Discussion:
SSL vs TLS cipherspec on channels
Umapathy Subburam
2014-09-24 15:20:43 UTC
Permalink
Hi,

I have a JMS application that currently uses SSL_RSA_WITH_DES_CBC_SHA ciphersuite to connect to a queue manager. The SVRCONN channel has DES_SHA_EXPORT as the cipher. This works fine.

With DES_SHA_EXPORT is no more supported on MQ 8, I am trying whether I can use the same ciphersuite but switch to a different cipherspec. Setting SVRCONN channel cipherspec to TLS_RSA_WITH_DES_CBC_SHA doesn't work.
The qmgr is running 7.0.1.11

Qmgr reports
AMQ9631: The CipherSpec negotiated during the SSL handshake does not match the
required CipherSpec for channel 'S_ACPTTEST2'.

EXPLANATION:
There is a mismatch between the CipherSpecs on the local and remote ends of
channel 'S_ACPTTEST2'. The channel will not run until this mismatch is
resolved. The CipherSpec required in the local channel definition is
'TLS_RSA_WITH_DES_CBC_SHA'. The name of the CipherSpec negotiated during the
SSL handshake is 'DES_SHA_EXPORT'. A code is displayed if the name of the
negotiated CipherSpec cannot be determined.

So I suspect the SSL protocol is still in use. How and/or where can I set the protocol to TLS?
Sun JDK 7.65 is used. (I thought TLS is the default in Sun JDK)

JMS gets its connectionfactory et all configuration from a JNDI file based bindings file (generated through JMSAdmin). There, the ciphersuite is set to SSL_RSA_WITH_DES_CBC_SHA.
The keystore and certificates are self signed and generated through gsk7cmd.

TLS is supported for this ciphersuite in MQ 7. http://www-01.ibm.com/support/knowledgecenter/SSFKSJ_7.0.1/com.ibm.mq.xms.doc/concepts/xms_csecure_mapping_wpm.html?lang=en

Thanks in advance for any help.

Umapathy

Java Developer / MQ Administrator


**********************************************************************

Satellite Information Services Limited. Registered Office: Whitehall Avenue, Kingston, Milton Keynes, Buckinghamshire, MK10 0AX. Company No. 4243307

The information in this email (which includes any files transmitted with it) is confidential and is intended for the addressee only. Unauthorized recipients are required to maintain confidentiality. If you have received this email in error please notify the sender immediately, destroy any copies and delete it from your computer system.

**********************************************************************

To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org and,
in the message body (not the subject), write: SIGNOFF MQSERIES
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html
T.Rob
2014-09-24 16:08:37 UTC
Permalink
Hi Umpathy,



You may have noticed that web sites listen on port 80 for HTTP and port 443
for SSL. The reason for this is that SSL had no way to switch from
plaintext to encryption on the fly. If you contacted a listener that needed
SSL you had to do so with an SSL connection.



Note how this differs from WMQ which has *always* accepted both plaintext
and encrypted connections on the same port. Since this is not possible with
SSL, the implication is that WebSphere MQ has *always* used TLS. Of course,
the TLS handshake has allowed SSL ciphers all along so it isn't a question
of how to turn on TLS but rather a question of finding a cipher[spec|suite]
that is mutually supported on both the client and the server. It sounds
like you are connecting between v8.0 and v7.0.1.11. I'd recommend
consulting the v7.0 and the v8.0 Knowledge Centers to find a mutually
agreeable cipher.



V7.0:
http://www-01.ibm.com/support/knowledgecenter/SSFKSJ_7.0.1/com.ibm.mq.csqzas
.doc/sy12870_.htm?lang=en



V8.0:
http://www-01.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.sec.do
c/q014260_copy.htm?lang=en



An easy way to narrow down the search is to look for TLS 1.0 entries since
at the time of v7.0 TLS 1.2 wasn't supported. The
TLS_RSA_WITH_3DES_EDE_CBC_SHA cipherspec is available at both versions.
Would that be acceptable? Note that the mapping of the Cipherspec to the
Ciphersuite is different between v7.0 and v8.0 as described here:

http://www-01.ibm.com/support/knowledgecenter/SSFKSJ_7.0.1/com.ibm.mq.csqzaw
.doc/jm34740_.htm?lang=en

http://www-01.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.dev.do
c/q113220_.htm?lang=en



Despite the slight naming difference, it should work on Linux and Windows,
as well as other combinations if one end is v8.0.



Kind regards,

-- T.Rob



T.Robert Wyatt, Managing partner

IoPT Consulting, LLC

+1 704-443-TROB

https://ioptconsulting.com

https://twitter.com/tdotrob



From: MQSeries List [mailto:MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org] On Behalf Of
Umapathy Subburam
Sent: Wednesday, September 24, 2014 11:21 AM
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org
Subject: SSL vs TLS cipherspec on channels



Hi,



I have a JMS application that currently uses SSL_RSA_WITH_DES_CBC_SHA
ciphersuite to connect to a queue manager. The SVRCONN channel has
DES_SHA_EXPORT as the cipher. This works fine.



