Why special CipherSuite and CipherSpec in MQ SSL
Armageddon123
Posted: Tue Apr 10, 2018 12:35 pm Post subject: Why special CipherSuite and CipherSpec in MQ SSL
Acolyte
Joined: 11 Feb 2014 Posts: 61
Hi Experts.
In most SSL setups, for example IIB, we create a keystore and truststore, associate them with the broker, set up the HTTPS port, and we are done.
For MQ only, apart from the keystore and truststore setup, we have to specify the CipherSuite/CipherSpec on the channel and also in the client Java code.
props.put(MQConstants.SSL_CIPHER_SUITE_PROPERTY, "SSL_RSA_WITH_AES_128_CBC_SHA");
The link below explains the issues with CipherSpec/CipherSuite mismatches etc., but I could not understand why we really need to provide it in the first place.
https://www.ibm.com/developerworks/community/blogs/messaging/entry/BiteSize_Blogging_MQ_Version_8_The_relationship_between_MQ_CipherSpecs_and_Java_Cipher_Suites?lang=en
Is this a special implementation of SSL/TLS for MQ which needs these CipherSuites, or am I missing some basics?!!!!
Thanks!
exerk
Posted: Wed Apr 11, 2018 1:32 am
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
Browsers have an inbuilt list of Cipher Specs, and negotiate down that list until they find a mutually supported one, which can take some time - perhaps IIB uses the same principle? (CAVEAT: The limit of my knowledge with IIB is the ability to spell it!).
Imagine how much faster it would be if you didn't have to do that and used a specific Cipher Spec, or at least a limited list.
No doubt someone will be along that will put us both right soon...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
zpat
Posted: Wed Apr 11, 2018 10:15 pm
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
I seem to recall this is changing in more recent MQ versions.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
bruce2359
Posted: Thu Apr 12, 2018 4:11 am
Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
exerk wrote: "Browsers have an inbuilt list of Cipher Specs, and negotiate down that list until they find a mutually supported one ..."
This browser behavior is a well-documented security exposure, as the client end can specify the weakest spec, and the server end will reduce its spec to that level.
MQ allows one spec, the same spec, at both ends, the one explicitly defined in channel definitions - no negotiation.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
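The contrast described in the post above, as an added example that is not part of the original thread and not IBM's code: a simplified model of list-based selection versus a single CipherSpec fixed on the channel, plus a check of a client CipherSuite against channel definitions. The MQSC text, channel names, function names and the one-entry CipherSpec-to-CipherSuite table are constructed assumptions; the client suite is the one from the first post.

```python
import re

# Assumption: the IBM-JRE CipherSuite from the first post and the MQ CipherSpec
# name it corresponds to. Extend this table from IBM's published mapping.
SPEC_TO_SUITE = {"TLS_RSA_WITH_AES_128_CBC_SHA": "SSL_RSA_WITH_AES_128_CBC_SHA"}

# Constructed MQSC sample; channel names and attributes are illustrative.
MQSC = """\
DEFINE CHANNEL(APP.SVRCONN) CHLTYPE(SVRCONN) +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) SSLCAUTH(REQUIRED)
DEFINE CHANNEL(ADMIN.SVRCONN) CHLTYPE(SVRCONN)
"""

def channel_specs(mqsc):
    """Return {channel: SSLCIPH or None}, joining MQSC '+' continuation lines."""
    joined = re.sub(r"\+\s*\n\s*", "", mqsc)
    specs = {}
    for line in joined.splitlines():
        name = re.search(r"DEFINE\s+CHANNEL\(([^)]+)\)", line, re.I)
        if not name:
            continue
        ciph = re.search(r"SSLCIPH\(([^)]*)\)", line, re.I)
        value = ciph.group(1).strip(" '") if ciph else ""
        specs[name.group(1)] = value or None
    return specs

def negotiated(client_offer, server_enabled):
    """List model: first suite in the client's order that the server also enables."""
    return next((s for s in client_offer if s in server_enabled), None)

def pinned(channel_spec, client_suite):
    """Single-spec model: succeed only if the client suite matches the channel's."""
    expected = SPEC_TO_SUITE.get(channel_spec)
    return client_suite if expected and client_suite == expected else None

def audit(mqsc, client_suite):
    """Per channel: 'ok', 'mismatch', or 'no-tls' (blank SSLCIPH means no TLS)."""
    result = {}
    for channel, spec in channel_specs(mqsc).items():
        if spec is None:
            result[channel] = "no-tls"
        else:
            result[channel] = "ok" if pinned(spec, client_suite) else "mismatch"
    return result

if __name__ == "__main__":
    print(audit(MQSC, "SSL_RSA_WITH_AES_128_CBC_SHA"))
```

In the list model the outcome depends on what the client offers; in the single-spec model any client suite other than the channel's equivalent yields no connection at all.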
Armageddon123
Posted: Fri Apr 13, 2018 6:34 am
Acolyte
Joined: 11 Feb 2014 Posts: 61
Thanks all for the reply. That is a new learning.