riyaz_tak
Posted: Tue Mar 15, 2016 2:06 am    Post subject: Moving from SSL 3.0 to TLS 1.2
Voyager, Joined: 05 Jan 2012, Posts: 92

Hi All
We are using WMQ 7.0.5.4 and GSK kit version 7. We are using SSL for authentication.
We have to move to TLS 1.2.
We are planning to upgrade GSK kit to version 8 to support TLS 1.2.
So my question is: if we move to TLS 1.2, then in this case do we need to update certificates as well, or will the same old certificates work fine?
Platform is Solaris 10.
Please let me know if you need more info or I have missed something.

fjb_saper
Posted: Tue Mar 15, 2016 4:45 am    Post subject:
Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY

IIRC fix pack 4 was retired?
As for your question, how should we know? You gave no indication as to what your current certs look like, especially about key size...
_________________
MQ & Broker admin

riyaz_tak
Posted: Tue Mar 15, 2016 5:27 am    Post subject:
Voyager, Joined: 05 Jan 2012, Posts: 92

Hi
We are using RC4_MD5_EXPORT and planning to move to TLS_RSA_WITH_AES_256_CBC_SHA256 (key size 256).
Protocol used ---> TLS 1.2
Hash algorithm ---> SHA-256
Encryption algorithm ---> AES
Encryption bits ---> 256
Platform: Solaris 10 (64 bits)
WMQ 7.5.0.4
GSK KIT 7.0.4.45
I hope it helps.
Regards
Riyaz

fjb_saper
Posted: Tue Mar 15, 2016 6:38 am    Post subject:
Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY

You need a minimum RSA key size of 2048 and should probably use 4096...
So when you look at your existing certificates, what is the key size they advertise?
_________________
MQ & Broker admin

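The check being asked for here, as an added example that is not part of the thread: a small POSIX sh script that reads a PEM certificate with openssl and flags it when the RSA key is under 2048 bits or the signature algorithm is MD5 or SHA-1. It assumes openssl is on the path; the test certificates it generates are constructed throwaways, not the poster's real customer certs. MQ administrators would normally read the same fields from the key database with runmqakm (or gsk7cmd) -cert -details, and the thresholds applied are the ones the thread states.

```shell
#!/bin/sh
# Added example, not code from the thread: report RSA key size and signature
# algorithm of a PEM certificate and judge it against the thread's criteria
# (RSA key >= 2048 bits; signature algorithm not MD5 and not SHA-1).

cert_key_bits() {
    # prints e.g. 1024 for an openssl text line "Public-Key: (1024 bit)"
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

cert_sig_alg() {
    # prints e.g. sha256WithRSAEncryption (first "Signature Algorithm:" line)
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: \(.*\)$/\1/p' | head -n 1
}

check_cert() {
    bits=$(cert_key_bits "$1")
    alg=$(cert_sig_alg "$1")
    ok=0
    if [ "${bits:-0}" -lt 2048 ]; then
        echo "$1: RSA key is ${bits:-unknown} bits; the TLS 1.2 migration wants at least 2048"
        ok=1
    fi
    case "$alg" in
        md5*|sha1*) echo "$1: signature algorithm $alg is deprecated; re-issue with SHA-2"; ok=1 ;;
    esac
    if [ "$ok" -eq 0 ]; then
        echo "$1: $bits-bit key, $alg: OK"
    fi
    return "$ok"
}

make_test_cert() {
    # Constructed self-signed certificate for demonstration only.
    # $1 = output PEM file, $2 = RSA key size in bits
    openssl req -x509 -newkey "rsa:$2" -nodes -sha256 -days 1 \
        -subj "/CN=constructed-test" -keyout "$1.key" -out "$1" 2>/dev/null
}

WORK=$(mktemp -d)
make_test_cert "$WORK/weak.pem" 1024
make_test_cert "$WORK/good.pem" 2048
check_cert "$WORK/weak.pem" || true    # flagged: 1024-bit key
check_cert "$WORK/good.pem"            # passes: 2048-bit key, sha256WithRSAEncryption
```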
riyaz_tak
Posted: Tue Mar 15, 2016 10:44 pm    Post subject:
Voyager, Joined: 05 Jan 2012, Posts: 92

Hi
Current key size is 1024 and Signature Algorithm is SHA1withRSA.
So according to my understanding, if we have to use CipherSpec TLS_RSA_WITH_AES_256_CBC_SHA256 then we need to have a client certificate which is using SHA2.
Is it correct?
The current client certificate which we have is showing Signature Algorithm as SHA1withRSA and key size as 1024.
Our certificate which we have sent to the customer has Key Size: 1024 and Signature Algorithm: MD5withRSA.

fjb_saper
Posted: Wed Mar 16, 2016 4:43 am    Post subject:
Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY

riyaz_tak wrote:
    Hi
    Current key size is 1024 and Signature Algorithm is SHA1withRSA.
    So according to my understanding, if we have to use CipherSpec TLS_RSA_WITH_AES_256_CBC_SHA256 then we need to have a client certificate which is using SHA2.
    Is it correct?
    The current client certificate which we have is showing Signature Algorithm as SHA1withRSA and key size as 1024.
    Our certificate which we have sent to the customer has Key Size: 1024 and Signature Algorithm: MD5withRSA.

Don't know that you can do TLS anymore with a key size of 1024.
The min key size for FIPS these days is 2048 and the capability of the software is 4096.... My understanding is that any Suite B algorithms require a min key size of 2048 (RSA key size; elliptic curve is different there).
Also your signature algorithm should be SHA, not MD5. MD5 has been compromised and is no longer secure.
Have fun
_________________
MQ & Broker admin

riyaz_tak
Posted: Wed Mar 16, 2016 5:09 am    Post subject:
Voyager, Joined: 05 Jan 2012, Posts: 92

Thanks a lot fjb_saper

kordi
Posted: Tue Apr 05, 2016 12:44 am    Post subject:
Centurion, Joined: 28 May 2012, Posts: 146, Location: PL

What you also need to keep in mind is that TLS 1.2 will not work with MD5 certificates. So before you want to use TLS 1.2, you must go through the certificate renewal process.

EKhalil
Posted: Fri Mar 17, 2017 7:02 am    Post subject:
Voyager, Joined: 29 Apr 2003, Posts: 99, Location: Boston, MA

FYI: Key size of 1024 and Signature Algorithm SHA1withRSA will support CipherSpec TLS_RSA_WITH_AES_256_CBC_SHA256. I have implemented this config successfully. The key size of 1024 is not recommended however, as it only provides 80 bits of security. So renewal of certs at a larger key size would be in order.

gbaddeley
Posted: Sun Mar 19, 2017 3:09 pm    Post subject:
Jedi Knight, Joined: 25 Mar 2003, Posts: 2538, Location: Melbourne, Australia

EKhalil wrote:
    FYI: Key size of 1024 and Signature Algorithm SHA1withRSA will support CipherSpec TLS_RSA_WITH_AES_256_CBC_SHA256. I have implemented this config successfully. The key size of 1024 is not recommended however, as it only provides 80 bits of security. So renewal of certs at a larger key size would be in order.

SHA1 is also not recommended.
Quote:
    SHA-1 Wikipedia: SHA-1 is no longer considered secure against well-funded opponents. In 2005, cryptanalysts found attacks on SHA-1 suggesting that the algorithm might not be secure enough for ongoing use, and since 2010 many organizations have recommended its replacement by SHA-2 or SHA-3.
_________________
Glenn