gavze007
Posted: Tue Oct 02, 2018 4:48 am   Post subject: SHA384 Ciphers don't work
Novice, joined 28 Mar 2018, 19 posts
Hi,
We're running MQ 8.0.0.5 on Windows.
Usually we connect to remote QMGRs using the TLS_RSA_WITH_AES_256_CBC_SHA256 cipher configured on the channels.
One of our clients asked us to move to the TLS_RSA_WITH_AES_256_CBC_SHA384 cipher.
After making the change at both ends, the channel doesn't start and is stuck in the retrying state.
What can be the cause?
Thanks
exerk
Posted: Tue Oct 02, 2018 5:17 am
Jedi Council, joined 02 Nov 2006, 6339 posts
What do the error logs say? Look there first because you haven't posted enough information for anyone to give you specific help...

--
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
bruce2359
Posted: Tue Oct 02, 2018 5:54 am   Post subject: Re: SHA384 Ciphers don't work
Poobah, joined 05 Jan 2008, 9469 posts, location: US: west coast, almost. Otherwise, enroute.
gavze007 wrote:
> Hi,
> We're running MQ 8.0.0.5 on Windows.
> Usually we connect to remote QMGRs using TLS_RSA_WITH_AES_256_CBC_SHA256 ciphers configured on the channels.
> One of our clients asked us to move to TLS_RSA_WITH_AES_256_CBC_SHA384 cipher.
> After doing the change at both ends, the channel doesn't start and is stuck on retrying state.
> What can be the cause?
> Thanks

Did you successfully REFRESH SECURITY TYPE(SSL) at both ends of the channel?

--
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
exerk
Posted: Tue Oct 02, 2018 5:59 am   Post subject: Re: SHA384 Ciphers don't work
Jedi Council, joined 02 Nov 2006, 6339 posts
bruce2359 wrote:
> Did you successfully REFRESH SECURITY TYPE(SSL) at both ends of the channel?

Out of curiosity, why?
bruce2359
Posted: Tue Oct 02, 2018 7:45 am   Post subject: Re: SHA384 Ciphers don't work
Poobah, joined 05 Jan 2008, 9469 posts, location: US: west coast, almost. Otherwise, enroute.
exerk wrote:
> bruce2359 wrote:
> > Did you successfully REFRESH SECURITY TYPE(SSL) at both ends of the channel?
> Out of curiosity, why?

OP didn't state what else might have changed - perhaps a new cert.
gavze007
Posted: Tue Oct 02, 2018 10:08 am
Novice, joined 28 Mar 2018, 19 posts
I'll try to retrieve the logs and post them here.
No change was made to the certificates...
Vitor
Posted: Tue Oct 02, 2018 10:12 am
Grand High Poobah, joined 11 Nov 2005, 26093 posts, location: Texas, USA
gavze007 wrote:
> No change was made to the certificates...

Despite changing the ciphers?

--
Honesty is the best policy.
Insanity is the best defence.
PeterPotkay
Posted: Tue Oct 02, 2018 1:35 pm   Post subject: Re: SHA384 Ciphers don't work
Poobah, joined 15 May 2001, 7722 posts
Vitor
Posted: Wed Oct 03, 2018 4:46 am   Post subject: Re: SHA384 Ciphers don't work
Grand High Poobah, joined 11 Nov 2005, 26093 posts, location: Texas, USA
I was wondering about that too......
hughson
Posted: Wed Oct 03, 2018 2:38 pm   Post subject: Re: SHA384 Ciphers don't work
Padawan, joined 09 May 2013, 1959 posts, location: Bay of Plenty, New Zealand
I assume your question contains a typo. You say you have changed from
TLS_RSA_WITH_AES_256_CBC_SHA256
to
TLS_RSA_WITH_AES_256_CBC_SHA384
but there is no such CipherSpec.
Assuming that your channel alteration worked, I'm assuming it was another CipherSpec. Your question suggests that the important change was a move to a SHA384 CipherSpec, of which there are a few you can use on Windows:
- ECDHE_ECDSA_AES_256_CBC_SHA384
- ECDHE_ECDSA_AES_256_GCM_SHA384
- ECDHE_RSA_AES_256_CBC_SHA384
- ECDHE_RSA_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_256_GCM_SHA384
The certificate you were previously using with SSLCIPH(TLS_RSA_WITH_AES_256_CBC_SHA256) will not work with most of the above listed CipherSpecs.
Please read "Digital certificates and CipherSpec compatibility in IBM MQ". Specifically, read the section entitled "Interoperability of Elliptic Curve and RSA CipherSpecs".
In short, the first four CipherSpecs in my bulleted list above require you to make a different kind of certificate. The last one, I think, should work with your current certificate.
If this does not solve your issue, I would reiterate what others have said: please provide the errors from the queue manager error log at both ends.
Cheers,
Morag

--
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
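To make the certificate rule in the post above concrete, here is an added example (my own code, not code from this thread, from IBM MQ or from MQGem) that takes one of the CipherSpec names listed above plus a DER-encoded certificate and reports whether the two can go together. It classifies the CipherSpec by its name prefix (ECDHE_ECDSA_* needs a certificate with an elliptic-curve key; ECDHE_RSA_* and TLS_RSA_WITH_* need an RSA certificate, which is the distinction the "Interoperability of Elliptic Curve and RSA CipherSpecs" section draws) and reads the certificate's key-algorithm OID out of the subjectPublicKeyInfo with a small hand-written DER walker, so nothing outside the Python standard library is needed. The two certificates produced by fake_cert() are constructed samples with the right ASN.1 field layout and dummy key and signature bytes; they are not real certificates. All function and constant names are my own.

```python
# Added example: does a certificate's key type match what an MQ CipherSpec needs?
# Not code from the thread, from IBM MQ or from MQGem. Standard library only.

OID_RSA = "1.2.840.113549.1.1.1"   # rsaEncryption
OID_EC = "1.2.840.10045.2.1"       # id-ecPublicKey
OID_P256 = "1.2.840.10045.3.1.7"   # prime256v1, used as the EC namedCurve parameter
KEY_TYPES = {OID_RSA: "RSA", OID_EC: "EC"}


def required_key_type(cipherspec):
    """Key algorithm the certificate must have for this CipherSpec (by name prefix)."""
    name = cipherspec.upper()
    if name.startswith("ECDHE_ECDSA_"):
        return "EC"
    if name.startswith("ECDHE_RSA_") or name.startswith("TLS_RSA_WITH_"):
        return "RSA"
    raise ValueError("CipherSpec family not covered here: " + cipherspec)


# Minimal DER helpers: definite-length TLVs only, which is all X.509 uses.
def der_encode(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")      # long-form length
    return bytes([tag, 0x80 | len(nb)]) + nb + payload


def der_children(buf):
    """Split a run of DER TLVs into (tag, contents) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                                   # 0x8n: n length bytes follow
            nb = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out


def der_encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:                                     # base-128, high bit = more
        chunk = [p & 0x7F]
        while p >> 7:
            p >>= 7
            chunk.append(0x80 | (p & 0x7F))
        body.extend(reversed(chunk))
    return der_encode(0x06, bytes(body))


def der_decode_oid(body):
    parts, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))


def cert_key_type(cert_der):
    """'RSA', 'EC' or 'unknown', read from a DER X.509 certificate's subjectPublicKeyInfo."""
    (_, cert), = der_children(cert_der)                     # Certificate ::= SEQUENCE
    fields = der_children(der_children(cert)[0][1])         # tbsCertificate fields
    if fields[0][0] == 0xA0:                                # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    alg_id = der_children(fields[5][1])[0]                  # AlgorithmIdentifier
    return KEY_TYPES.get(der_decode_oid(der_children(alg_id[1])[0][1]), "unknown")


def compatible(cipherspec, cert_der):
    return required_key_type(cipherspec) == cert_key_type(cert_der)


def fake_cert(key_oid):
    """Constructed sample: real X.509 field order, dummy key and signature bytes."""
    def seq(*items):
        return der_encode(0x30, b"".join(items))
    name = seq(der_encode(0x31, seq(der_encode_oid("2.5.4.3"), der_encode(0x0C, b"QM1"))))
    validity = seq(der_encode(0x17, b"181001000000Z"), der_encode(0x17, b"191001000000Z"))
    sig_alg = seq(der_encode_oid("1.2.840.113549.1.1.11"), der_encode(0x05, b""))
    params = der_encode(0x05, b"") if key_oid == OID_RSA else der_encode_oid(OID_P256)
    spki = seq(seq(der_encode_oid(key_oid), params), der_encode(0x03, b"\x00\x00"))
    tbs = seq(der_encode(0xA0, der_encode(0x02, b"\x02")), der_encode(0x02, b"\x01"),
              sig_alg, name, validity, name, spki)
    return seq(tbs, sig_alg, der_encode(0x03, b"\x00\x00"))


RSA_CERT, EC_CERT = fake_cert(OID_RSA), fake_cert(OID_EC)

if __name__ == "__main__":
    for cs in ("TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384",
               "ECDHE_RSA_AES_256_GCM_SHA384", "ECDHE_ECDSA_AES_256_GCM_SHA384"):
        print(f"{cs:33} needs {required_key_type(cs):3}  RSA cert: {compatible(cs, RSA_CERT)}"
              f"  EC cert: {compatible(cs, EC_CERT)}")
```

To check a real certificate, export it from the key repository in DER form and pass the bytes to cert_key_type(). Two caveats: required_key_type() classifies by name prefix only and does not verify that the name is a CipherSpec MQ actually supports, so it would happily report "RSA" for the non-existent TLS_RSA_WITH_AES_256_CBC_SHA384 from the opening post (check the name against the CipherSpec list for your MQ version first); and both queue managers present certificates when mutual authentication is in use, so the check has to pass at each end of the channel, which is the point of the "both ends" questions earlier in the thread.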
Vitor
Posted: Thu Oct 04, 2018 4:53 am   Post subject: Re: SHA384 Ciphers don't work
Grand High Poobah, joined 11 Nov 2005, 26093 posts, location: Texas, USA
hughson wrote:
> The certificate you were previously using with SSLCIPH(TLS_RSA_WITH_AES_256_CBC_SHA256) will not work with most of the above listed cipherspecs.

I did think you'd need a new certificate.......
me!
exerk
Posted: Thu Oct 04, 2018 4:59 am   Post subject: Re: SHA384 Ciphers don't work
Jedi Council, joined 02 Nov 2006, 6339 posts
Vitor wrote:
> hughson wrote:
> > The certificate you were previously using with SSLCIPH(TLS_RSA_WITH_AES_256_CBC_SHA256) will not work with most of the above listed cipherspecs.
> I did think you'd need a new certificate.......
> me!

The law of averages...
gavze007
Posted: Thu Oct 11, 2018 5:27 am
Novice, joined 28 Mar 2018, 19 posts
Hi again,
Sorry for the delayed answer.
We tried 2 different ciphers:
ECDHE_RSA_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_GCM_SHA384
And two different setups:
1. Sender on my end, receiver on the client's side
2. Receiver on my end, sender on the client's side
On the first setup, both ciphers work without a problem.
On the second setup, neither of the ciphers works.
The sender channel at the client's side is stuck at "retrying", and this is the only information we have in the client's logs:

Channel 'XXXX' to host 'XXXX(xx)' ended abnormally.
The channel program running under process ID 23145 for channel
'XXXX' ended abnormally. The host name is 'XXXX(xx)'; in
some cases the host name cannot be determined and so is shown as '????'.

On my end there are no entries in the log files.
Does it mean that my client has an unsuitable certificate, or that I do?
Thanks again for the help
hughson
Posted: Thu Oct 11, 2018 12:03 pm
Padawan, joined 09 May 2013, 1959 posts, location: Bay of Plenty, New Zealand
gavze007 wrote:
> We tried 2 different ciphers:
> ECDHE_RSA_AES_256_GCM_SHA384
> TLS_RSA_WITH_AES_256_GCM_SHA384
> And two different setups:
> 1. Sender on my end, receiver on the client's side
> 2. Receiver on my end, sender on the client's side
> On the first setup, both ciphers work without a problem.
> On the second setup, none of the ciphers works.

Please read "Digital certificates and CipherSpec compatibility in IBM MQ". Specifically, read the section entitled "Interoperability of Elliptic Curve and RSA CipherSpecs".
Those two CipherSpecs that you have listed will require different certificates. I don't understand how they both work in your first setup.
You have stated in your most recent post that the only thing seen in the queue manager error log at the client's side is this:

gavze007 wrote:
> Channel 'XXXX' to host 'XXXX(xx)' ended abnormally.
> The channel program running under process ID 23145 for channel
> 'XXXX' ended abnormally. The host name is 'XXXX(xx)'; in
> some cases the host name cannot be determined and so is shown as '????'.

This would appear to be message number AMQ9999 (please help us in future by including the message number when you paste in error message details; they are unique and so much easier to look things up with).
The complete text of message AMQ9999 is as follows:

AMQ9999 wrote:
> MESSAGE:
> Channel '<insert one>' to host '<insert three>' ended abnormally.
> EXPLANATION:
> The channel program running under process ID <insert two> for channel '<insert
> one>' ended abnormally. The host name is '<insert three>'; in some cases the
> host name cannot be determined and so is shown as '????'.
> ACTION:
> Look at previous error messages for the channel program in the error logs to
> determine the cause of the failure. Note that this message can be excluded
> completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
> attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
> found in the System Administration Guide.

The important thing to note here is the first sentence in the ACTION section. This tells you that there is always a preceding message to this one that gives more information about WHY the channel ended abnormally. Please could you paste that (including message number) into your next post. This is the one with the pertinent information.
Also, could you tell us what kind of certificate you are using (refer to the Knowledge Center page linked above).
Cheers,
Morag
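The ACTION text quoted above says that the useful message is the one written before AMQ9999. As an added example (my own code, not code from this thread or from IBM), here is a small parser for the AMQERRnn.LOG record layout that pairs each AMQ9999 for a channel with the last earlier record written by the channel process the AMQ9999 text names, which is the record you would paste into a reply. The log text in SAMPLE_LOG is constructed: the AMQ9999 record mirrors the one in the post, and the AMQ9631 (CipherSpec mismatch) record placed in front of it is one illustrative possibility, not what the poster's log actually contained. The queue manager, channel and host names, the source-file part of the separator lines, and all function names are made up for the example.

```python
# Added example: find the message that precedes AMQ9999 in an IBM MQ error log.
# Not code from the thread or from IBM. SAMPLE_LOG is a constructed AMQERRnn.LOG
# fragment; the AMQ9631 record in it is illustrative, not the poster's real log.
import re

SAMPLE_LOG = """\
10/11/2018 05:27:42 - Process(23145.1) User(mqm) Program(runmqchl)
                      Host(clienthost) Installation(Installation1)
                      VRMF(8.0.0.5) QMgr(CLIENTQM)

AMQ9631: The CipherSpec negotiated during the SSL handshake does not match the
required CipherSpec for channel 'CLIENTQM.TO.QM1'.

EXPLANATION:
Constructed sample text standing in for the real explanation.
ACTION:
Constructed sample text standing in for the real action.
----- amqxxxxx.c : 0000 -------------------------------------------------------
10/11/2018 05:27:43 - Process(23145.1) User(mqm) Program(runmqchl)
                      Host(clienthost) Installation(Installation1)
                      VRMF(8.0.0.5) QMgr(CLIENTQM)

AMQ9999: Channel 'CLIENTQM.TO.QM1' to host 'qm1host(1414)' ended abnormally.

EXPLANATION:
The channel program running under process ID 23145 for channel
'CLIENTQM.TO.QM1' ended abnormally. The host name is 'qm1host(1414)'; in some
cases the host name cannot be determined and so is shown as '????'.
ACTION:
Look at previous error messages for the channel program in the error logs to
determine the cause of the failure.
----- amqxxxxx.c : 0000 -------------------------------------------------------
"""

# Record header, e.g. "10/11/2018 05:27:43 - Process(23145.1) User(mqm) Program(runmqchl)"
HEADER_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) - Process\((?P<pid>\d+)\.\d+\)"
    r" User\((?P<user>[^)]*)\) Program\((?P<prog>[^)]*)\)")
# Message line(s): "AMQnnnn: text", possibly wrapped, terminated by a blank line.
# Newer MQ releases append a severity letter (AMQ9999E); MQ 8 does not.
MSG_RE = re.compile(r"^(?P<num>AMQ\d{4}[A-Z]?): (?P<text>.*?)\n[ \t]*\n", re.M | re.S)
# Record terminator: "----- <source file> : <line> ------..."
SEP_RE = re.compile(r"^-{5} \S+ : \d+ -+[ \t]*$", re.M)


def parse_error_log(text):
    """Turn AMQERRnn.LOG text into a list of record dicts, oldest first."""
    records = []
    for chunk in SEP_RE.split(text):
        chunk = chunk.strip()
        head = HEADER_RE.match(chunk)
        msg = MSG_RE.search(chunk)
        if not head or not msg:
            continue                                        # partial or empty record
        message = " ".join(msg.group("text").split())       # re-join wrapped lines
        chan = re.search(r"channel '([^']+)'", message, re.I)
        qmgr = re.search(r"QMgr\(([^)]*)\)", chunk)
        prog_pid = re.search(r"process ID (\d+)", chunk)    # named in AMQ9999's EXPLANATION
        records.append({
            "time": head.group("ts"), "pid": head.group("pid"),
            "program": head.group("prog"), "qmgr": qmgr.group(1) if qmgr else None,
            "number": msg.group("num"), "message": message,
            "channel": chan.group(1) if chan else None,
            "program_pid": prog_pid.group(1) if prog_pid else None,
        })
    return records


def causes_of_abnormal_end(records, channel):
    """Return (amq9999_record, preceding_record_or_None) for each AMQ9999 on channel.

    The preceding record is the last earlier non-AMQ9999 record written by the
    channel process named in the AMQ9999 text (falling back to the header pid),
    or, failing that, the last earlier record that names the same channel.
    """
    results = []
    for i, rec in enumerate(records):
        if not rec["number"].startswith("AMQ9999") or rec["channel"] != channel:
            continue
        target = rec["program_pid"] or rec["pid"]
        earlier = [r for r in records[:i] if not r["number"].startswith("AMQ9999")]
        same_proc = [r for r in earlier if r["pid"] == target]
        same_chan = [r for r in earlier if r["channel"] == channel]
        results.append((rec, (same_proc or same_chan or [None])[-1]))
    return results


if __name__ == "__main__":
    for ended, cause in causes_of_abnormal_end(parse_error_log(SAMPLE_LOG), "CLIENTQM.TO.QM1"):
        print(ended["time"], ended["number"], "on channel", ended["channel"])
        print("  preceded by:", cause["number"] + ": " + cause["message"] if cause else "nothing useful")
```

Run it over the text of AMQERR01.LOG from the errors directory of the queue manager whose channel is retrying (the client's side, in the second setup described above). If the only record for the channel really is AMQ9999, the message's own ACTION text points at the next thing to check: the ExcludeMessage and SuppressMessage settings in the QMErrorLog stanza of qm.ini, which control which messages reach the log at all.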
tczielke
Posted: Thu Oct 11, 2018 1:12 pm
Guardian, joined 08 Jul 2010, 941 posts, location: Illinois, USA
You wouldn't think this would be the case, but is it possible different CERTLABL (i.e. certificates) were in play with the two tests?

--
Working with MQ since 2010.