Posted: Mon Nov 07, 2005 8:16 am Post subject: Cipher Spec mismatch problem between client and server
Newbie
Joined: 21 Oct 2005 Posts: 7
I am experiencing a problem with the Cipher Specs / Suites that I am defining on both ends of the channel.
Specifically, I define Cipher Spec "TRIPLE_DES_SHA_US" (which maps to the "SSL_RSA_WITH_3DES_EDE_CBC_SHA" cipher suite) on the server side and then start the channel.
On the client side I set the MQEnvironment.sslCipherSuite variable to "SSL_RSA_WITH_3DES_EDE_CBC_SHA" and start the connection.
On the client side I see the error:
MQJE001: An MQException occurred: Completion Code 2, Reason 2009
MQJE016: MQ queue manager closed channel immediately during connect
When I look at the error log on my Queue Manager (server side) I see this error:
----- amqccita.c : 3227 -------------------------------------------------------
11/7/2005 09:42:33 - Process(2948.25) User(MUSR_MQADMIN) Program(amqrmppa.exe)
AMQ9631: The CipherSpecs on the two ends of channel 'SECURE.CHANNEL' do not
match.
EXPLANATION:
There is a mismatch between the CipherSpecs on the local and remote ends of
channel 'SECURE.CHANNEL'. The channel will not run until this mismatch is
resolved.
ACTION:
Change the channel definitions for 'SECURE.CHANNEL' so the two ends have
matching CipherSpecs and restart the channel.
Now what's interesting is if I stop the server channel and define the SSL Cipher Spec as "TLS_RSA_WITH_3DES_EDE_CBC_SHA" (which also maps to the "SSL_RSA_WITH_3DES_EDE_CBC_SHA" Cipher Suite) and restart the channel and connect again from the client with the same cipher suite as before, I can now connect successfully.
I tried all the Cipher Specs supported by WebSphere MQ (as defined in Appendix D of the "WebSphere MQ Using Java" document and Chapter 16 of the "WebSphere MQ Security" document) and was only able to successfully make connections to the server when either the "TLS_RSA_WITH_DES_CBC_SHA" or "TLS_RSA_WITH_3DES_EDE_CBC_SHA" cipher specs were defined on the server side (and a corresponding cipher suite was sent from the client).
My Queue Manager is running under WebSphere MQ 6.0 and the SSLFIPS property is set to "NO".
I am stumped! I am using a self-signed certificate on the server and have tried creating a new one through the IBM Key Management GUI and also importing my own PKCS-12 cert. I get the same results with both certificates.
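The configuration described in the post, written out as an added example (this is not code from the original post, and the queue manager name QM1, host mqhost.example.com, port 1414 and the trust store path and password are assumptions; the channel name SECURE.CHANNEL is the one from the post). The MQSC definition in the comment is the server-side form that the poster reports as working; the Java client sets the same suite the poster set. In IBM's CipherSpec table, TRIPLE_DES_SHA_US is the SSL 3.0 form of 3DES/SHA-1 and TLS_RSA_WITH_3DES_EDE_CBC_SHA is the TLS 1.0 form; both are listed against the single JSSE suite name SSL_RSA_WITH_3DES_EDE_CBC_SHA, which is why the client string stays the same while only the server-side SSLCIPH changes between the failing and the working run.

```java
// Added example (not from the original post): a minimal WebSphere MQ 6 Java
// client connection with an explicit cipher suite, plus the matching server
// channel definition. Names marked "assumed" are illustrative only.
//
// Server side (MQSC), the variant the post reports as working:
//   DEFINE CHANNEL(SECURE.CHANNEL) CHLTYPE(SVRCONN) TRPTYPE(TCP) +
//          SSLCIPH(TLS_RSA_WITH_3DES_EDE_CBC_SHA) SSLCAUTH(OPTIONAL) REPLACE
//
// The SSLCIPH value and the client's sslCipherSuite must be the same entry
// of the CipherSpec/CipherSuite table, otherwise the queue manager logs
// AMQ9631 and the client sees reason 2009 (MQRC_CONNECTION_BROKEN).
import com.ibm.mq.MQC;
import com.ibm.mq.MQEnvironment;
import com.ibm.mq.MQException;
import com.ibm.mq.MQQueueManager;

public class SslConnectCheck {

    /** JSSE suite name that corresponds to SSLCIPH(TLS_RSA_WITH_3DES_EDE_CBC_SHA). */
    static final String CIPHER_SUITE = "SSL_RSA_WITH_3DES_EDE_CBC_SHA";

    public static void main(String[] args) {
        // Trust store holding the queue manager's (self-signed) certificate.
        // Path and password are assumed values for this example.
        System.setProperty("javax.net.ssl.trustStore", "/opt/mqclient/client.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

        // Client connection details (host, port and queue manager name assumed).
        MQEnvironment.hostname = "mqhost.example.com";
        MQEnvironment.port = 1414;
        MQEnvironment.channel = "SECURE.CHANNEL";
        MQEnvironment.properties.put(MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES_CLIENT);

        // The suite offered in the TLS handshake; must match the channel's SSLCIPH.
        MQEnvironment.sslCipherSuite = CIPHER_SUITE;
        // Matches SSLFIPS(NO) on the queue manager in the post.
        MQEnvironment.sslFipsRequired = false;

        MQQueueManager qm = null;
        try {
            qm = new MQQueueManager("QM1");
            System.out.println("Connected to QM1 over " + CIPHER_SUITE);
        } catch (MQException e) {
            // CC=2 RC=2009 here, together with AMQ9631 in the queue manager's
            // error log, means the two ends do not agree on the CipherSpec.
            System.err.println("Connect failed: CC=" + e.completionCode
                    + " RC=" + e.reasonCode + " " + e.getMessage());
        } finally {
            if (qm != null) {
                try {
                    qm.disconnect();
                } catch (MQException ignore) {
                    // nothing useful to do on disconnect failure in this check
                }
            }
        }
    }
}
```

When changing SSLCIPH on an existing SVRCONN channel, stop any running instances of it first so the new value is picked up. Note also that single DES and 3DES are weak by current standards; on current MQ releases prefer an AES CipherSpec such as TLS_RSA_WITH_AES_128_CBC_SHA, with the corresponding suite name on the client.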
You are not connecting to WAS. Did you have only one certificate or multiple?
Depending on the certificate (server) there is only a limited cipher spec range you can use. To be able to use all Cipher Specs you will need multiple certificates (see JCE Java Cryptology Extension) for your server.