With DES_SHA_EXPORT is no more supported on MQ 8, I am trying whether I can
use the same ciphersuite but switch to a different cipherspec. Setting
SVRCONN channel cipherspec to TLS_RSA_WITH_DES_CBC_SHA doesn't work.

The qmgr is running 7.0.1.11



Qmgr reports

AMQ9631: The CipherSpec negotiated during the SSL handshake does not match
the

required CipherSpec for channel 'S_ACPTTEST2'.



EXPLANATION:

There is a mismatch between the CipherSpecs on the local and remote ends of

channel 'S_ACPTTEST2'. The channel will not run until this mismatch is

resolved. The CipherSpec required in the local channel definition is

'TLS_RSA_WITH_DES_CBC_SHA'. The name of the CipherSpec negotiated during the

SSL handshake is 'DES_SHA_EXPORT'. A code is displayed if the name of the

negotiated CipherSpec cannot be determined.



So I suspect the SSL protocol is still in use. How and/or where can I set
the protocol to TLS?

Sun JDK 7.65 is used. (I thought TLS is the default in Sun JDK)



JMS gets its connectionfactory et all configuration from a JNDI file based
bindings file (generated through JMSAdmin). There, the ciphersuite is set
to SSL_RSA_WITH_DES_CBC_SHA.

The keystore and certificates are self signed and generated through gsk7cmd.



TLS is supported for this ciphersuite in MQ 7.
http://www-01.ibm.com/support/knowledgecenter/SSFKSJ_7.0.1/com.ibm.mq.xms.do
c/concepts/xms_csecure_mapping_wpm.html?lang=en



Thanks in advance for any help.



Umapathy



Java Developer / MQ Administrator



_____

Satellite Information Services Limited. Registered Office: Whitehall Avenue,
Kingston, Milton Keynes, Buckinghamshire, MK10 0AX. Company No. 4243307

The information in this email (which includes any files transmitted with it)
is confidential and is intended for the addressee only. Unauthorized
recipients are required to maintain confidentiality. If you have received
this email in error please notify the sender immediately, destroy any copies
and delete it from your computer system.

_____





_____

List Archive <http://listserv.meduniwien.ac.at/archives/mqser-l.html> -
Manage Your List Settings
<http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1> -
Unsubscribe
<mailto:LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org?subject=Unsubscribe&BODY=signoff%
20mqseries>

Instructions for managing your mailing list subscription are provided in the
Listserv General Users Guide available at http://www.lsoft.com
<http://www.lsoft.com/resources/manuals.asp>


To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org and,
in the message body (not the subject), write: SIGNOFF MQSERIES
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html
Umapathy Subburam
2014-09-24 21:06:54 UTC
Permalink
Thanks T.Rob.

I have always thought that TLS was the default on the listener as it can fall back for SSL connections. Thanks for explaining.
Indeed I have mixed it up. Both the client and server were on v7 and I tried a v7.5 client too. Shuffling through different knowledge centres was tiring at best :)

The link I quoted for v7 indeed has different cipher suites for the cipherspecs I was trying. I didn't notice. Thanks for taking the pain to clear it.
SSL_RSA_WITH_DES_CBC_SHA

DES_SHA_EXPORT

TLS_RSA_WITH_DES_CBC_SHA

TLS_RSA_WITH_DES_CBC_SHA


I will wait for a machine where I can install v8 and try.
Thank you.

Umapathy Subburam
Java Developer/MQ Administrator

From: MQSeries List [mailto:MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org] On Behalf Of T.Rob
Sent: 24 September 2014 17:09
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org
Subject: Re: SSL vs TLS cipherspec on channels

Hi Umpathy,

You may have noticed that web sites listen on port 80 for HTTP and port 443 for SSL. The reason for this is that SSL had no way to switch from plaintext to encryption on the fly. If you contacted a listener that needed SSL you had to do so with an SSL connection.

Note how this differs from WMQ which has *always* accepted both plaintext and encrypted connections on the same port. Since this is not possible with SSL, the implication is that WebSphere MQ has *always* used TLS. Of course, the TLS handshake has allowed SSL ciphers all along so it isn't a question of how to turn on TLS but rather a question of finding a cipher[spec|suite] that is mutually supported on both the client and the server. It sounds like you are connecting between v8.0 and v7.0.1.11. I'd recommend consulting the v7.0 and the v8.0 Knowledge Centers to find a mutually agreeable cipher.

