negotiation begins, and the remainder of the session is TLS-encrypted.

Some hosts require an encrypted tunnel, but others support either mode via a timeout. When a host supports either mode, it waits for the emulator to begin TLS negotiations. If no TLS negotiation comes within a few seconds, the host begins TELNET negotiation, and requests STARTTLS. Thus, if you know that your host is going to request an encrypted session anyway, it is faster to specify an encrypted tunnel in x3270.
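The two negotiation paths above, as an added illustration that is not x3270's own code: a small Python model that splits the tunnel decision from the Telnet STARTTLS exchange. It assumes the tunnel prefix is written as "L:" in front of the host name, uses the IANA-registered Telnet option number 46 for START-TLS, refuses every other DO request with WONT (a simplification; the real emulator negotiates several options), and the host names, port 992 and the sample host bytes are constructed for the example.

```python
import ssl

# Telnet command bytes (RFC 854) and the IANA-registered START-TLS option number.
IAC, DONT, DO, WONT, WILL = 255, 254, 253, 252, 251
TELOPT_STARTTLS = 46
TELOPT_TERMINAL_TYPE = 24  # used only to build a sample "other option" request


def tls_mode_for_host(hostspec):
    """Split an x3270-style host specification into (mode, host).

    Assumption: the encrypted-tunnel prefix is written "L:" before the host
    name; anything else means "wait for the host to request STARTTLS".
    """
    if hostspec.startswith("L:"):
        return "tunnel", hostspec[2:]
    return "starttls", hostspec


def respond_to_negotiation(host_bytes):
    """Answer the host's Telnet DO requests the way the text describes.

    DO STARTTLS is accepted with WILL STARTTLS; every other DO is refused
    with WONT in this simplified model. Returns (reply, starttls_agreed).
    """
    reply = bytearray()
    agreed = False
    i = 0
    while i < len(host_bytes):
        b = host_bytes[i]
        if b == IAC and i + 1 < len(host_bytes) and host_bytes[i + 1] == IAC:
            i += 2  # IAC IAC is an escaped literal 0xFF data byte, not a command
        elif b == IAC and i + 2 < len(host_bytes) and host_bytes[i + 1] == DO:
            opt = host_bytes[i + 2]
            if opt == TELOPT_STARTTLS:
                reply += bytes([IAC, WILL, opt])
                agreed = True
            else:
                reply += bytes([IAC, WONT, opt])
            i += 3
        else:
            i += 1  # ordinary data byte
    return bytes(reply), agreed


def session_plan(hostspec, host_bytes=b""):
    """Return the ordered steps the emulator takes for this host.

    host_bytes is what the host sent after the TCP connect; it is only
    consulted in STARTTLS mode, because in tunnel mode the TLS handshake
    starts before any Telnet data is exchanged.
    """
    mode, host = tls_mode_for_host(hostspec)
    steps = ["tcp-connect:" + host]
    if mode == "tunnel":
        steps += ["tls-handshake", "telnet-negotiation"]
        return steps
    _reply, agreed = respond_to_negotiation(host_bytes)
    steps.append("telnet-negotiation")
    steps.append("tls-handshake" if agreed else "plaintext")
    return steps


def open_tls(sock, accept_name):
    """Wrap an already-connected socket in TLS, verifying the host certificate
    against accept_name. create_default_context() turns on certificate and
    host-name verification and picks the newest TLS version the platform's
    OpenSSL supports, which matches the behaviour described above."""
    ctx = ssl.create_default_context()
    return ctx.wrap_socket(sock, server_hostname=accept_name)


# Constructed samples: a host that requests STARTTLS, and one that never does.
SAMPLE_STARTTLS_HOST = bytes([IAC, DO, TELOPT_STARTTLS])
SAMPLE_PLAIN_HOST = bytes([IAC, DO, TELOPT_TERMINAL_TYPE])

if __name__ == "__main__":
    print(session_plan("L:mainframe.example:992"))
    print(session_plan("mainframe.example:23", SAMPLE_STARTTLS_HOST))
    print(session_plan("mainframe.example:23", SAMPLE_PLAIN_HOST))
```

The last plan shows the case worth watching on the defender side: without the tunnel prefix, a host that never sends DO STARTTLS leaves the session in plaintext, so the TLS indication in the Operator Information Area (or the Tls query in s3270) is the check that the negotiation actually happened.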

Security indication
In x3270, c3270, wc3270 and wx3270, the TLS state of a session is indicated in the Operator Information Area.

In s3270, the TLS state can be found through the Tls query.

Options
TLS can be controlled by a number of different settings. See TLS resources.

Each connection can also have its own TLS-related parameters. See TLS prefixes and accept name.