Transport Layer Security (TLS) is a protocol for encrypting and authenticating computer communications. TLS is still often referred to by the name of its predecessor, the Secure Sockets Layer (SSL).
The x3270 family supports TLS for host sessions. It generally tries to use the most recent version of TLS supported by the workstation platform.
On macOS, x3270 uses the Secure Transport facility.
On Microsoft Windows, the x3270 family uses the Schannel facility.
x3270 can use TLS in one of two ways, either through an encrypted tunnel or via TELNET option negotiation.
An encrypted tunnel is signaled by the L: prefix on the host name (or by an explicit option in the user interface). As soon as the TCP session to the host is established, x3270 begins TLS negotiations, and the entire session is TLS-encrypted.
Without an encrypted tunnel, the emulator waits for the host to begin TELNET negotiation instead. One of the options the host can request is DO STARTTLS, which x3270 will accept with WILL STARTTLS. Once STARTTLS messages have been exchanged, TLS negotiation begins, and the remainder of the session is TLS-encrypted.
Some hosts require an encrypted tunnel, but others support either mode via a timeout. When a host supports either mode, it waits for the emulator to begin TLS negotiations. If no TLS negotiation comes within a few seconds, the host begins TELNET negotiation, and requests STARTTLS. Thus, if you know that your host is going to request an encrypted session anyway, it is faster to specify an encrypted tunnel.
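The two modes look different on the wire, which is useful when checking a capture to see whether a session was encrypted from its first byte. The following sketch is an added example, not x3270 code: it classifies a session from the emulator's first bytes and walks the STARTTLS exchange described above. The byte values (TELNET option 46, FOLLOWS subcommand 1) and the FOLLOWS subnegotiation are taken from the TELNET START_TLS Internet-Draft and are assumptions here, since this page does not give them; the function names are hypothetical.

```python
# Added example. Constants follow the TELNET START_TLS Internet-Draft
# (assumed; the page itself does not list byte values).
IAC, DO, DONT, WILL, WONT, SB, SE = 255, 253, 254, 251, 252, 250, 240
STARTTLS, FOLLOWS = 46, 1
TLS_FOLLOWS = bytes([IAC, SB, STARTTLS, FOLLOWS, IAC, SE])


def session_mode(first_client_bytes: bytes) -> str:
    """Classify a captured session by the first bytes the emulator sent."""
    # A TLS handshake record starts with content type 0x16, major version 0x03.
    if first_client_bytes[:2] == b"\x16\x03":
        return "tunnel"    # encrypted tunnel: TLS from the first byte
    if first_client_bytes[:1] == bytes([IAC]):
        return "telnet"    # cleartext TELNET negotiation, may upgrade later
    return "unknown"


def client_negotiate(host_bytes: bytes):
    """Walk the host's TELNET commands as the emulator would.

    Returns (replies, tls_offset). tls_offset is the index in host_bytes
    where TLS records begin, or None if no STARTTLS exchange completed.
    """
    replies, i = bytearray(), 0
    while i + 2 < len(host_bytes) and host_bytes[i] == IAC:
        cmd, opt = host_bytes[i + 1], host_bytes[i + 2]
        if cmd == DO and opt == STARTTLS:
            # Accept: WILL STARTTLS, then announce that TLS follows.
            replies += bytes([IAC, WILL, STARTTLS]) + TLS_FOLLOWS
            i += 3
        elif cmd == SB and host_bytes[i:i + 6] == TLS_FOLLOWS:
            # Host confirmed; everything after this point is TLS.
            return bytes(replies), i + 6
        elif cmd in (DO, DONT, WILL, WONT):
            i += 3         # other options: left to the normal TELNET handler
        else:
            break
    return bytes(replies), None


if __name__ == "__main__":
    # Constructed host stream: DO STARTTLS, SB STARTTLS FOLLOWS, then TLS.
    host = bytes([IAC, DO, STARTTLS]) + TLS_FOLLOWS + b"\x16\x03\x03"
    print(client_negotiate(host))
```

A `tls_offset` of `None` means everything in that buffer travelled in cleartext, which is the case to flag when a host was expected to request STARTTLS.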
TLS can be controlled by a number of different settings. See TLS resources.
Wikipedia article on TLS