
Connect:Direct for z/OS added support for the latest Transport Layer Security version 1.3 (TLSv1.3), introduced in IBM z/OS Ver 2.4.

By Ed Peters posted Wed June 23, 2021 03:38 PM


Connect:Direct for z/OS added support for TLSv1.3 introduced in IBM z/OS 2.4.

Secure data transfer support using Transport Layer Security version 1.3 (TLSv1.3)
Security in IBM z/OS version 2.4 has been enhanced with the latest industry standard, the Transport Layer Security version 1.3 (TLSv1.3) protocol. TLS version 1.3 is a major revision of the TLS protocol that is intended to provide better security and improve handshake performance.

TLSv1.3 with Connect:Direct for z/OS adds to the overall security of our product. Below are some highlights:

  1. Speed Benefits:

TLSv1.3 is much faster than its predecessor because the handshake takes less time. In TLSv1.3, a handshake completes in one round trip from both sides. TLSv1.3 needs fewer round trips than TLSv1.2, which reduces the number of negotiations from 4 to 2.

TLSv1.2 vs. TLSv1.3

The shorter TLS handshake has made the connection between different Connect:Direct nodes much faster, with less latency, which improves the enterprise network performance.
‘Zero Round Trip Time Resumption’ (0-RTT) will make TLSv1.3 faster, as it allows near-instantaneous session resumption (restart) to Connect:Direct nodes. TLSv1.3 uses a pre-shared key to resume a connection, which makes checkpointing and restarting a connection between two Connect:Direct nodes nearly instantaneous.


  2. Cipher specifications simplified:

As stated above, half of the negotiation time has been eliminated for a much faster handshake, and this has also reduced the size of the cipher specification.

TLS 1.2 and its predecessors use cipher suites that include 4 ciphers, for example ECDHE, ECDSA, AES_128_GCM and SHA256.

In TLS 1.3, cipher suites no longer include the key exchange and signature algorithms. Now it’s just the bulk cipher and the hashing algorithm (AES_256_GCM & SHA384).

The biggest drawback of TLSv1.2 is that the many possible cipher combinations make negotiation during the handshake difficult for both parties, and TLSv1.2 provides little guidance on choosing a cipher suite for the best security.

The cipher suites that are valid for TLSv1.2 and earlier protocols are not supported for TLSv1.3.

Connect:Direct for z/OS supports the following TLSv1.3 cipher suites:

    • TLS_AES_128_GCM_SHA256 (1301)
    • TLS_AES_256_GCM_SHA384 (1302)
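
To make the naming difference described above concrete, here is an added example (not code from the original post or from Connect:Direct) that splits IANA cipher suite names into their parts, flags the legacy primitives this post lists as obsoleted, and checks a list against the two TLSv1.3 suites named above. The function names and the sample list are constructed for illustration.

```python
# Added illustration; function names and SAMPLE are constructed, not IBM code.
# The two TLSv1.3 suites this post lists for Connect:Direct for z/OS.
CD_ZOS_TLS13 = {"TLS_AES_128_GCM_SHA256": 0x1301,
                "TLS_AES_256_GCM_SHA384": 0x1302}

def legacy_primitives(cipher, mac):
    """Return the primitives from the post's obsoleted list that a suite uses."""
    t = set(cipher.split("_"))
    checks = [("RC4", "RC4" in t), ("3DES", "3DES" in t), ("DES", "DES" in t),
              ("AES-CBC", {"AES", "CBC"} <= t), ("MD5", mac == "MD5"),
              ("SHA-1", mac == "SHA")]   # a bare "SHA" suffix means SHA-1
    return [label for label, hit in checks if hit]

def parse_suite(name):
    """Split an IANA cipher suite name into the algorithms it names."""
    body = name[4:] if name.startswith("TLS_") else name
    if "_WITH_" in body:                   # TLS 1.2 and earlier: four parts
        left, right = body.split("_WITH_", 1)
        kx, _, auth = left.partition("_")
        auth = auth or kx                  # "RSA" alone is key exchange and auth
        style = "tls1.2-or-earlier"
    else:                                  # TLS 1.3: bulk cipher and hash only
        right, kx, auth, style = body, None, None, "tls1.3"
    # Last token is the hash/MAC (assumes no TLS 1.2 CCM names without one).
    cipher, _, mac = right.rpartition("_")
    return {"name": name, "style": style, "kx": kx, "auth": auth,
            "cipher": cipher, "hash": mac,
            "legacy": legacy_primitives(cipher, mac)}

def audit(configured):
    """Split a configured list into suites usable for TLSv1.3 here and the rest."""
    usable, rest = [], []
    for name in configured:
        info = parse_suite(name)
        ok = info["style"] == "tls1.3" and name in CD_ZOS_TLS13
        (usable if ok else rest).append(info)
    return usable, rest

# Constructed sample list of real IANA cipher suite names.
SAMPLE = ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
          "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_RC4_128_MD5",
          "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"]

if __name__ == "__main__":
    usable, rest = audit(SAMPLE)
    for s in usable:
        print(f"TLSv1.3 OK  {s['name']} (0x{CD_ZOS_TLS13[s['name']]:04X})")
    for s in rest:
        print(f"not usable  {s['name']} [{s['style']}] legacy={s['legacy']}")
```

`TLS_CHACHA20_POLY1305_SHA256` is a valid TLSv1.3 suite but lands in the second list because it is not one of the two suites this post names for Connect:Direct for z/OS.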

  3. Security Improvement:

TLSv1.3 obsoletes all the prior TLS features that were vulnerable to attacks, such as SHA-1, RC4, DES, 3DES, AES-CBC and MD5. Security administrators and developers may find TLSv1.3 is the preferred protocol.
Stroll through the following links for more details on TLSv1.3 introduced in z/OS 2.4, and how Altran is benefiting from it in Connect:Direct for z/OS.

Have a nice TLS connection today!!!