V7.0: http://www-01.ibm.com/support/knowledgecenter/SSFKSJ_7.0.1/com.ibm.mq.csqzas.doc/sy12870_.htm?lang=en

V8.0: http://www-01.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.sec.doc/q014260_copy.htm?lang=en

An easy way to narrow down the search is to look for TLS 1.0 entries since at the time of v7.0 TLS 1.2 wasn't supported. The TLS_RSA_WITH_3DES_EDE_CBC_SHA cipherspec is available at both versions. Would that be acceptable? Note that the mapping of the Cipherspec to the Ciphersuite is different between v7.0 and v8.0 as described here:
http://www-01.ibm.com/support/knowledgecenter/SSFKSJ_7.0.1/com.ibm.mq.csqzaw.doc/jm34740_.htm?lang=en
http://www-01.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.dev.doc/q113220_.htm?lang=en

Despite the slight naming difference, it should work on Linux and Windows, as well as other combinations if one end is v8.0.

Kind regards,
-- T.Rob

T.Robert Wyatt, Managing partner
IoPT Consulting, LLC
+1 704-443-TROB
https://ioptconsulting.com
https://twitter.com/tdotrob

From: MQSeries List [mailto:MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org]<mailto:[mailto:MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org]> On Behalf Of Umapathy Subburam
Sent: Wednesday, September 24, 2014 11:21 AM
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org<mailto:MQSERIES-0lvw86wZMd9k/***@public.gmane.orgAC.AT>
Subject: SSL vs TLS cipherspec on channels

Hi,

I have a JMS application that currently uses SSL_RSA_WITH_DES_CBC_SHA ciphersuite to connect to a queue manager. The SVRCONN channel has DES_SHA_EXPORT as the cipher. This works fine.

With DES_SHA_EXPORT is no more supported on MQ 8, I am trying whether I can use the same ciphersuite but switch to a different cipherspec. Setting SVRCONN channel cipherspec to TLS_RSA_WITH_DES_CBC_SHA doesn't work.
The qmgr is running 7.0.1.11

Qmgr reports
AMQ9631: The CipherSpec negotiated during the SSL handshake does not match the
required CipherSpec for channel 'S_ACPTTEST2'.

EXPLANATION:
There is a mismatch between the CipherSpecs on the local and remote ends of
channel 'S_ACPTTEST2'. The channel will not run until this mismatch is
resolved. The CipherSpec required in the local channel definition is
'TLS_RSA_WITH_DES_CBC_SHA'. The name of the CipherSpec negotiated during the
SSL handshake is 'DES_SHA_EXPORT'. A code is displayed if the name of the
negotiated CipherSpec cannot be determined.

So I suspect the SSL protocol is still in use. How and/or where can I set the protocol to TLS?
Sun JDK 7.65 is used. (I thought TLS is the default in Sun JDK)

JMS gets its connectionfactory et all configuration from a JNDI file based bindings file (generated through JMSAdmin). There, the ciphersuite is set to SSL_RSA_WITH_DES_CBC_SHA.
The keystore and certificates are self signed and generated through gsk7cmd.

TLS is supported for this ciphersuite in MQ 7. http://www-01.ibm.com/support/knowledgecenter/SSFKSJ_7.0.1/com.ibm.mq.xms.doc/concepts/xms_csecure_mapping_wpm.html?lang=en

Thanks in advance for any help.

Umapathy

Java Developer / MQ Administrator

________________________________

Satellite Information Services Limited. Registered Office: Whitehall Avenue, Kingston, Milton Keynes, Buckinghamshire, MK10 0AX. Company No. 4243307

The information in this email (which includes any files transmitted with it) is confidential and is intended for the addressee only. Unauthorized recipients are required to maintain confidentiality. If you have received this email in error please notify the sender immediately, destroy any copies and delete it from your computer system.

________________________________


________________________________
List Archive<http://listserv.meduniwien.ac.at/archives/mqser-l.html> - Manage Your List Settings<http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1> - Unsubscribe<mailto:LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org?subject=Unsubscribe&BODY=signoff%20mqseries>

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com<http://www.lsoft.com/resources/manuals.asp>

________________________________
List Archive<http://listserv.meduniwien.ac.at/archives/mqser-l.html> - Manage Your List Settings<http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1> - Unsubscribe<mailto:LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org?subject=Unsubscribe&BODY=signoff%20mqseries>

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com<http://www.lsoft.com/resources/manuals.asp>


**********************************************************************

Satellite Information Services Limited. Registered Office: Whitehall Avenue, Kingston, Milton Keynes, Buckinghamshire, MK10 0AX. Company No. 4243307

The information in this email (which includes any files transmitted with it) is confidential and is intended for the addressee only. Unauthorized recipients are required to maintain confidentiality. If you have received this email in error please notify the sender immediately, destroy any copies and delete it from your computer system.

**********************************************************************

To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org and,
in the message body (not the subject), write: SIGNOFF MQSERIES
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html

Loading...