Environment
Situation
Resolution
Enabling New SSLEncryptionStrength Setting
To enable the SSLEncryptionStrength setting in EXTRA! 9 SP2 or higher, follow these steps:
- Open the session profile (EDP file) for a session whose encryption strength you want to restrict. Session files are normally stored in the user’s Documents folder under Attachmate\EXTRA!\Sessions.
- In the EDP file, add a new setting to the [Connection] section called SSLEncryptionStrength. Valid values are currently 40, 56, 128, 168 and 256.
For example, setting SSLEncryptionStrength=128 results in EXTRA! offering cipher suites that use only 128-bit keys for data encryption during the SSL handshake. If the SSL server supports any of these cipher suites, it chooses the one that provides what it considers to be the greatest level of security at an encryption strength of 128 bits. This cipher suite is then used for the duration of the SSL session.
Omitting this setting from the EDP file or giving it an invalid value results in EXTRA!'s default behavior: offering all valid cipher suites for the selected operating mode (SSL/TLS or FIPS).
Note: This setting is ignored by the other two SSL engines: Microsoft Secure Channel (offered only with IBM Mainframes) and EXTRA!'s legacy SSL (SSL V3.0).
Important Note
By default, Attachmate Security connects at the highest level of security that both EXTRA! and the SSL server support. Use the SSLEncryptionStrength setting only when you want to ensure that a specific level is selected, or when you want a level lower than the highest one supported. We recommend against using this new setting without fully understanding the consequences.
Examples
Setting SSLEncryptionStrength=40 might result in a successful connection to a host system using an encryption strength that is unacceptable for sensitive data transfers.
Alternatively, your system may support a 256-bit encryption strength, but your hardware supports only 168, so you have to lower the level to allow a successful connection.
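To find session profiles where this setting has pinned a low strength, the following added example (not Attachmate code and not part of the original note) classifies the SSLEncryptionStrength value in an EDP file. It assumes the EDP file is INI-style text; the 128-bit policy floor, the case-insensitive matching and the sample profile contents are assumptions made for illustration.

```python
import sys

# Added example, not Attachmate code. Assumptions: the EDP file is INI-style
# text, key and section names match case-insensitively, the last duplicate wins.
VALID = {"40", "56", "128", "168", "256"}  # valid values listed in this note
POLICY_FLOOR = 128  # assumption: local minimum for sensitive data; adjust

def read_strength(edp_text):
    """Return the raw SSLEncryptionStrength value in [Connection], or None."""
    section, value = None, None
    for line in edp_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "connection" and "=" in line:
            key, _, val = line.partition("=")
            if key.strip().lower() == "sslencryptionstrength":
                value = val.strip()
    return value

def audit(edp_text):
    """Classify a profile as 'default', 'weak' or 'restricted'."""
    raw = read_strength(edp_text)
    if raw is None:
        return "default", "setting absent; all valid cipher suites are offered"
    if raw not in VALID:
        return "default", f"invalid value {raw!r}; all valid cipher suites are offered"
    if int(raw) < POLICY_FLOOR:
        return "weak", f"only {raw}-bit cipher suites are offered (below policy floor)"
    return "restricted", f"only {raw}-bit cipher suites are offered"

# Constructed sample profiles (not real session files; Host is a made-up key).
SAMPLE_WEAK = "[Connection]\nHost=mainframe.example\nSSLEncryptionStrength=40\n"
SAMPLE_INVALID = "[Connection]\nSSLEncryptionStrength=512\n"
SAMPLE_OTHER_SECTION = "[Display]\nSSLEncryptionStrength=40\n[Connection]\nHost=x\n"

if __name__ == "__main__":
    # Usage: python audit_edp.py session1.edp session2.edp ...
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            status, detail = audit(fh.read())
        print(f"{path}: {status}: {detail}")
```

The script reads only the profile text, so it cannot tell whether a session uses one of the SSL engines that ignore this setting.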
Additional Information
For information about EXTRA! 9 SP2, see Technical Note 2257.