SHA384 Ciphers don't work
tczielke
Posted: Fri Oct 12, 2018 6:30 am
Guardian
Joined: 08 Jul 2010 Posts: 941 Location: Illinois, USA
hughson wrote:
> gavze007 wrote:
> > We tried 2 different ciphers:
> > ECDHE_RSA_AES_256_GCM_SHA384
> > TLS_RSA_WITH_AES_256_GCM_SHA384
> > And two different setups:
> > 1. Sender on my end, receiver on the client's side
> > 2. Receiver on my end, sender on the client's side
> > On the first setup, both ciphers work without a problem.
> > On the second setup, none of the ciphers works.
> Please read Digital certificates and CipherSpec compatibility in IBM MQ. Specifically read the section entitled "Interoperability of Elliptic Curve and RSA CipherSpecs".
> Those two cipherspecs that you have listed will require different certificates. I don't understand how they both work in your first setup.

When I read that doc, I see both of the following ciphers requiring an RSA certificate:
ECDHE_RSA_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_GCM_SHA384
From what I have read about ECDHE_RSA_AES_256_GCM_SHA384, it uses RSA certificates, but the encryption algorithm builds ephemeral (temporary) elliptic curve keys to do the secret key establishment. However, the certificates that this cipher requires are RSA.
_________________
Working with MQ since 2010.
hughson
Posted: Fri Oct 12, 2018 3:59 pm
Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
tczielke wrote:
> hughson wrote:
> > gavze007 wrote:
> > > We tried 2 different ciphers:
> > > ECDHE_RSA_AES_256_GCM_SHA384
> > > TLS_RSA_WITH_AES_256_GCM_SHA384
> > > And two different setups:
> > > 1. Sender on my end, receiver on the client's side
> > > 2. Receiver on my end, sender on the client's side
> > > On the first setup, both ciphers work without a problem.
> > > On the second setup, none of the ciphers works.
> > Please read Digital certificates and CipherSpec compatibility in IBM MQ. Specifically read the section entitled "Interoperability of Elliptic Curve and RSA CipherSpecs".
> > Those two cipherspecs that you have listed will require different certificates. I don't understand how they both work in your first setup.
> When I read that doc, I see both of the following ciphers requiring an RSA certificate:
> ECDHE_RSA_AES_256_GCM_SHA384
> TLS_RSA_WITH_AES_256_GCM_SHA384
> From what I have read about ECDHE_RSA_AES_256_GCM_SHA384, it uses RSA certificates, but the encryption algorithm builds ephemeral (temporary) elliptic curve keys to do the secret key establishment. However, the certificates that this cipher requires are RSA.

Yes, you're quite right, I should have read it closer.
So that explains why both ciphers work, but we are no closer to knowing why they fail in the other setup.
Hopefully the OP will post the error message that will show us what is going on.
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
tczielke
Posted: Sat Oct 13, 2018 4:52 am
Guardian
Joined: 08 Jul 2010 Posts: 941 Location: Illinois, USA
hughson wrote:
> tczielke wrote:
> > hughson wrote:
> > > gavze007 wrote:
> > > > We tried 2 different ciphers:
> > > > ECDHE_RSA_AES_256_GCM_SHA384
> > > > TLS_RSA_WITH_AES_256_GCM_SHA384
> > > > And two different setups:
> > > > 1. Sender on my end, receiver on the client's side
> > > > 2. Receiver on my end, sender on the client's side
> > > > On the first setup, both ciphers work without a problem.
> > > > On the second setup, none of the ciphers works.
> > > Please read Digital certificates and CipherSpec compatibility in IBM MQ. Specifically read the section entitled "Interoperability of Elliptic Curve and RSA CipherSpecs".
> > > Those two cipherspecs that you have listed will require different certificates. I don't understand how they both work in your first setup.
> > When I read that doc, I see both of the following ciphers requiring an RSA certificate:
> > ECDHE_RSA_AES_256_GCM_SHA384
> > TLS_RSA_WITH_AES_256_GCM_SHA384
> > From what I have read about ECDHE_RSA_AES_256_GCM_SHA384, it uses RSA certificates, but the encryption algorithm builds ephemeral (temporary) elliptic curve keys to do the secret key establishment. However, the certificates that this cipher requires are RSA.
> Yes, you're quite right, I should have read it closer.
> So that explains why both ciphers work, but we are no closer to knowing why they fail in the other setup.
> Hopefully the OP will post the error message that will show us what is going on.
> Cheers,
> Morag

No problem! To understand this TLS stuff properly, you do need to have your head spinning at least two revolutions before you start reading.
_________________
Working with MQ since 2010.
gavze007
Posted: Tue Oct 16, 2018 5:01 am
Novice
Joined: 28 Mar 2018 Posts: 19
Hi,
Thank you for all the replies.
As I'm still investigating this issue, I don't have any other error messages, only those I mentioned; all came from the error qmgr.
Where should I look for more logs?
Thanks
tczielke
Posted: Tue Oct 16, 2018 5:58 am
Guardian
Joined: 08 Jul 2010 Posts: 941 Location: Illinois, USA
Assuming you have posted all the relevant error logs (note Morag's previous note that there should have been more error information to provide), your next step is a PMR with IBM. They would be able to look into an SSL trace and see what is going on under the covers. The MQ admin does not have the "security clearance" to look at the SSL trace.
_________________
Working with MQ since 2010.
gavze007
Posted: Tue Oct 16, 2018 6:22 am
Novice
Joined: 28 Mar 2018 Posts: 19
None of the ciphers need the Elliptic Curve public key type (although ECDHE_RSA_ uses ECDHE secret key establishment).
I validated the certificate types on both sides.
On my server:
Public Key Type : RSA (1.2.840.113549.1.1.1)
Signature Algorithm : SHA256WithRSASignature (1.2.840.113549.1.1.11)
On the client's side:
Public Key Algorithm: rsaEncryption
Signature Algorithm: sha1WithRSAEncryption
Before I open a case with IBM, can you think of any other reason this can fail? Maybe because I'm using SHA256 and the client uses SHA1?
bruce2359
Posted: Tue Oct 16, 2018 7:47 am
Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
gavze007 wrote:
> None of the ciphers need the Elliptic Curve public key type (although ECDHE_RSA_ uses ECDHE secret key establishment).
> I validated the certificate types on both sides.

How did you validate?
Did you specify the same (identical) cipher suite at both ends of the channel?
There's an IBM SupportPac for validating SSL configurations. MO72, if memory serves.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
tczielke
Posted: Tue Oct 16, 2018 8:13 am
Guardian
Joined: 08 Jul 2010 Posts: 941 Location: Illinois, USA
The only other recommendation I have is that there is a way to ask your partner MQ queue manager to send you the personal certificate that it is using with openssl s_client. At v8 and higher, you also need to provide the channel name in the openssl s_client call. It is a little complicated, but if you would like to do that to ensure your partner did give you the correct cert, let me know.
_________________
Working with MQ since 2010.
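An added example, not code from any of the posts in this thread, that ties together two points made above: which certificate key type a given IBM MQ CipherSpec requires (ECDHE_RSA_* and TLS_RSA_WITH_* both need an RSA certificate, only ECDHE_ECDSA_* needs an elliptic curve one, per the IBM document hughson cites), and tczielke's suggestion of pulling the partner queue manager's personal certificate with openssl s_client, where MQ v8 and later need the channel name passed as the TLS SNI value. The CipherSpec mapping follows that document; the SNI channel-name encoding in mq_sni_name is my reading of IBM's documented scheme and is an assumption to verify against the IBM MQ documentation for your version; the host, port, channel and CipherSpec values in the usage line are placeholders. It also reads the same "Public Key Algorithm" line gavze007 compared by hand and checks it against the CipherSpec automatically.

```shell
#!/bin/sh
# Added example (not from the thread): map an IBM MQ CipherSpec to the
# certificate key type it needs, fetch the partner queue manager's
# certificate with openssl s_client, and check one against the other.

# Certificate key type a CipherSpec requires. Rule from IBM's
# "Interoperability of Elliptic Curve and RSA CipherSpecs": only
# ECDHE_ECDSA_* specs need an EC certificate; ECDHE_RSA_* uses EC only for
# the ephemeral key agreement and, like TLS_RSA_WITH_*, needs an RSA cert.
cipherspec_cert_type() {
  case $1 in
    ECDHE_ECDSA_*)              echo EC ;;
    ECDHE_RSA_*|TLS_RSA_WITH_*) echo RSA ;;
    *)                          echo UNKNOWN ;;
  esac
}

# Compare the "Public Key Algorithm" value openssl x509 -text prints for a
# certificate (rsaEncryption / id-ecPublicKey) with what the CipherSpec needs.
cert_key_matches_cipherspec() {
  keyalg=$1; cs=$2
  case $keyalg in
    rsaEncryption)  have=RSA ;;
    id-ecPublicKey) have=EC ;;
    *)              have=UNKNOWN ;;
  esac
  need=$(cipherspec_cert_type "$cs")
  if [ "$have" = UNKNOWN ] || [ "$need" = UNKNOWN ]; then
    echo "unknown: cannot classify key '$keyalg' or CipherSpec '$cs'"
  elif [ "$have" = "$need" ]; then
    echo ok
  else
    echo "mismatch: $cs needs an $need certificate, partner presented $have"
  fi
}

# SNI host name that IBM MQ (v8 and later) expects for a channel name.
# ASSUMPTION (my reading of IBM's documented channel-name encoding; verify
# against the docs for your version): A-Z are lowered, a-z get a trailing
# '-', digits are unchanged, and the other characters valid in a channel
# name ('.', '/', '_', '%') become their hex code plus '-'. The result is
# suffixed with ".chl.mq.ibm.com", so TO.QM2 -> to2e-qm2.chl.mq.ibm.com.
mq_sni_name() {
  printf '%s\n' "$1" \
    | sed -e 's/[a-z]/&-/g' -e 's/\./2e-/g' -e 's#/#2f-#g' -e 's/_/5f-/g' -e 's/%/25-/g' \
    | tr 'A-Z' 'a-z' \
    | sed 's/$/.chl.mq.ibm.com/'
}

# Ask the partner queue manager for its personal certificate, print the
# subject, key and signature algorithms, and say whether the key type suits
# the CipherSpec configured on the channel.
# Usage: check_partner_cert HOST PORT CHANNEL CIPHERSPEC
check_partner_cert() {
  host=$1; port=$2; chl=$3; cs=$4
  sni=$(mq_sni_name "$chl")
  # s_client with SNI set to the encoded channel name; -showcerts dumps the
  # chain, and x509 reads the first (leaf) certificate from that output.
  certinfo=$(openssl s_client -connect "$host:$port" -servername "$sni" -showcerts </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -text 2>/dev/null) \
    || { echo "no certificate received from $host:$port (SNI $sni)"; return 1; }
  printf '%s\n' "$certinfo" | grep -E 'Subject:|Public Key Algorithm|Signature Algorithm'
  keyalg=$(printf '%s\n' "$certinfo" | sed -n 's/.*Public Key Algorithm: //p' | head -n 1)
  cert_key_matches_cipherspec "$keyalg" "$cs"
}

# Only contact a partner when all four arguments are given, so the file can
# also be sourced for the offline helpers above.
if [ $# -eq 4 ]; then
  check_partner_cert "$@"
fi
```

Run it as `sh check_partner_cert.sh partner.example.com 1414 TO.QM2 ECDHE_RSA_AES_256_GCM_SHA384` (placeholder values). The grep lines show the Subject, Public Key Algorithm and Signature Algorithm of the certificate the partner actually presented for that channel, which is the quickest way to confirm the cert you were given is the one in use; the final line reports whether its key type can serve the CipherSpec at all. Both ends must still carry the identical CipherSpec, as bruce2359 points out, and a mismatch there will not show up in the certificate check.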
hughson
Posted: Tue Oct 16, 2018 1:24 pm
Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
gavze007 wrote:
> As I'm still investigating this issue, I don't have any other error messages, only those I mentioned; all came from the error qmgr.

Please double check: there really should be two errors, one after the other, of which you have only provided us with the last one. They are both in the same queue manager error log. If you open a PMR with IBM they will want to see your errors too, so it is worth taking another look.
P.S. You say "only those I mentioned", but I only see one error message in your previous posts. Is it possible that you found the other one but did not actually post it here?
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software