x3270 x3270

x3270 and SSL

x3270 support secures communication via the Secure Sockets Layer (SSL). (The text below refers to x3270, but the descriptions actually apply to all of the members of the suite.)

x3270 SSL support uses the OpenSSL library. Much of the information below is common to many OpenSSL clients and more extensive documentation is available on the Web.

A secure connection can be negotiated immediately by specifying the L: prefix on the hostname (e.g., L:foo.whatever.net), or can be negotiated later via the TELNET STARTTLS option (which is initiated by the host after the connection has been established).

A Note on PEM Format

PEM (Privacy Enhanced Mail) is a text file format used for SSL certificates and private keys. It is easily recognized by headers like the following:


A certificate is the text between (and including) the BEGIN CERTIFICATE and END CERTIFICATE headers. A private key is the text between (and including) the BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY headers. A PEM-format file can contain multiple certificates and keys.

Options and Resources

SSL is controlled by a number of different command-line options and resources.

Specifying the Server's Root Certificate

If your host's certificate was not signed by a well-known certificate authority (CA), you can configure x3270 to accept it by specifying an alternate set of root certificate(s).

The -cafile option (or the caFile resource) can be used to specify a file containing one or more server root certificates. This file must be in PEM format.

If there are a large number of certificates, the -cadir option (or the caDir resource) can be used to specify a directory containing root certificates. This directory contains files that use the naming convention of hash.seq, where hash is the hash of the certificate value and seq is a sequence number (since multiple certificates could have the same hash) starting with 0.

If your host uses a self-signed certificate, x3270 will not normally allow SSL authentication with it. To allow authentication with self-signed certificates, set the selfSignedOk resource to true.

Updating the Root Certificate Database

To avoid having to specify a root certificate for each invocation of x3270, one or more certificates can be added to the OpenSSL root certificate database. On Linux and Unix, this procedure is (unfortunately) an operating-system- and release- specific procedure. However, the OpenSSL root certificate database is common to all OpenSSL applications on your workstation, so instructions on updating it should be easily found on the web.

On Windows, the root certificate database used by wc3270, ws3270 and wpr3287 is installed as part of the setup procedure and updating it is documented below.

The root certificate database is a PEM-format text file called root-certs.txt. The file is located in the wc3270 installation directory (usually C:\Program Files\wc3270, but it can vary with with Windows installations and languages). You can add your root certificate (which must be in PEM format) to this file with a text editor such as Notepad.

Specifying a Certificate for the Client (the Emulator)

If you have been issued a certificate and a private key to allow your client (the emulator) to be authenticated by your host, there are several options that allow this to be specified to x3270.

The -certfile option (or the certFile resource) defines a file containing the client certificate. By default, this file is in PEM format, but it can also be in ASN1 format, which is specified by setting the -certfiletype option (or the certFileType resource) to the value asn1.

The -chainfile option (or the chainFile resource) defines a PEM-format file containing both the client certificate and any intermediate certificates that were used to sign it. If a chain file is specified, it is used instead of the certificate file.

Specifying the Private Key for the Client Certificate

The file containing the private key for the client certificate can be specified by the -keyfile option or the keyFile resource. This file is in PEM format by default, but can be in ASN1 format, by specifying the -keyfiletype option or the keyFileType resource with the value asn1.

If no explicit key file is specified, the default is to find the private key in the chain file or the client certificate file (whichever was specified).

If the private key is encrypted, then a password must be specified. The password is given with the -keypasswd option or the keyPasswd resource. The password can have one of two formats. The format file:filename specifies a file containing the password. The format string:string specifies the password as a string in the option or resource directly.

Controlling Host Certificate Verification

By default, host SSL certificates are not verified. To enable host certificate verification, set the verifyHostCert resource to true or specify the -verifycert option.

When host certificates are verified, self-signed certificates are not allowed. To allow self-signed host certificates, set the selfSignedOk resource to true or specify the -selfsignedok option.

Also, when host certificates are verified, the name in the host's SSL certificate is checked. This check can be controlled by the acceptHostname resource or the -accepthostname option. The value can be any, which disables hostname checking, DNS:hostname, which matches a specific symbolic hostname, or IP:address, which matches a particular IPv4 or IPv6 numeric address.

Windows and the OpenSSL DLLs

wc3270, ws3270 and wpr3287 will not allow secure connections without the OpenSSL DLLs installed on your workstation. These DLLs are not part of the wc3270 installation -- installing them is a completely separate process.

The Windows OpenSSL DLLs for wc3270 are available here:


The specific files to download are:

   https://slproweb.com/download/Win32OpenSSL_Light-1_1_0d.exe (for 32-bit Windows)
   https://slproweb.com/download/Win64OpenSSL_Light-1_1_0d.exe (for 64-bit Windows)