zpat
Posted: Mon Aug 06, 2018 12:18 pm Post subject: Use of RFHUTILC (IH03) with TLS 1.2 cipher on channel
Jedi Council. Joined: 19 May 2001. Posts: 5866. Location: UK
Question on SupportPac IH03 (RFHUTILC version 7.5), when connecting via MQ client 7.1.0.7 to a remote QM (in this case z/OS MQ 7.1) over a SVRCONN channel.
Is it possible to use this TLS 1.2 cipher on the server connection channel with this program?
TLS_RSA_WITH_AES_256_CBC_SHA256 ?
This value doesn't appear in the cipher list when I press "set conn id"...
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
fjb_saper
Posted: Mon Aug 06, 2018 10:58 pm Post subject: Re: Use of RFHUTILC (IH03) with TLS 1.2 cipher on channel
Grand High Poobah. Joined: 18 Nov 2003. Posts: 20756. Location: LI,NY
zpat wrote:
> Question on SupportPac IH03 (RFHUTILC version 7.5), when connecting via MQ client 7.1.0.7 to a remote QM (in this case z/OS MQ 7.1) over a SVRCONN channel.
> Is it possible to use this TLS 1.2 cipher on the server connection channel with this program?
> TLS_RSA_WITH_AES_256_CBC_SHA256 ?
> This value doesn't appear in the cipher list when I press "set conn id"...
A lot has changed in SSL since version 7.5... get the latest version of RFHUtilc and try again...
_________________
MQ & Broker admin
zpat
Posted: Mon Aug 06, 2018 11:45 pm Post subject:
Jedi Council. Joined: 19 May 2001. Posts: 5866. Location: UK
What is the latest IH03 and where is it found now?
exerk
Posted: Tue Aug 07, 2018 1:02 am Post subject:
Jedi Council. Joined: 02 Nov 2006. Posts: 6339
zpat wrote:
> What is the latest IH03 and where is it found now?
It shows as WITHDRAWN with only a link to the PDF guide, for me at least. What about using a CCDT?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
markt
Posted: Tue Aug 07, 2018 3:46 am Post subject:
Knight. Joined: 14 May 2002. Posts: 508
1. Older programs often provided two versions: one linked with libmqic, one with libmqm. The libmqm-bound programs can these days usually be forced to use client connectivity by setting MQ_CONNECT_TYPE=CLIENT in the environment.
2. rfhutilc does a bunch of CCDT or other client definition parsing that is not done by the libmqm rfhutil. Using rfhutilc's GUI connection panels you can't set CipherSpecs that it doesn't know about. But using environment variables you may be able to use rfhutil instead of rfhutilc and trick it into using the CCDT directly.
3. There's apparently a bug at the moment in the process that takes SupportPac pages from the authoring system out to the public site... it's losing the anchor text for the download, though you can still see the link if you look at the page's source (Ctrl-U in Firefox). That is being investigated by the owners of that tool.
4. V7.5.0 is the last version of rfhutil that got released through the SupportPac process. Although there have been newer levels knocking around, they were never submitted for formal release.
5. Because we have no way to update the SupportPac further (the author was not in MQ development), it's been put on the withdrawn list. No plans to block it from download entirely for the moment, but it makes it clearer that it does what it does, and don't expect any more.
RogerLacroix
Posted: Tue Aug 07, 2018 10:52 am Post subject:
Jedi Knight. Joined: 15 May 2001. Posts: 3264. Location: London, ON Canada
zpat
Posted: Wed Aug 08, 2018 11:41 am Post subject:
Jedi Council. Joined: 19 May 2001. Posts: 5866. Location: UK
Thanks for the info.
Presumably the source code for IH03 belongs to IBM and they could maintain it or open-source it if they chose.
It's a shame that SupportPacs have been allowed to wither; they have been some of the best aspects of using MQ.
zpat
Posted: Thu Aug 09, 2018 8:08 am Post subject:
Jedi Council. Joined: 19 May 2001. Posts: 5866. Location: UK
Works fine with a CCDT and setting the MQSSLKEYR environment variable.
Only downside is that we have far, far too many QMs for easy CCDT creation....
dallen
Posted: Tue Sep 18, 2018 3:44 pm Post subject:
Newbie. Joined: 18 Sep 2018. Posts: 2
We struggled with letting go of RFHUtil because it was so useful to admins and developers, but we are starting the process of deprecating TLS 1.0 (TLS_RSA_WITH_AES_128_CBC_SHA) in favor of TLS 1.2 (TLS_RSA_WITH_AES_128_CBC_SHA256) and RFHUtil did not support TLS 1.2. I came across this message and saw that others have the same issue. As I was watching college football (Go Vols!) this week I thought to myself, I wonder if hex editing the RFHUtilC.exe would work, thinking back to my shareware cracking days using the SoftICE debugger, lol. So I loaded up the HEX editor plugin in Notepad++ (I am sure any HEX editor will work) and started searching for the cipher names. I found them, and the TLS_RSA_WITH_AES_128_CBC_SHA cipher actually had several null chars at the end of it; I replaced 3 of them with "256" and turned "TLS_RSA_WITH_AES_128_CBC_SHA" into "TLS_RSA_WITH_AES_128_CBC_SHA256" and holy hell IT WORKED! I am now able to connect to my MQ 8 channels with TLS 1.2 from RFHUtil. You should be able to change the same text to "TLS_RSA_WITH_AES_256_CBC_SHA256" as well and it works just fine. This would not have worked if those null chars were not there and it had increased the size of the exe, because it would have thrown all of the offsets and addressing out of whack. The bad part is that the pulldown menu that displays the ciphers was designed too short, so you can't see the full text, but if you highlight it, copy it and paste it into an editor you can see the full string. You also are not able to edit the text in the pulldown, which would have been an easier solution for future ciphers. Give this a shot and let me know if it works for you.
RogerLacroix
Posted: Wed Sep 19, 2018 3:16 pm Post subject:
Jedi Knight. Joined: 15 May 2001. Posts: 3264. Location: London, ON Canada
Bad idea to promote hacking of a non-open-source/public-domain software tool. You do understand that IBM owns the rights to RFHUTIL.
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today. Connected to MQ!
dallen
Posted: Wed Sep 19, 2018 3:23 pm Post subject:
Newbie. Joined: 18 Sep 2018. Posts: 2
As long as I don't publicly redistribute my modified copy or profit off it, then I am not violating any laws, and if IBM even cared about the product they would update it and continue to support it. If he doesn't want to try it, that's his choice, but it worked for me.
RogerLacroix
Posted: Wed Sep 19, 2018 4:11 pm Post subject:
Jedi Knight. Joined: 15 May 2001. Posts: 3264. Location: London, ON Canada
dallen wrote:
> As long as I don't publicly redistribute my modified copy or profit off it, then I am not violating any laws, and if IBM even cared about the product they would update it and continue to support it. If he doesn't want to try it, that's his choice, but it worked for me.
That falls under the 'Fake News' category. Any modification of the software, even for personal use, is illegal.
Regards,
Roger Lacroix
Capitalware Inc.
abhi_thri
Posted: Thu Sep 20, 2018 12:21 am Post subject:
Knight. Joined: 17 Jul 2017. Posts: 516. Location: UK
Hi all, just to add to the discussion. The client where I work did get the IBM contact to send us a new version of IH03 when we faced the same issue with TLSv1.2 ciphers; I believe they simply added the new set of ciphers shipped with the new MQ version to it.
The version we currently use is V8.0.0 Build 224.
We did request IBM to release this version publicly before it got formally withdrawn. I guess if you ask the authors nicely you may still be able to get hold of the V8 version.
mk621
Posted: Sat Oct 27, 2018 4:20 am Post subject:
Novice. Joined: 15 Oct 2012. Posts: 15
abhi_thri wrote:
> Hi all, just to add to the discussion. The client where I work did get the IBM contact to send us a new version of IH03 when we faced the same issue with TLSv1.2 ciphers; I believe they simply added the new set of ciphers shipped with the new MQ version to it.
> The version we currently use is V8.0.0 Build 224.
> We did request IBM to release this version publicly before it got formally withdrawn. I guess if you ask the authors nicely you may still be able to get hold of the V8 version.
Hi Abhi, can you please send me that new version of rfhutil at this email: rohsh5000@gmail.com
And can you also tell me who to contact at IBM for the official version?
Thanks for your help, appreciate it.
zpat
Posted: Sat Oct 27, 2018 7:56 am Post subject:
Jedi Council. Joined: 19 May 2001. Posts: 5866. Location: UK
Just to be clear, using a CCDT you do not need an updated version to use TLS 1.2 (or any cipher).
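The CCDT approach zpat and markt describe (a CLNTCONN definition carrying the CipherSpec, a client key repository, and MQSSLKEYR/MQCHLLIB/MQCHLTAB/MQ_CONNECT_TYPE in the environment), written out as an added example that is not code from the thread, from IH03 or from IBM; the queue manager names, host, channel name, file paths and key database password are assumptions for illustration.

```powershell
# Added example, not from the thread. Assumed names: LOCALQM is any queue manager you can
# administer, used only to generate the CCDT; ZOSQM1 at zoshost(1414) is the target z/OS
# queue manager and APP.SVRCONN its SVRCONN channel. Paths and the password are placeholders.

# 1. CCDT: a CLNTCONN definition carrying the wanted CipherSpec. runmqsc writes it into the
#    administering queue manager's AMQCLCHL.TAB. The channel name and SSLCIPH must match the
#    SVRCONN on the target exactly; the CipherSpec never has to be known to the tool itself.
$mqsc = @"
DEFINE CHANNEL('APP.SVRCONN') CHLTYPE(CLNTCONN) TRPTYPE(TCP) +
       CONNAME('zoshost(1414)') QMNAME('ZOSQM1') +
       SSLCIPH('TLS_RSA_WITH_AES_256_CBC_SHA256') REPLACE
"@
$mqsc | runmqsc LOCALQM

$ccdtDir = 'C:\mqclient\ccdt'
New-Item -ItemType Directory -Force -Path $ccdtDir | Out-Null
# @ipcc location assumed for this installation; check your own MQ data directory.
Copy-Item 'C:\ProgramData\IBM\MQ\qmgrs\LOCALQM\@ipcc\AMQCLCHL.TAB' $ccdtDir

# 2. Client key repository: a CMS key database plus stash file. Only the CA certificate that
#    signed the z/OS queue manager's certificate is added (server authentication). A personal
#    certificate for the client is also needed if the SVRCONN has SSLCAUTH(REQUIRED).
$keyDir = 'C:\mqclient\keys'
New-Item -ItemType Directory -Force -Path $keyDir | Out-Null
runmqakm -keydb -create -db "$keyDir\key.kdb" -pw 'changeit' -type cms -stash
runmqakm -cert -add -db "$keyDir\key.kdb" -stashed -label 'zosqm1-ca' `
         -file "$keyDir\zosqm1-ca.pem" -format ascii

# 3. Environment seen by the tool. MQSSLKEYR is the repository stem without the .kdb suffix.
#    MQ_CONNECT_TYPE=CLIENT forces the libmqm-bound rfhutil.exe to connect as a client, so the
#    CipherSpec comes from the CCDT and the program's own (outdated) cipher list is bypassed.
$env:MQCHLLIB = $ccdtDir
$env:MQCHLTAB = 'AMQCLCHL.TAB'
$env:MQSSLKEYR = "$keyDir\key"
$env:MQ_CONNECT_TYPE = 'CLIENT'

# 4. Check the CCDT and key repository with the sample client first (queue name assumed).
#    A 2393 (MQRC_SSL_INITIALIZATION_ERROR) here, with the detail in the client AMQERR01.LOG,
#    means the repository or CipherSpec is wrong, not the tool.
'' | amqsputc 'APP.TEST.QUEUE' 'ZOSQM1'

# Then start rfhutil from this session and enter ZOSQM1 (the CCDT's QMNAME) as queue manager.
Start-Process 'C:\tools\rfhutil\rfhutil.exe'
```

The environment variables are inherited only by processes started from this PowerShell session; set them at user or system level if rfhutil is launched from the Start menu.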