About cookies on this site Our websites require some cookies to function properly (required). In addition, other cookies may be used with your consent to analyze site usage, improve the user experience and for advertising. For more information, please review your options. By visiting our website, you agree to our processing of information as described in IBM’sprivacy statement. To provide a smooth navigation, your cookie preferences will be shared across the IBM web domains listed here.
This is something we will consider implementing as part of a broader update around JSSE capabilities in a future version of MQ.
IBM probably has this on their radar, but please also use the IETF naming standards for the TLS 1.3 CipherSuites for IBM MQ.
TLS 1.3 RFC -> https://tools.ietf.org/html/rfc8446
+------------------------------+-------------+
| Description | Value |
+------------------------------+-------------+
| TLS_AES_128_GCM_SHA256 | {0x13,0x01} |
| TLS_AES_256_GCM_SHA384 | {0x13,0x02} |
| TLS_CHACHA20_POLY1305_SHA256 | {0x13,0x03} |
| TLS_AES_128_CCM_SHA256 | {0x13,0x04} |
| TLS_AES_128_CCM_8_SHA256 | {0x13,0x05} |
+------------------------------+-------------+
This will help prevent the issue we have at TLS 1.2 with the CipherSuite naming issue between IBM and the IETF CipherSuite names. Hopefully, the IBM JSSE is doing this, as well.
After doing more research into the IETF TLS specifications, I have found that it looks like the Oracle JSSE did follow the IETF CipherSuite naming standards, and IBM did not for either the IBM JSSE or IBM MQ queue manager TLS implementations. If this true, I feel the places even more onus on IBM to fix this in a way that is seamless to the customer. The IETF CipherSuite naming standards should be followed by a TLS implementer, in my opinion.
If both IBM/Oracle (and others) all followed the same naming standard for TLS Ciphers/Cipher Specs there would not be any need for a TLS Cipher mapper function in the first place..... Would make life so much easier for all.....
Another possible solution is to just have MQ inquire which ciphers are available rather than worry about the specific provider.
The program at the URL below outputs all available cipher suites for the java it is executed from and puts a * in the first column if they are a default cipher. I tried this with Oracle Java 1.6 and 1.8 and IBM Java 1.6 and 1.7 and they all produced output:
https://confluence.atlassian.com/stashkb/files/679609085/679772359/1/1414093373406/Ciphers.java
With Oracle 1.8 I see this:
java Ciphers|egrep '^\*'
* SSL_DHE_DSS_WITH_3DES_EDE_CBC_SH
* SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
* SSL_RSA_WITH_3DES_EDE_CBC_SHA
* TLS_DHE_DSS_WITH_AES_128_CBC_SHA
* TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
* TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
* TLS_DHE_RSA_WITH_AES_128_CBC_SHA
* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
* TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
* TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
* TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
* TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
* TLS_EMPTY_RENEGOTIATION_INFO_SCSV
* TLS_RSA_WITH_AES_128_CBC_SHA
* TLS_RSA_WITH_AES_128_CBC_SHA256
* TLS_RSA_WITH_AES_128_GCM_SHA256
With IBMs jre included in MQ v8.0.0.10 I see this:
$ /opt/mqm/java/jre64/jre/bin/java Ciphers|egrep '^\*'
* SSL_DHE_DSS_WITH_AES_128_CBC_SHA
* SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
* SSL_DHE_DSS_WITH_AES_256_CBC_SHA
* SSL_DHE_DSS_WITH_AES_256_CBC_SHA256
* SSL_DHE_RSA_WITH_AES_128_CBC_SHA
* SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
* SSL_DHE_RSA_WITH_AES_256_CBC_SHA
* SSL_DHE_RSA_WITH_AES_256_CBC_SHA256
* SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
* SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
* SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
* SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
* SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA
* SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
* SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA
* SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384
* SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA
* SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
* SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA
* SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
* SSL_ECDH_RSA_WITH_AES_128_CBC_SHA
* SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256
* SSL_ECDH_RSA_WITH_AES_256_CBC_SHA
* SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384
* SSL_RSA_WITH_AES_128_CBC_SHA
* SSL_RSA_WITH_AES_128_CBC_SHA256
* SSL_RSA_WITH_AES_256_CBC_SHA
* SSL_RSA_WITH_AES_256_CBC_SHA256
* TLS_EMPTY_RENEGOTIATION_INFO_SCSV