CipherSpec mismatches
Both ends of an IBM MQ TLS channel must use the same CipherSpec. Mismatches can be detected during the TLS handshake or during channel startup.
A CipherSpec identifies the combination of the encryption algorithm and hash function. Both ends of an IBM MQ TLS channel must use the same CipherSpec, although they can specify that CipherSpec in a different manner. Mismatches can be detected at two stages:
- During the TLS handshake
- The TLS handshake fails when the CipherSpec specified by the TLS client is unacceptable to the TLS support at the TLS server end of the connection. A CipherSpec failure during the TLS handshake arises when the TLS client proposes a CipherSpec that is not supported by the TLS provision on the TLS server. For example, when a TLS client running on AIX proposes the DES_SHA_EXPORT1024 CipherSpec to a TLS server running on IBM i.
- During channel startup
- Channel startup fails when there is a mismatch between the CipherSpec defined for the responding end of the channel and the CipherSpec defined for the calling end of channel. Channel startup also fails when only one end of the channel defines a CipherSpec.
See Specifying CipherSpecs for more information.
Note: If Global Server Certificates are used, a mismatch can be detected during channel startup even if the CipherSpecs specified on both channel definitions match.Global Server Certificates are a special type of certificate which require that a minimum level of encryption is established on all the communications links with which they are used. If the CipherSpec requested by the IBM MQ channel configuration does not meet this requirement, the CipherSpec is renegotiated during the TLS handshake. This is detected as a failure during IBM MQ channel startup as the CipherSpec no longer matches the one specified on the channel.
In this case, change the CipherSpec at both sides of the channel to one which meets the requirements of the Global Server Certificate. To establish whether a certificate that has been issued to you is a Global Server Certificate, contact the certificate authority which issued that certificate.
TLS servers do not detect mismatches when an TLS client channel on UNIX, Linux or Windows systems specifies the DES_SHA_EXPORT1024 CipherSpec, and the corresponding TLS server channel on UNIX, Linux or Windows systems is using the DES_SHA_EXPORT CipherSpec. In this case, the channel runs normally.