ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum Index » General IBM MQ Support » Moving from SSL 3.0 to TLS 1.2

Post new topic  Reply to topic
 Moving from SSL 3.0 to TLS 1.2 « View previous topic :: View next topic » 
Author Message
riyaz_tak
PostPosted: Tue Mar 15, 2016 2:06 am    Post subject: Moving from SSL 3.0 to TLS 1.2 Reply with quote

Voyager

Joined: 05 Jan 2012
Posts: 92

Hi All

We are using WMQ 7.0.5.4 and GSK kit version 7.We are using SSL for authentication.

We have to move to TLS1.2.
We are planning to upgrade GSK kit to version 8 to support TLS 1.2.

So my question is if we move to TLS 1.2 then in this case do we need to update certificates as well or same old certificates will work fine?

Platform is Solaris 10.

Please let me know if you need more info or I have missed something.
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Tue Mar 15, 2016 4:45 am    Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20695
Location: LI,NY

IIRC fix pack 4 was retired?

As for your question, how should we know? You gave no indication as to what your current certs look like, especially about key size...
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
riyaz_tak
PostPosted: Tue Mar 15, 2016 5:27 am    Post subject: Reply with quote

Voyager

Joined: 05 Jan 2012
Posts: 92

Hi

We are using RC4_MD5_EXPORT and planning to move to TLS_RSA_WITH_AES_256_CBC_SHA256 (key size 256).

Protocol used ---> TLS 1.2

Hash algorithm ---- > SHA-256

Encryption algorithm --- >AES

Encryption bits --- > 256

Platform Solaris 10 (64 bits)

WMQ 7.5.0.4

GSK KIT 7.0.4.45

I hope it helps

Regards
Riyaz
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Tue Mar 15, 2016 6:38 am    Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20695
Location: LI,NY

You need a minimum RSA key size of 2048 and should probably use 4096...

So when you look at your existing certificates what is the key size they advertise ?
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
riyaz_tak
PostPosted: Tue Mar 15, 2016 10:44 pm    Post subject: Reply with quote

Voyager

Joined: 05 Jan 2012
Posts: 92

Hi

Current key size is 1024 and Signature Algorithm is SHA1withRSA.

So according to my understanding if we have to use CipherSpec TLS_RSA_WITH_AES_256_CBC_SHA256 then we need to have client certificate which is using SHA2 .

Is it correct?

current client certificate which we have is showing Signature Algorithm as SHA1withRSA and key size as 1024.

Our certificate which we have sent to customer has Key Size: 1024 and Signature Algorithm: MD5withRSA
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Wed Mar 16, 2016 4:43 am    Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20695
Location: LI,NY

riyaz_tak wrote:
Hi

Current key size is 1024 and Signature Algorithm is SHA1withRSA.

So according to my understanding if we have to use CipherSpec TLS_RSA_WITH_AES_256_CBC_SHA256 then we need to have client certificate which is using SHA2 .

Is it correct?

current client certificate which we have is showing Signature Algorithm as SHA1withRSA and key size as 1024.

Our certificate which we have sent to customer has Key Size: 1024 and Signature Algorithm: MD5withRSA


Don't know that you can do TLS anymore with a key size of 1024.
The min key size for FIPS these days is 2048 and capability of the software is 4096.... My understanding is that any suite B algorithms require a min key size of 2048 (RSA key size, elliptic curve is different there).

Also your signature algorithm should be SHA not MD5. MD5 has been compromised and is no longer secure.

Have fun
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
riyaz_tak
PostPosted: Wed Mar 16, 2016 5:09 am    Post subject: Reply with quote

Voyager

Joined: 05 Jan 2012
Posts: 92

Thanks a lot fjb_saper
Back to top
View user's profile Send private message
kordi
PostPosted: Tue Apr 05, 2016 12:44 am    Post subject: Reply with quote

Centurion

Joined: 28 May 2012
Posts: 145
Location: PL

What you also need to keep in mind TLS 1.2 will not work with MD5 certificates. So before you want to use TLS 1.2 you must go through certificate renewal process.
Back to top
View user's profile Send private message
EKhalil
PostPosted: Fri Mar 17, 2017 7:02 am    Post subject: Reply with quote

Voyager

Joined: 29 Apr 2003
Posts: 99
Location: Boston, MA

FYI: Key size of 1024 and Signature Algorithm SHA1withRSA will support CipherSpec TLS_RSA_WITH_AES_256_CBC_SHA256. I have implemented this config successfully. The key size of 1024 is not recommeded however as it only provides 80 bits of security. So renewal of certs at a larger key size would be in order
Back to top
View user's profile Send private message Send e-mail
gbaddeley
PostPosted: Sun Mar 19, 2017 3:09 pm    Post subject: Reply with quote

Jedi

Joined: 25 Mar 2003
Posts: 2491
Location: Melbourne, Australia

EKhalil wrote:
FYI: Key size of 1024 and Signature Algorithm SHA1withRSA will support CipherSpec TLS_RSA_WITH_AES_256_CBC_SHA256. I have implemented this config successfully. The key size of 1024 is not recommeded however as it only provides 80 bits of security. So renewal of certs at a larger key size would be in order

SHA1 is also not recommended.
Quote:
SHA-1 Wikipedia: SHA-1 is no longer considered secure against well-funded opponents. In 2005, cryptanalysts found attacks on SHA-1 suggesting that the algorithm might not be secure enough for ongoing use, and since 2010 many organizations have recommended its replacement by SHA-2 or SHA-3

_________________
Glenn
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic  Reply to topic Page 1 of 1

MQSeries.net Forum Index » General IBM MQ Support » Moving from SSL 3.0 to TLS 1.2
Jump to:  



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP
 
 


Theme by Dustin Baccetti
Powered by phpBB © 2001, 2002 phpBB Group

Copyright © MQSeries.net. All rights reserved.