Deprecated CipherSpecs
A list of deprecated CipherSpecs that you are able to use with IBM® MQ if necessary.
For information about enabling deprecated CipherSpecs, see Enabling deprecated CipherSpecs on IBM MQ for Multiplatforms or Enabling deprecated CipherSpecs on z/OS.
Deprecated CipherSpecs that you can use with IBM MQ TLS support are listed in the following table.
| Platform support (note 1) | CipherSpec name | Hex code | Protocol used | Data integrity | Encryption algorithm (encryption bits) | FIPS (note 2) | Suite B | Update when deprecated |
|---|---|---|---|---|---|---|---|---|
| CipherSpecs for SSL 3.0 | | | | | | | | |
| | AES_SHA_US (note 3) | 002F | SSL 3.0 | SHA-1 | AES (128) | No | No | 9.0.0.0 |
| All | DES_SHA_EXPORT (notes 3, 4, 5) | 0009 | SSL 3.0 | SHA-1 | DES (56) | No | No | 9.0.0.0 |
| | DES_SHA_EXPORT1024 (notes 3, 6) | 0062 | SSL 3.0 | SHA-1 | DES (56) | No | No | 9.0.0.0 |
| | FIPS_WITH_DES_CBC_SHA (note 3) | FEFE | SSL 3.0 | SHA-1 | DES (56) | No (note 7) | No | 9.0.0.0 |
| | FIPS_WITH_3DES_EDE_CBC_SHA (note 3) | FEFF | SSL 3.0 | SHA-1 | 3DES (168) | No (note 8) | No | 9.0.0.1 and 9.0.1 |
| All | NULL_MD5 (note 3) | 0001 | SSL 3.0 | MD5 | None | No | No | 9.0.0.1 |
| All | NULL_SHA (note 3) | 0002 | SSL 3.0 | SHA-1 | None | No | No | 9.0.0.1 |
| All | RC2_MD5_EXPORT (notes 3, 4, 5) | 0006 | SSL 3.0 | MD5 | RC2 (40) | No | No | 9.0.0.0 |
| All | RC4_MD5_EXPORT (notes 4, 3) | 0003 | SSL 3.0 | MD5 | RC4 (40) | No | No | 9.0.0.0 |
| All | RC4_MD5_US (note 3) | 0004 | SSL 3.0 | MD5 | RC4 (128) | No | No | 9.0.0.0 |
| All | RC4_SHA_US (notes 3, 5) | 0005 | SSL 3.0 | SHA-1 | RC4 (128) | No | No | 9.0.0.0 |
| | RC4_56_SHA_EXPORT1024 (notes 3, 6) | 0064 | SSL 3.0 | SHA-1 | RC4 (56) | No | No | 9.0.0.0 |
| All | TRIPLE_DES_SHA_US (notes 3, 5) | 000A | SSL 3.0 | SHA-1 | 3DES (168) | No | No | 9.0.0.1 and 9.0.1 |
| CipherSpecs for TLS 1.0 | | | | | | | | |
| | TLS_RSA_EXPORT_WITH_RC2_40_MD5 (note 3) | 0006 | TLS 1.0 | MD5 | RC2 (40) | No | No | 9.0.0.0 |
| | TLS_RSA_EXPORT_WITH_RC4_40_MD5 (notes 3, 4) | 0003 | TLS 1.0 | MD5 | RC4 (40) | No | No | 9.0.0.0 |
| All | TLS_RSA_WITH_DES_CBC_SHA (note 3) | 0009 | TLS 1.0 | SHA-1 | DES (56) | No (note 9) | No | 9.0.0.0 |
| | TLS_RSA_WITH_NULL_MD5 (note 3) | 0001 | TLS 1.0 | MD5 | None | No | No | 9.0.0.1 |
| | TLS_RSA_WITH_NULL_SHA (note 3) | 0002 | TLS 1.0 | SHA-1 | None | No | No | 9.0.0.1 |
| | TLS_RSA_WITH_RC4_128_MD5 (note 3) | 0004 | TLS 1.0 | MD5 | RC4 (128) | No | No | 9.0.0.0 |
| | TLS_RSA_WITH_AES_128_CBC_SHA (note 10) | 002F | TLS 1.0 | SHA-1 | AES (128) | Yes | No | 9.0.5 |
| | TLS_RSA_WITH_AES_256_CBC_SHA (notes 6, 10) | 0035 | TLS 1.0 | SHA-1 | AES (256) | Yes | No | 9.0.5 |
| All | TLS_RSA_WITH_3DES_EDE_CBC_SHA | 000A | TLS 1.0 | SHA-1 | 3DES (168) | Yes | No | 9.0.0.1 and 9.0.1 |
| CipherSpecs for TLS 1.2 | | | | | | | | |
| | ECDHE_ECDSA_NULL_SHA256 (note 3) | C006 | TLS 1.2 | SHA-1 | None | No | No | 9.0.0.1 |
| | ECDHE_ECDSA_RC4_128_SHA256 (note 3) | C007 | TLS 1.2 | SHA-1 | RC4 (128) | No | No | 9.0.0.0 |
| | ECDHE_RSA_NULL_SHA256 (note 3) | C010 | TLS 1.2 | SHA-1 | None | No | No | 9.0.0.1 |
| | ECDHE_RSA_RC4_128_SHA256 (note 3) | C011 | TLS 1.2 | SHA-1 | RC4 (128) | No | No | 9.0.0.0 |
| | TLS_RSA_WITH_NULL_NULL (note 3) | 0000 | TLS 1.2 | None | None | No | No | 9.0.0.1 |
| All | TLS_RSA_WITH_NULL_SHA256 (note 3) | 003B | TLS 1.2 | SHA-256 | None | No | No | 9.0.0.1 |
| | TLS_RSA_WITH_RC4_128_SHA256 (note 3) | 0005 | TLS 1.2 | SHA-1 | RC4 (128) | No | No | 9.0.0.0 |
| | ECDHE_ECDSA_3DES_EDE_CBC_SHA256 | C0008 | TLS 1.2 | SHA-1 | 3DES (168) | Yes | No | 9.0.0.1 and 9.0.1 |
| | ECDHE_RSA_3DES_EDE_CBC_SHA256 | C012 | TLS 1.2 | SHA-1 | 3DES (168) | Yes | No | 9.0.0.1 and 9.0.1 |
Notes:
![[UNIX, Linux, Windows, IBM i]](ngmulti.gif)
Enabling deprecated CipherSpecs on IBM MQ for Multiplatforms
By default, you are not allowed to specify a deprecated CipherSpec on a channel definition. If you attempt to specify a deprecated CipherSpec on IBM MQ for Multiplatforms, you receive message AMQ8242: SSLCIPH definition wrong, and PCF returns MQRCCF_SSL_CIPHER_SPEC_ERROR.
You cannot start a channel with a deprecated CipherSpec. If you attempt to do so, the system returns MQCC_FAILED (2), together with a Reason of MQRC_SSL_INITIALIZATION_ERROR (2393) to the client.
You can re-enable one or more of the deprecated CipherSpecs for defining channels, at runtime on the server, by setting the environment variable AMQ_SSL_WEAK_CIPHER_ENABLE. The variable accepts:
- A single CipherSpec name, or
- A comma-separated list of CipherSpec names to re-enable, or
- The special value of ALL, representing all CipherSpecs.

For example:
```
export AMQ_SSL_WEAK_CIPHER_ENABLE=ECDHE_RSA_RC4_128_SHA256
```
Alternatively, change the SSL stanza in the qm.ini file by setting:
```
SSL:
   AllowTLSV1=Y
   AllowWeakCipherSpec=ECDHE_RSA_RC4_128_SHA256
```
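A check a defender can run for the two override mechanisms above, as an added example that is not IBM's code: it reads the SSL stanza of a qm.ini file and the AMQ_SSL_WEAK_CIPHER_ENABLE value and reports which deprecated CipherSpecs have been re-enabled. The function names, the sample qm.ini and the lookup table (a subset of this page's table) are constructed for illustration, and the code assumes AllowWeakCipherSpec takes the same name, list or ALL syntax as the environment variable.

```python
import re

# Subset of this page's table: CipherSpec name -> (protocol, encryption).
DEPRECATED = {
    "ECDHE_RSA_RC4_128_SHA256": ("TLS 1.2", "RC4 (128)"),
    "TLS_RSA_WITH_NULL_SHA256": ("TLS 1.2", "None"),
    "RC4_MD5_EXPORT": ("SSL 3.0", "RC4 (40)"),
}

def ssl_stanza(qm_ini_text):
    """Return the key/value pairs found in the SSL: stanza of a qm.ini file."""
    stanza, values = None, {}
    for raw in qm_ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment line
            continue
        if re.fullmatch(r"\w+:", line):      # stanza header such as "SSL:"
            stanza = line[:-1].upper()
        elif stanza == "SSL" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    return values

def audit(qm_ini_text, env):
    """List findings for weak-CipherSpec overrides from both mechanisms."""
    ssl = ssl_stanza(qm_ini_text)
    findings = []
    if ssl.get("AllowTLSV1", "").upper() == "Y":
        findings.append("qm.ini: AllowTLSV1=Y")
    # Assumption: the qm.ini value uses the env variable's name/list/ALL syntax.
    sources = [("qm.ini AllowWeakCipherSpec", ssl.get("AllowWeakCipherSpec", "")),
               ("env AMQ_SSL_WEAK_CIPHER_ENABLE", env.get("AMQ_SSL_WEAK_CIPHER_ENABLE", ""))]
    for source, value in sources:
        for name in filter(None, (n.strip() for n in value.split(","))):
            if name.upper() == "ALL":
                findings.append(f"{source}: ALL deprecated CipherSpecs re-enabled")
            else:
                proto, enc = DEPRECATED.get(name, ("not in subset", "?"))
                findings.append(f"{source}: {name} [{proto}, {enc}]")
    return findings

# Constructed sample input, not taken from a real queue manager.
SAMPLE_QM_INI = """\
Log:
   LogType=CIRCULAR
SSL:
   AllowTLSV1=Y
   AllowWeakCipherSpec=ECDHE_RSA_RC4_128_SHA256
"""
```

Call `audit(SAMPLE_QM_INI, dict(os.environ))` from the account that starts the queue manager, since the environment variable only matters in that process's environment.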
![[z/OS]](ngzos.gif)
Enabling deprecated CipherSpecs on z/OS
By default, you are not allowed to specify a deprecated CipherSpec on a channel definition. If you attempt to specify a deprecated CipherSpec on z/OS, you receive message CSQM102E, message CSQX616E, or CSQX674E.
- If you want to re-enable the use of weak CipherSpecs, you do so by adding a dummy data definition (DD) statement named CSQXWEAK to the channel initiator JCL. If specified on its own, this only enables weak CipherSpecs associated with the TLS 1.2 protocol; for example:
  ```
  //CSQXWEAK DD DUMMY
  ```
  Note: Not all deprecated CipherSpecs require the use of this DD statement; see note 10 in the preceding table.
- If you want to re-enable the use of SSLv3 CipherSpecs, you do so by also adding a dummy DD statement named CSQXSSL3 to the channel initiator JCL. All SSLv3 CipherSpecs are considered Weak, so you must also specify CSQXWEAK:
  ```
  //CSQXSSL3 DD DUMMY
  ```
- If you want to re-enable the deprecated TLS V1 CipherSpecs, you do so by adding a dummy DD statement named TLS10ON (turn TLS V1.0 ON) to the channel initiator JCL. If specified on its own, this enables Strong CipherSpecs associated with the TLS 1.0 protocol:
  ```
  //TLS10ON DD DUMMY
  ```
  If specified with CSQXWEAK, this also enables Weak CipherSpecs associated with TLS 1.0.
- If you want to explicitly turn off the deprecated TLS V1 CipherSpecs, you do so by adding a dummy DD statement named TLS10OFF (turn TLS V1.0 OFF) to the channel initiator JCL; for example:
  ```
  //TLS10OFF DD DUMMY
  ```
JCL: //GSKDCIPS DD DUMMY
![[MQ 9.2.0 Jul 2020]](ng920.gif)
![[MQ 9.2.0 Jul 2020]](ng920cd.gif)
There are alternative mechanisms that can be used to forcibly re-enable weak CipherSpecs, and SSLv3 support, if the Data Definition change is unsuitable. Contact IBM Service for further information.
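The way the CSQXWEAK, CSQXSSL3, TLS10ON and TLS10OFF DD statements described above combine, as an added example that is not IBM's code: it scans channel initiator JCL text and reports which groups of deprecated CipherSpecs the statements re-enable under this page's rules. The function names and the JCL fragment are constructed; the page does not say what happens when TLS10ON and TLS10OFF are both present, so that case is only flagged.

```python
import re

OVERRIDE_DDS = ("CSQXWEAK", "CSQXSSL3", "TLS10ON", "TLS10OFF")

def override_dds(jcl_text):
    """Return the override DD DUMMY statement names present in the JCL."""
    found = set()
    for line in jcl_text.splitlines():
        if line.startswith("//*"):  # JCL comment statement, not active
            continue
        match = re.match(r"//(\S+)\s+DD\s+DUMMY\b", line)
        if match and match.group(1) in OVERRIDE_DDS:
            found.add(match.group(1))
    return found

def evaluate(jcl_text):
    """Apply this page's rules; returns (re-enabled groups, warnings)."""
    dds = override_dds(jcl_text)
    weak = "CSQXWEAK" in dds
    enabled, warnings = [], []
    if weak:
        enabled.append("weak TLS 1.2")
    if "CSQXSSL3" in dds:
        if weak:
            enabled.append("SSLv3")
        else:
            warnings.append("CSQXSSL3 needs CSQXWEAK as well")
    if {"TLS10ON", "TLS10OFF"} <= dds:
        # The page does not define precedence, so only flag the conflict.
        warnings.append("TLS10ON and TLS10OFF both present")
    elif "TLS10ON" in dds:
        enabled.append("strong TLS 1.0")
        if weak:
            enabled.append("weak TLS 1.0")
    return enabled, warnings

# Constructed JCL fragment, not from a real channel initiator procedure.
SAMPLE_JCL = """\
//* //TLS10OFF DD DUMMY
//CSQXWEAK DD DUMMY
//CSQXSSL3 DD DUMMY
//TLS10ON  DD DUMMY
"""
```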