The Transport Layer Security (TLS) 1.0 protocol is a standard security
protocol, that provides secure communication over the Internet.
CICS supports two security protocols that can
be used to provide secure communication over the Internet. The first is the
Secure Sockets Layer (SSL) 3.0 protocol. The second is the Transport Layer
Security (TLS) 1.0 protocol, which is the latest industry standard SSL protocol
and is based on SSL 3.0. The TLS 1.0 specification is documented in RFC2246
and is available on the Internet at www.rfc-editor.org/rfcsearch.html. Any connections
that require encryption will automatically use the TLS protocol, unless the
client specifically requires SSL 3.0. 

The primary aim of TLS is to make the Secure Sockets
Layer more secure and to make the specification of the protocol more precise
and complete. TLS provides the following enhancements over SSL 3.0:
- Key-Hashing for Message Authentication
- TLS uses Key-Hashing for Message Authentication Code (HMAC), which ensures
that a record cannot be altered while travelling over an open network such
as the Internet. SSL Version 3.0 also provides keyed message authentication,
but HMAC is considered more secure than the (Message Authentication Code)
MAC function that SSL Version 3.0 uses.
- Enhanced Pseudorandom Function (PRF)
- PRF is used for generating key data. In TLS, the PRF is defined with the
HMAC. The PRF uses two hash algorithms in a way that guarantees its security.
If either algorithm is exposed then the data remains secure as long as the
second algorithm is not exposed.
- Improved finished message verification
- Both TLS 1.0 and SSL 3.0 provide a finished message to both endpoints
that authenticates that the exchanged messages were not altered. However,
TLS bases this finished message on the PRF and HMAC values, which is more
secure than SSL Version 3.0.
- Consistent certificate handling
- Unlike SSL 3.0, TLS attempts specify the type of certificate which must
be exchanged between TLS implementations.
- Specific alert messages
- TLS provides more specific and additional alerts to indicate problems
that either session endpoint detects. TLS also documents when certain alerts
should be sent.
