Transport Layer Security

Transport Layer Security (TLS) is a protocol for encrypting and authenticating computer communications. TLS is still often referred to by the name of its predecessor, the Secure Sockets Layer (SSL).

The x3270 family supports TLS for host sessions. It generally tries to use the most recent version of TLS supported by the workstation platform.

TLS Implementations

On POSIX-based platforms, the x3270 family uses the OpenSSL library.

On Microsoft Windows, the x3270 family uses the Schannel facility.

Protocol negotiation

x3270 can use TLS in one of two ways, either through an encrypted tunnel or via TELNET option negotiation.

An encrypted tunnel is signaled by the L: prefix on the host name (or by an explicit option in the user interface). As soon as the TCP session to the host is established, x3270 begins TLS negotiations, and the entire session is TLS-encrypted. New in 4.4: an encrypted tunnel will also be created if the port being connected to is 992 (the secure TELNET port, also known as telnets).

Without an encrypted tunnel, the emulator waits for the host to begin TELNET negotiation instead. One of the options the host can request is DO STARTTLS, which x3270 will accept with WILL STARTTLS. Once STARTTLS messages have been exchanged, TLS negotiation begins, and the remainder of the session is TLS-encrypted.

Some hosts require an encrypted tunnel, but others support either mode via a timeout. When a host supports either mode, it waits for the emulator to begin TLS negotiations. If no TLS negotiation comes within a few seconds, the host begins TELNET negotiation, and requests STARTTLS. Thus, if you know that your host is going to request an encrypted session anyway, it is faster to specify an encrypted tunnel.
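The two negotiation paths described above, as an added Python sketch that is not x3270's own code: it decides from the host string, the port and the host's opening TELNET bytes whether a session ends up tunneled, upgraded via STARTTLS, or left in cleartext. The option number 46 for START_TLS, the simplified prefix parsing and the sample byte strings are assumptions of this example.

```python
IAC, SB, SE = 255, 250, 240
WILL, WONT, DO, DONT = 251, 252, 253, 254
STARTTLS = 46        # TELNET START_TLS option number
TELNETS_PORT = 992

def wants_tunnel(host_spec, port):
    """L: prefix or port 992 means TLS starts right after TCP connect."""
    spec = host_spec
    # Assumption: prefixes are single letters followed by ':', case-insensitive.
    while len(spec) > 2 and spec[1] == ":" and spec[0].isalpha():
        if spec[0].upper() == "L":
            return True
        spec = spec[2:]
    return port == TELNETS_PORT

def telnet_requests(data):
    """Yield (command, option) for each IAC WILL/WONT/DO/DONT in data."""
    i = 0
    while i + 1 < len(data):
        if data[i] != IAC:
            i += 1
        elif data[i + 1] == SB:
            # Skip the subnegotiation body up to IAC SE (IAC IAC is data).
            i += 2
            while i + 1 < len(data) and (data[i], data[i + 1]) != (IAC, SE):
                i += 2 if data[i] == IAC else 1
            i += 2
        elif data[i + 1] in (WILL, WONT, DO, DONT) and i + 2 < len(data):
            yield data[i + 1], data[i + 2]
            i += 3
        else:
            i += 2

def tls_mode(host_spec, port, host_bytes):
    """Return (mode, reply): how, if at all, the session becomes encrypted."""
    if wants_tunnel(host_spec, port):
        return "tunnel", b""
    for cmd, opt in telnet_requests(host_bytes):
        if cmd == DO and opt == STARTTLS:
            return "starttls", bytes([IAC, WILL, STARTTLS])
    return "cleartext", b""      # host never asked for STARTTLS

# Constructed opening bytes from two hypothetical hosts (24 = TERMINAL-TYPE).
HOST_OFFERS_TLS = bytes([IAC, DO, 24, IAC, DO, STARTTLS])
HOST_PLAIN_ONLY = bytes([IAC, DO, 24, IAC, SB, 24, 1, IAC, SE])

if __name__ == "__main__":
    for args in [("L:host.example", 23, b""), ("host.example", 23, HOST_PLAIN_ONLY)]:
        print(args[0], args[1], tls_mode(*args))
```

The "cleartext" result is the case worth auditing for: without the L: prefix or port 992, encryption depends entirely on the host sending DO STARTTLS.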

Security indication

In x3270, c3270, wc3270 and wx3270, the TLS state of a session is indicated in the Operator Information Area.

In s3270, the TLS state can be found through the Tls query.


TLS can be controlled by a number of different settings. See TLS resources.

Each connection can also have its own TLS-related parameters. See TLS prefixes and accept name.

See also

Terminal emulation protocol stack

Wikipedia article on TLS