Renegotiating the secret key

During an SSL handshake a 'secret key' is generated to encrypt data between the SSL client and SSL server. The key can be renegotiated periodically to minimize the amount of encrypted data that can be decrypted if the secret key is discovered.

By default, clients do not renegotiate the SSL secret key. We can make a client renegotiate the key by using the KeyResetCount field in the MQSCO structure on an MQCONNX call or by using the environment variable MQSSLRESET. Both these variables can be set to an integer in the range 0 through 999 999 999, representing the number of unencrypted bytes sent and received within an SSL conversation before the SSL secret key is renegotiated. Specifying a value of 0 for MQSSLRESET or for KeyResetCount indicates that SSL secret keys are never renegotiated. For an MQCONNX call, if both MQSSLRESET and KeyResetCount are specified, the value of the latter is used.

If a value greater than zero is specified and channel heartbeats are enabled for the channel, the secret key is also renegotiated before message data is sent or received following a channel heartbeat.

The count of bytes until the next secret key renegotiation is reset after each successful renegotiation.
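As an added illustration (not code from the WebSphere MQ documentation or product), the following Python models the precedence and byte-counting rules described above; the function and class names are chosen for this example, and the tracker assumes that a `heartbeat()` call only happens when channel heartbeats are enabled for the channel.

```python
# Illustrative model of the renegotiation rules above; added for this page, not MQ client code.
import os

MAX_RESET_COUNT = 999_999_999  # documented upper bound for both settings

def effective_key_reset_count(key_reset_count=None, env=None):
    """Count in effect for an MQCONNX call: MQSCO.KeyResetCount (None if unset)
    takes precedence over MQSSLRESET read from env; 0 means never renegotiate."""
    env = os.environ if env is None else env
    if key_reset_count is not None:
        value = int(key_reset_count)
    elif "MQSSLRESET" in env:
        value = int(env["MQSSLRESET"])
    else:
        value = 0  # client default: the secret key is never renegotiated
    if not 0 <= value <= MAX_RESET_COUNT:
        raise ValueError(f"reset count {value} outside 0..{MAX_RESET_COUNT}")
    return value

class SecretKeyTracker:
    """Tracks unencrypted bytes on one SSL conversation and reports when the
    secret key is renegotiated, including the channel-heartbeat rule."""
    def __init__(self, reset_count):
        self.reset_count = reset_count
        self.bytes_since_reset = 0
        self.heartbeat_pending = False
        self.renegotiations = 0

    def _renegotiate(self):
        self.renegotiations += 1
        self.bytes_since_reset = 0  # byte count restarts after each renegotiation
        self.heartbeat_pending = False

    def heartbeat(self):
        """Channel heartbeat: with a non-zero count, renegotiate before the next data."""
        if self.reset_count > 0:
            self.heartbeat_pending = True

    def transfer(self, nbytes):
        """Record nbytes of message data sent or received; True if renegotiated."""
        if self.reset_count == 0:
            return False  # renegotiation disabled
        renegotiated = self.heartbeat_pending
        if self.heartbeat_pending:
            self._renegotiate()
        self.bytes_since_reset += nbytes
        if self.bytes_since_reset >= self.reset_count:
            self._renegotiate()
            renegotiated = True
        return renegotiated
```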

For full details of the MQCONNX function call and the MQSCO structure, see WebSphere MQ Application Programming Reference. For full details of MQSSLRESET, see MQSSLRESET.
