RogerLacroix |
Posted: Fri Jun 26, 2015 10:52 am Post subject: Java SSL headache |
|
|
 Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
|
All,
Note: I'm not an SSL guru - I can barely spell it.
With the security issues (i.e. POODLE) and IBM disabling older SSL Cipher/Spec/Suite, it is difficult to get a Java application to work with a non-IBM JRE.
http://www-01.ibm.com/support/docview.wss?uid=swg21688165
http://www-01.ibm.com/support/docview.wss?uid=swg1IV66840
And then add the discrepancy between MQ Knowledge and IV66840, I'm pulling my hair out.
IV66840 says:
Quote: |
The following WebSphere MQ CipherSuite to CipherSpec mappings have been enabled for WebSphere MQ v8:
CipherSuite --> CipherSpec
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA --> ECDHE_ECDSA_3DES_EDE_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 --> ECDHE_ECDSA_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 --> ECDHE_ECDSA_AES_128_GCM_SHA256
etc... |
But in the MQ v8.0 Knowledge Center (http://www-01.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.dev.doc/q113210_.htm), it says:
Code: |
CipherSpec                       Equivalent CipherSuite
----------                       ----------------------
ECDHE_ECDSA_3DES_EDE_CBC_SHA256  SSL_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
ECDHE_ECDSA_AES_128_CBC_SHA256   SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
ECDHE_ECDSA_AES_128_GCM_SHA256   SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
etc... |
In case you missed it (both are referencing MQ V8.0), one says the CipherSuite should begin with TLS_* and the other one says it should begin with SSL_* for the SAME CipherSpec. Which one is correct?
Help.
Regards,
Roger Lacroix
Capitalware Inc. _________________ Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
fjb_saper |
Posted: Fri Jun 26, 2015 11:15 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
It all depends on whether this is an IBM JVM or not.
Rule of thumb:
- IBM JVM
- TLS cipher suite might not exist
- use SSL cipher suite with FIPS=true
- check out other documentation to confirm
- NON IBM JVM
_________________ MQ & Broker admin |
RogerLacroix |
Posted: Fri Jun 26, 2015 11:28 am Post subject: |
|
|
 Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
|
fjb_saper wrote: |
It all depends on whether this is an IBM JVM or not. |
I did say:
RogerLacroix wrote: |
it is difficult to get a Java application to work with a non-IBM JRE. |
fjb_saper wrote: |
Rule of thumb:
- IBM JVM
- TLS cipher suite might not exist
- use SSL cipher suite with FIPS=true
- check out other documentation to confirm
- NON IBM JVM
|
That almost makes sense. So, the MQ Knowledge Center's list of CipherSpec & CipherSuite are ONLY referencing an IBM JRE.
Whereas APAR IV66840 is referencing non-IBM JRE.
OMG. That is stupid but it does appear to make some sense.
Thank (whatever deity you want), that it is Friday and the NHL hockey draft is on in a couple of hours because I need a beer!!!
Regards,
Roger Lacroix
Capitalware Inc. _________________ Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
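To see which spelling a given JRE actually recognises, here is an added example (not part of the thread or of IBM's documentation) that checks the CipherSuite names quoted above, under both the SSL_ and the TLS_ prefix, against the running JRE's default JSSE context. The class name SuitePrefixCheck is made up for this illustration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;

public class SuitePrefixCheck {
    // CipherSuite names quoted in the thread, with the SSL_/TLS_ prefix removed.
    static final String[] STEMS = {
        "ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
        "ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
        "ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "RSA_FIPS_WITH_3DES_EDE_CBC_SHA",
        "RSA_FIPS_WITH_DES_CBC_SHA"
    };

    // Classify one full suite name against what this JRE's JSSE context offers.
    static String status(String suite, Set<String> supported, Set<String> enabled) {
        if (enabled.contains(suite)) return "enabled";
        if (supported.contains(suite)) return "supported, off by default";
        return "unknown";
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        Set<String> supported = new HashSet<String>(
            Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
        Set<String> enabled = new HashSet<String>(
            Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()));

        // The vendor decides which prefix the JSSE provider uses for its names.
        System.out.println("java.vendor   = " + System.getProperty("java.vendor"));
        System.out.println("java.version  = " + System.getProperty("java.version"));
        System.out.println("JSSE provider = " + ctx.getProvider().getName());

        for (String stem : STEMS) {
            System.out.printf("%-38s SSL_: %-26s TLS_: %s%n", stem,
                status("SSL_" + stem, supported, enabled),
                status("TLS_" + stem, supported, enabled));
        }
    }
}
```

Run it with the same JRE and security configuration that the MQ client application uses. A name reported as unknown cannot be selected on that JRE under that spelling.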
Gaya3 |
Posted: Fri Jun 26, 2015 11:32 am Post subject: |
|
|
 Jedi
Joined: 12 Sep 2006 Posts: 2493 Location: Boston, US
|
This is a big change, even I am also working on this...
good time _________________ Regards
Gayathri
-----------------------------------------------
Do Something Before you Die |
fjb_saper |
Posted: Fri Jun 26, 2015 11:41 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
RogerLacroix wrote: |
it is difficult to get a Java application to work with a non-IBM JRE. |
More so than you know. Early 7.5 JMS needed APARs to get any SSL to work with a non-IBM JVM...
And standard Oracle JVM is not FIPS certified. You could get the nss package but then it's just another point of failure... _________________ MQ & Broker admin |
RogerLacroix |
Posted: Tue Jun 30, 2015 11:02 am Post subject: |
|
|
 Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
|
All,
Does anyone know if the CipherSpecs 'FIPS_WITH_3DES_EDE_CBC_SHA' and 'FIPS_WITH_DES_CBC_SHA' are supported for a non-IBM JRE?
The MQ Knowledge Center says:
Code: |
JRE  CipherSpec                  CipherSuite
---  ----------                  -----------
IBM  FIPS_WITH_3DES_EDE_CBC_SHA  SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
IBM  FIPS_WITH_DES_CBC_SHA       SSL_RSA_FIPS_WITH_DES_CBC_SHA |
But I cannot find any information about non-IBM JREs. I reviewed APAR IV66840 (http://www.ibm.com/support/docview.wss?uid=swg1IV66840) but it does not have anything about those 2 ciphers. Is the following table also true for non-IBM JREs?
Code: |
JRE      CipherSpec                  CipherSuite
---      ----------                  -----------
non-IBM  FIPS_WITH_3DES_EDE_CBC_SHA  SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
non-IBM  FIPS_WITH_DES_CBC_SHA       SSL_RSA_FIPS_WITH_DES_CBC_SHA
|
Any information would be great.
Regards,
Roger Lacroix
Capitalware Inc. _________________ Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
mqjeff |
Posted: Tue Jun 30, 2015 11:21 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
fjb_saper wrote: |
And standard Oracle JVM is not FIPS certified. |
|
RogerLacroix |
Posted: Tue Jun 30, 2015 1:14 pm Post subject: |
|
|
 Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
|
mqjeff wrote: |
fjb_saper wrote: |
And standard Oracle JVM is not FIPS certified. |
|
Yes, I realize that fjb_saper is an authority but I was looking for something more official.
Regards,
Roger Lacroix
Capitalware Inc. _________________ Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
fjb_saper |
Posted: Tue Jun 30, 2015 3:17 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
RogerLacroix wrote: |
All,
Does anyone know if the CipherSpecs 'FIPS_WITH_3DES_EDE_CBC_SHA' and 'FIPS_WITH_DES_CBC_SHA' are supported for a non-IBM JRE?
The MQ Knowledge Center says:
Code: |
JRE  CipherSpec                  CipherSuite
---  ----------                  -----------
IBM  FIPS_WITH_3DES_EDE_CBC_SHA  SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
IBM  FIPS_WITH_DES_CBC_SHA       SSL_RSA_FIPS_WITH_DES_CBC_SHA |
|
AFAIK if you look at the ciphersuites there should be a little index ref that says that those ciphersuites are not FIPS compliant and have been kept for backwards compliance. IIRC they are neither FIPS nor TLS...
RogerLacroix wrote: |
But I cannot find any information about non-IBM JREs. I reviewed APAR IV66840 (http://www.ibm.com/support/docview.wss?uid=swg1IV66840) but it does not have anything about those 2 ciphers. Is the following table also true for non-IBM JREs?
Code: |
JRE      CipherSpec                  CipherSuite
---      ----------                  -----------
non-IBM  FIPS_WITH_3DES_EDE_CBC_SHA  SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
non-IBM  FIPS_WITH_DES_CBC_SHA       SSL_RSA_FIPS_WITH_DES_CBC_SHA
|
Any information would be great.
Regards,
Roger Lacroix
Capitalware Inc. |
Forget anything with the name FIPS in it. It is not FIPS compliant and probably only SSLv3 and not TLS...
In fact if you look at TLS ciphers you'll find the odd one like SSL_RSA_WITH_3DES_CBC_SHA with FIPS set to true and a limit set to the data exchange before needing a new key. Apart from that your best chance is using the AES ciphersuites but they too will need the FIPS flag set... Outside of those you are looking at elliptic curve ciphers. Some of those will probably require a different private key (especially for elliptic curve ciphers). I believe there are only 2 elliptic curve ciphers with the standard RSA key...
Check out developerWorks; there was an article not so long ago about non-IBM JVMs and the corresponding ciphersuites but it required some environment variable to be set...
And remember not to use DE or DHE ciphers... different vulnerability... and half of the elliptic curve ones are part of those...
As to Oracle and FIPS here is part of the official story:
http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/FIPS.html
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm
Quote: |
Conclusion
When SunJSSE is configured in FIPS 140 compliant mode together with an appropriate FIPS 140 certified cryptographic provider, for example Network Security Services (NSS) in its FIPS mode, SunJSSE is FIPS 140 compliant. |
So first you have to integrate Sun JSSE with a certified FIPS crypto provider... good luck with that being an easy thing... Especially if you're already struggling with simple SSL...
Have fun  _________________ MQ & Broker admin |
fjb_saper |
Posted: Wed Jul 01, 2015 4:27 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Your best bet these days is to have your MQ at the level of fixpack specified in http://www.ibm.com/support/docview.wss?uid=swg1IV66840 and use the JVM property and ciphersuite as specified in the note. Coming from Oracle it might be FIPS compliant even though it is not FIPS certified... and remember part of the compliance is to not authorize a non-FIPS-compliant connection from the same JVM... _________________ MQ & Broker admin |
RogerLacroix |
Posted: Fri Jul 03, 2015 3:26 pm Post subject: |
|
|
 Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
|
|