Why special CipherSuite and CipherSpec in MQ SSL
Armageddon123
Posted: Tue Apr 10, 2018 12:35 pm    Post subject: Why special CipherSuite and CipherSpec in MQ SSL

Acolyte

Joined: 11 Feb 2014
Posts: 61

Hi Experts.

In most SSL setups, for example IIB, we create a keystore and truststore, then associate them with the broker, set up the https port, done, done.

For MQ only, apart from the keystore and truststore setup, we have to mention the CipherSuite/CipherSpec on the channel and also in the client Java code.

props.put(MQConstants.SSL_CIPHER_SUITE_PROPERTY, "SSL_RSA_WITH_AES_128_CBC_SHA");

The link below explains the issues with mismatches etc. for the CipherSpec/CipherSuite, but I could not get why we really need to provide it in the first place.

https://www.ibm.com/developerworks/community/blogs/messaging/entry/BiteSize_Blogging_MQ_Version_8_The_relationship_between_MQ_CipherSpecs_and_Java_Cipher_Suites?lang=en

Is this a special implementation of SSL/TLS for MQ which needs these CipherSuites, or am I missing some basics?!

Thanks!
exerk
Posted: Wed Apr 11, 2018 1:32 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

Browsers have an inbuilt list of Cipher Specs, and negotiate down that list until they find a mutually supported one, which can take some time - perhaps IIB uses the same principle? (CAVEAT: The limit of my knowledge with IIB is the ability to spell it!).

Imagine how much faster it would be if you didn't have to do that and used a specific Cipher Spec, or at least a limited list.

No doubt someone will be along that will put us both right soon...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
zpat
Posted: Wed Apr 11, 2018 10:15 pm

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

I seem to recall this is changing in more recent MQ versions.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
bruce2359
Posted: Thu Apr 12, 2018 4:11 am

Poobah

Joined: 05 Jan 2008
Posts: 9394
Location: US: west coast, almost. Otherwise, enroute.

exerk wrote:
Browsers have an inbuilt list of Cipher Specs, and negotiate down that list until they find a mutually supported one ...

This browser behavior is a well-documented security exposure, as the client end can specify the weakest spec, and the server end will reduce its spec to that level.

MQ allows one spec, the same spec, at both ends, the one explicitly defined in channel definitions - no negotiation.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
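
An added illustration of the point made in the reply above (not code from any poster, and not IBM MQ code): a simplified Python model contrasting list-based cipher selection with a channel pinned to a single spec. The suite list, the strength ranking and all function names are assumptions made for the demo, and one name is used at both ends where real MQ maps CipherSpec names to Java CipherSuite names.

```python
# Added illustration: a simplified model of cipher selection, not IBM MQ or TLS library code.
# STRENGTH is a constructed ranking for the demo (higher = stronger), not an IBM table.
STRENGTH = {
    "SSL_RSA_WITH_RC4_128_MD5": 1,
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA": 2,
    "SSL_RSA_WITH_AES_128_CBC_SHA": 3,   # the suite quoted in the thread
    "SSL_RSA_WITH_AES_256_CBC_SHA": 4,
}

def negotiate(client_offer, server_enabled):
    """List-based selection: the server walks its own preference order and
    takes the first suite the client also offered. None = handshake failure."""
    for suite in server_enabled:
        if suite in client_offer:
            return suite
    return None

def pinned(client_offer, channel_spec):
    """Channel as described in the thread: exactly one spec is acceptable,
    which is the same selection run against a one-element list."""
    return negotiate(client_offer, [channel_spec])

def weakest_reachable(server_enabled):
    """Weakest session any peer can end up with by offering a single suite."""
    outcomes = [negotiate([s], server_enabled) for s in STRENGTH]
    reachable = [s for s in outcomes if s is not None]
    return min(reachable, key=STRENGTH.get) if reachable else None

# Constructed endpoint configurations (hypothetical, for the demo only).
BROAD_SERVER = ["SSL_RSA_WITH_AES_256_CBC_SHA", "SSL_RSA_WITH_AES_128_CBC_SHA",
                "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_WITH_RC4_128_MD5"]
CHANNEL_SPEC = "SSL_RSA_WITH_AES_128_CBC_SHA"

if __name__ == "__main__":
    full_client = list(STRENGTH)
    legacy_client = ["SSL_RSA_WITH_RC4_128_MD5"]
    print("broad server, full client  :", negotiate(full_client, BROAD_SERVER))
    print("broad server, legacy client:", negotiate(legacy_client, BROAD_SERVER))
    print("pinned channel, legacy     :", pinned(legacy_client, CHANNEL_SPEC))
    print("pinned channel, matching   :", pinned([CHANNEL_SPEC], CHANNEL_SPEC))
    print("weakest reachable (broad)  :", weakest_reachable(BROAD_SERVER))
    print("weakest reachable (pinned) :", weakest_reachable([CHANNEL_SPEC]))
```

With the broad list, the weakest enabled suite sets the floor for the whole endpoint; with the pinned channel, the floor is the configured spec and anything else fails the handshake.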
Armageddon123
Posted: Fri Apr 13, 2018 6:34 am

Acolyte

Joined: 11 Feb 2014
Posts: 61

Thanks all for the reply. That is a new learning.