Understanding CipherSpec mismatches
A CipherSpec identifies the combination of the encryption algorithm and hash function. Both ends of a WebSphere MQ SSL channel must use the same CipherSpec, although they can specify that CipherSpec in a different manner. Mismatches can be detected at two stages:
- During the SSL handshake
  The SSL handshake fails when the CipherSpec specified by the SSL client is unacceptable to the SSL support at the SSL server end of the connection. A CipherSpec failure during the SSL handshake arises when the SSL client proposes a CipherSpec that is not supported by the SSL provision on the SSL server. For example:
  - When an SSL client running on AIX proposes the TLS_RSA_WITH_AES_128_CBC_SHA CipherSpec to an SSL server running on OS/390
  - When an SSL server running on Windows requires a security upgrade
    The SSL handshake fails when an SSL client running on Windows specifies a CipherSpec for which that client requires a security upgrade. This failure occurs if a WebSphere MQ CipherSpec requires 128 or more encryption bits.
    If you require a CipherSpec that uses 128 or more encryption bits, and the Windows system does not support that cipher strength, download the appropriate upgrade from Microsoft. For Windows 2000, the security upgrade package is the Windows 2000 High Encryption Pack. For Windows NT, upgrade to Internet Explorer Version 6, or Version 5.5 with Service Pack 2. Windows XP is supplied with high encryption support.
- During channel startup
  Channel startup fails when there is a mismatch between the CipherSpec defined for the responding end of the channel and the CipherSpec defined for the calling end of the channel. Channel startup also fails when only one end of the channel defines a CipherSpec.
  Refer to Specifying CipherSpecs for more information.
Note: SSL servers do not detect mismatches in the following circumstances:
- When an SSL client channel on UNIX specifies the DES_SHA_EXPORT1024 CipherSpec and the corresponding SSL server channel on UNIX is using the DES_SHA_EXPORT CipherSpec
- When an SSL client channel on UNIX specifies the DES_SHA_EXPORT1024 CipherSpec and the corresponding SSL server channel on Windows is using the DES_SHA_EXPORT CipherSpec
- When an SSL client channel on Windows specifies the DES_SHA_EXPORT CipherSpec and the corresponding SSL server channel on UNIX is using the DES_SHA_EXPORT1024 CipherSpec
WebSphere MQ does not detect these mismatches for one or both of the following reasons:
- WebSphere MQ cannot change the handshake key size at channel start on Windows systems, so WebSphere MQ for Windows does not support the DES_SHA_EXPORT1024 CipherSpec. The operating system SSL support might set the handshake key size to 1024 bits based, for example, on information held in the certificates.
- On all platforms, the SSL support cannot detect which platform is at the other end of the SSL channel.
In these circumstances, the channel runs normally.
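Because the mismatches in the note above go unreported by the channel itself, they can only be found by comparing the definitions at both ends. The following is an added example, not IBM code: it reads the SSLCIPH attribute from DISPLAY CHANNEL output collected at each end and classifies every channel by the rules on this page. The function names, the "unix"/"windows" platform labels, the channel names and the sample output are constructed for illustration.

```python
import re

# The three combinations the page lists as undetected, as
# (client platform, client CipherSpec, server platform, server CipherSpec).
UNDETECTED = {
    ("unix", "DES_SHA_EXPORT1024", "unix", "DES_SHA_EXPORT"),
    ("unix", "DES_SHA_EXPORT1024", "windows", "DES_SHA_EXPORT"),
    ("windows", "DES_SHA_EXPORT", "unix", "DES_SHA_EXPORT1024"),
}

def parse_sslciph(display_output):
    """Map channel name -> SSLCIPH value ('' if blank) from DISPLAY CHANNEL text."""
    specs, current = {}, None
    for attr, value in re.findall(r"(\w+)\(([^)]*)\)", display_output):
        if attr == "CHANNEL":
            current = value
            specs[current] = ""
        elif attr == "SSLCIPH" and current is not None:
            specs[current] = value.strip().strip("'")
    return specs

def audit(client_out, client_platform, server_out, server_platform):
    """Classify every channel defined at both ends using the page's rules."""
    client, server = parse_sslciph(client_out), parse_sslciph(server_out)
    report = {}
    for name in sorted(client.keys() & server.keys()):
        c, s = client[name], server[name]
        if c == s:
            report[name] = "match" if c else "no CipherSpec at either end"
        elif not c or not s:
            report[name] = "startup fails: only one end defines a CipherSpec"
        elif (client_platform, c, server_platform, s) in UNDETECTED:
            report[name] = "undetected mismatch: channel runs normally"
        else:
            report[name] = "startup fails: CipherSpec mismatch"
    return report

# Constructed sample output, not captured from a real queue manager.
CLIENT_OUT = """AMQ8414: Display Channel details.
   CHANNEL(QM1.TO.QM2)  CHLTYPE(SDR)  SSLCIPH(DES_SHA_EXPORT1024)
   CHANNEL(QM1.PAY)  CHLTYPE(SDR)  SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA)
   CHANNEL(QM1.HR)  CHLTYPE(SDR)  SSLCIPH(TRIPLE_DES_SHA_US)"""
SERVER_OUT = """AMQ8414: Display Channel details.
   CHANNEL(QM1.TO.QM2)  CHLTYPE(RCVR)  SSLCIPH(DES_SHA_EXPORT)
   CHANNEL(QM1.PAY)  CHLTYPE(RCVR)  SSLCIPH( )
   CHANNEL(QM1.HR)  CHLTYPE(RCVR)  SSLCIPH(TRIPLE_DES_SHA_US)"""

if __name__ == "__main__":
    for name, verdict in audit(CLIENT_OUT, "unix", SERVER_OUT, "windows").items():
        print(f"{name}: {verdict}")
```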