ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum IndexIBM MQ SecuritySHA384 Ciphers doesn't work

Post new topicReply to topic Goto page Previous  1, 2
SHA384 Ciphers doesn't work View previous topic :: View next topic
Author Message
tczielke
PostPosted: Fri Oct 12, 2018 6:30 am Post subject: Reply with quote

Shaman

Joined: 08 Jul 2010
Posts: 746
Location: Illinois, USA

hughson wrote:
gavze007 wrote:
We tried 2 different ciphers:

ECDHE_RSA_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_GCM_SHA384

And two different setups:
1. Sender on my end, receiver on the client's side
2. Receiver on my end, sender on the client's side

On the first setup, both ciphers work without a problem.

On the second setup, none of the ciphers works.

Please read Digital certificates and CipherSpec compatibility in IBM MQ. Specifically read the section entitled "Interoperability of Elliptic Curve and RSA CipherSpecs"

Those two cipherspecs that you have listed will require different certificates. I don't understand how they both work in your first setup.


When I read that doc, I see the following ciphers requiring both an RSA certificate.

ECDHE_RSA_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_GCM_SHA384

From what I have read about ECDHE_RSA_AES_256_GCM_SHA384, it uses RSA certficates, but the encryption algorithm builds ephemeral (temporary) elliptic curve keys to do the secret key establishment. However the certificates that this cipher requires are RSA.
_________________
MQ administrator since 2010.
Back to top
View user's profile Send private message
hughson
PostPosted: Fri Oct 12, 2018 3:59 pm Post subject: Reply with quote

Sentinel

Joined: 09 May 2013
Posts: 840
Location: Bay of Plenty, New Zealand

tczielke wrote:
hughson wrote:
gavze007 wrote:
We tried 2 different ciphers:

ECDHE_RSA_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_GCM_SHA384

And two different setups:
1. Sender on my end, receiver on the client's side
2. Receiver on my end, sender on the client's side

On the first setup, both ciphers work without a problem.

On the second setup, none of the ciphers works.

Please read Digital certificates and CipherSpec compatibility in IBM MQ. Specifically read the section entitled "Interoperability of Elliptic Curve and RSA CipherSpecs"

Those two cipherspecs that you have listed will require different certificates. I don't understand how they both work in your first setup.


When I read that doc, I see the following ciphers requiring both an RSA certificate.

ECDHE_RSA_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_GCM_SHA384

From what I have read about ECDHE_RSA_AES_256_GCM_SHA384, it uses RSA certficates, but the encryption algorithm builds ephemeral (temporary) elliptic curve keys to do the secret key establishment. However the certificates that this cipher requires are RSA.
Yes, you're quite right, I should have read it closer.

So that explains why both ciphers work, but we are no closer to knowing why they fail in the other setup.

Hopefully the OP will post the error message that will show us what is going on.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Back to top
View user's profile Send private message Visit poster's website
tczielke
PostPosted: Sat Oct 13, 2018 4:52 am Post subject: Reply with quote

Shaman

Joined: 08 Jul 2010
Posts: 746
Location: Illinois, USA

hughson wrote:
tczielke wrote:
hughson wrote:
gavze007 wrote:
We tried 2 different ciphers:

ECDHE_RSA_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_GCM_SHA384

And two different setups:
1. Sender on my end, receiver on the client's side
2. Receiver on my end, sender on the client's side

On the first setup, both ciphers work without a problem.

On the second setup, none of the ciphers works.

Please read Digital certificates and CipherSpec compatibility in IBM MQ. Specifically read the section entitled "Interoperability of Elliptic Curve and RSA CipherSpecs"

Those two cipherspecs that you have listed will require different certificates. I don't understand how they both work in your first setup.


When I read that doc, I see the following ciphers requiring both an RSA certificate.

ECDHE_RSA_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_GCM_SHA384

From what I have read about ECDHE_RSA_AES_256_GCM_SHA384, it uses RSA certficates, but the encryption algorithm builds ephemeral (temporary) elliptic curve keys to do the secret key establishment. However the certificates that this cipher requires are RSA.
Yes, you're quite right, I should have read it closer.

So that explains why both ciphers work, but we are no closer to knowing why they fail in the other setup.

Hopefully the OP will post the error message that will show us what is going on.

