IBM WebSphere XS40 Command Reference Manual page 260

DataPower XML Security Gateway

Optionally, each cipher keyword can be preceded by the following
characters:

!    Permanently deletes the cipher from the list. Even if you explicitly
     add the cipher to the list, it can never reappear in the list.
-    Deletes the cipher from the list. You can add this cipher again.
+    Moves the cipher to the end of the list. The + character moves
     existing ciphers; it does not add them.

If none of these characters is present, the string is interpreted as a list of
ciphers to be appended to the current list. If the list includes a cipher that
is already in the list, that cipher is ignored. That is, existing ciphers are not
moved to the end of the list.

Additionally, the cipher string can contain the @STRENGTH keyword at any
point to sort the cipher list in order of encryption algorithm key length.

options options-mask
Optionally enables various SSL options for the Crypto Profile. Use the
string value or specify a hexadecimal representation of a 32-bit mask that
identifies specific supported SSL options. Table 6 lists the available options.

Table 6. SSL options as string and hexadecimal representation

String value      Hexadecimal representation   Description
OpenSSL-default   0x000FFFFF                   Default value
Disable-SSLv2     0x01000000                   Disallows the use of SSL version 2
Disable-SSLv3     0x02000000                   Disallows the use of SSL version 3
Disable-TLSv1     0x04000000                   Disallows the use of TLS version 1

When using hexadecimal representation, use a logical OR to modify the
behavior during the SSL handshake. When using the string value, use a +
character to join values. For example, to disallow both SSL version 2 and
TLS version 1, enter one of the following values:

Hexadecimal   0x05000000
String        Disable-SSLv2+Disable-TLSv1

Guidelines
A Crypto Profile defines a level of SSL service. When you create an SSL Proxy
Profile with the sslproxy command, you assign a Crypto Profile to the SSL Proxy
Profile.
Before creating a Crypto Profile to use with an SSL server, use the certificate
command with the key and idcred commands to create an Identification
Credentials object. This set of credentials consists of a certificate, which
contains a public key, and the corresponding private key.
A Crypto Profile optionally uses a Validation Credentials object to validate
certificates that are received from remote SSL peers.
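
The following Python code is an added example, not part of the IBM manual: it converts an options value in either the string or the hexadecimal form of Table 6 into its 32-bit mask and reports which protocol versions that mask still allows. The function names, the exact-match handling of option names, and the review policy in audit() (flagging SSLv2 and SSLv3) are assumptions made for illustration.

```python
# Added example: decode a Crypto Profile "options" value (string or hex form).
# Bit values are the ones listed in Table 6 of this page.
OPTIONS = {
    "OpenSSL-default": 0x000FFFFF,
    "Disable-SSLv2": 0x01000000,
    "Disable-SSLv3": 0x02000000,
    "Disable-TLSv1": 0x04000000,
}
# Protocol versions the page's options can switch off, oldest first.
PROTOCOL_BITS = {"SSLv2": 0x01000000, "SSLv3": 0x02000000, "TLSv1": 0x04000000}
KNOWN_BITS = 0x000FFFFF | 0x07000000


def parse_options(value):
    """Return the 32-bit mask for a string ('A+B') or hexadecimal ('0x...') value."""
    value = value.strip()
    if value.lower().startswith("0x"):
        mask = int(value, 16)
        if mask > 0xFFFFFFFF:
            raise ValueError("options mask must fit in 32 bits")
        return mask
    mask = 0
    for name in value.split("+"):
        if name not in OPTIONS:  # e.g. a missing hyphen in the option name
            raise ValueError(f"unknown SSL option: {name!r}")
        mask |= OPTIONS[name]  # joining with + is a logical OR of the bits
    return mask


def allowed_protocols(mask):
    """Protocol versions that the mask does NOT disable."""
    return [p for p, bit in PROTOCOL_BITS.items() if not mask & bit]


def audit(value):
    """Return review findings for one options value (assumed policy, see lead-in)."""
    mask = parse_options(value)
    findings = [f"{p} still allowed" for p in allowed_protocols(mask)
                if p in ("SSLv2", "SSLv3")]
    if mask & ~KNOWN_BITS:
        findings.append(f"bits outside Table 6: {mask & ~KNOWN_BITS:#010x}")
    return findings


if __name__ == "__main__":
    # Constructed sample values; the first two are the example given in the text.
    for sample in ("Disable-SSLv2+Disable-TLSv1", "0x05000000", "0x030FFFFF"):
        print(sample, hex(parse_options(sample)), audit(sample))
```

Run against the manual's own example value, the audit shows that 0x05000000 leaves SSL version 3 as the only protocol version not disabled by these options.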
