TLS support for the managed .NET client

The managed .NET client uses the Microsoft.NET Framework libraries to implement TLS secure socket protocols. The Microsoft System.Net.SecuritySslStream class operates as a stream over connected TCP sockets and sends and receives data over that socket connection.

The minimum required .NET Framework level is .NET Framework v3.5. The level of Cipher Algorithm support is based on the .NET Framework level that the application is using.

  • For applications that are based on .NET Framework level 3.5 and v4.0, the available secure socket protocols are SSLv3.0 and TSL v1.0.
  • For applications that are based on .NET Framework level4.5, the available secure socket protocols are SSLv3.0, TLS v1.1 and TLSv1.2.
You might need to move applications that expect higher TLS protocol support to a later version of the framework as defined for Microsoft Security support in the .NET Framework.

The main features of TLS support for the managed .NET client are as follows:

    TLS protocol support
    TLS support for the .NET managed client is defined through the .NET SSLStream class, and depends on the .NET Framework that the application is using. For more information see TLS protocol support for the managed .NET client.

    CipherSpec support
    The TLS settings for the .NET managed client are as for the Microsoft.NET TLS steams. For more information see CipherSpec support for the managed .NET client and CipherSpec mappings for the managed .NET client.

    Key repositories
    The key repository on the client side is a Windows keystore. The server side repository is a Cryptographic Message Syntax (CMS) type of repository. For more information see Key repositories for the managed .NET client.

    Certificates
    We can use self-signed TLS certificates to implement mutual authentication between a client and a queue manager. For more information see Use certificates for the managed .NET client.

    SSLPEERNAME
    In .NET, applications can use the optional SSLPEERNAME attribute to specify a Distinguished Name (DN) pattern. For more information see SSLPEERNAME.

    FIPS compliance
    Enabling FIPS programmatically is not supported by the Microsoft.NET Security library. FIPS enablement is controlled by the Windows Group Policy setting.

    NSA Suite B compliance
    IBM MQ implements RFC 6460. The Microsoft.NET implementation for NSA suite B is 5430. This is supported from .NET Framework 3.5 onwards.

    Secret key reset or renegotiation
    Although the SSLStream class does not support secret key resetting or renegotiation, for consistency with other IBM MQ clients, the .NET managed client allows applications to set SSLKeyResetCount. For more information see Secret key reset or renegotiation.

    Revocation check
    The SSLStream class supports certificate revocation checking, which is automatically done by the certificate chaining engine. For more information see Revocation check.

    IBM MQ security exit support
    The SSLStream class provides limited support for IBM MQ security exits. Querying local and remote certificates to get SSLPeerNamePtr(Subject DN) and SSLRemCertIssNamePtr (Issuer DN) is possible since this is supported in Microsoft.NET. However, there is no support for getting attributes like DNQ, UNSTRUCTUREDNAME and UNSTRUCTUREDADDRESS, so these values cannot be retrieved using the exits.

    Cryptographic hardware support
    Cryptographic hardware is not supported for the managed .NET client.