Cheers,
Morag



No problem! To understand this TLS stuff properly, you do need to have your head spinning at least two revolutions before you start reading.
_________________
MQ administrator since 2010.
Back to top
View user's profile Send private message
gavze007
PostPosted: Tue Oct 16, 2018 5:01 am Post subject: Reply with quote

Novice

Joined: 28 Mar 2018
Posts: 18

Hi,

Thank you for all the replies.
As I'm still investigating this issue, I don't have any other error messages - only those I mentioned, all came from the error qmgr.
Where should I look for more logs?

Thanks
Back to top
View user's profile Send private message
tczielke
PostPosted: Tue Oct 16, 2018 5:58 am Post subject: Reply with quote

Shaman

Joined: 08 Jul 2010
Posts: 746
Location: Illinois, USA

Assuming you have posted all the relevant error logs (note Morag's previous note that there should have been more error information to provide), your next step is a PMR with IBM. They would be able to look into an SSL trace and see what is going on under the covers. The MQ admin does not have the "security clearance" to look at the SSL trace.
_________________
MQ administrator since 2010.
Back to top
View user's profile Send private message
gavze007
PostPosted: Tue Oct 16, 2018 6:22 am Post subject: Reply with quote

Novice

Joined: 28 Mar 2018
Posts: 18

None of the ciphers need Elliptic Curve public key type, (although RCDHE_RSA_ uses ECDHE secret key establishment).
I validated the certificate types on both sides.

On my server:
Public Key Type : RSA (1.2.840.113549.1.1.1)
Signature Algorithm : SHA256WithRSASignature (1.2.840.113549.1.1.11)

On the client's side:
Public Key Algorithm: rsaEncryption
Signature Algorithm: sha1WithRSAEncryption

Before I'll open a case to IBM, do you think of any other reason this can fail? Maybe because I'm using SHA256 and the client uses SHA1?
Back to top
View user's profile Send private message
bruce2359
PostPosted: Tue Oct 16, 2018 7:47 am Post subject: Reply with quote

Poobah

Joined: 05 Jan 2008
Posts: 8191
Location: US: west coast, almost. Otherwise, enroute.

gavze007 wrote:
None of the ciphers need Elliptic Curve public key type, (although RCDHE_RSA_ uses ECDHE secret key establishment).
I validated the certificate types on both sides.

How did you validate?

Did you specify the same (identical) cipher suite at both ends of the channel?

There's an IBM support pac for validating SSL configurations. MO72, if memory serves.
_________________
I would tell you a UDP joke, but you might not get it.
Back to top
View user's profile Send private message
tczielke
PostPosted: Tue Oct 16, 2018 8:13 am Post subject: Reply with quote

Shaman

Joined: 08 Jul 2010
Posts: 746
Location: Illinois, USA

The only other recommendation I have is that there is a way to ask your partner MQ queue manager to send you the personal certificate that it is using with openssl s_client. At v8 and higher, you also need to provide the channel name in the openssl s_client call. It is a little complicated, but if you would like to do that to ensure your partner did give you the correct cert, let me know.
_________________
MQ administrator since 2010.
Back to top
View user's profile Send private message
hughson
PostPosted: Tue Oct 16, 2018 1:24 pm Post subject: Reply with quote

Sentinel

Joined: 09 May 2013
Posts: 840
Location: Bay of Plenty, New Zealand

gavze007 wrote:
As I'm still investigating this issue, I don't have any other error messages - only those I mentioned, all came from the error qmgr.

Please double check, there really should be two errors one after the other of which you have only provided us with the last one. They are both in the same queue manager error log. If you open a PMR with IBM they will want to see your errors too so it is worth taking another look.

P.S. You say "only those I mentioned" but I only see one error message in your previous posts. Is it possible that you found the other one but did not actually post it here?
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Back to top
View user's profile Send private message Visit poster's website
Display posts from previous:
Post new topicReply to topic Goto page Previous  1, 2 Page 2 of 2

MQSeries.net Forum IndexIBM MQ SecuritySHA384 Ciphers doesn't work
Jump to:



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP


Theme by Dustin Baccetti
Powered by phpBB 2001, 2002 phpBB Group

Copyright MQSeries.net. All rights reserved.