TLS support for the managed .NET client

The managed .NET client uses the Microsoft .NET Framework libraries to implement TLS secure socket protocols. The Microsoft System.Net.SecuritySslStream class operates as a stream over connected TCP sockets and sends and receives data over that socket connection.

The minimum required .NET Framework level is .NET Framework v3.5. The level of Cipher Algorithm support is based on the .NET Framework level that the application is using:
  • For applications that are based on .NET Framework levels 3.5 and 4.0, the available secure socket protocols are SSL 3.0 and TSL 1.0.
  • For applications that are based on .NET Framework level 4.5, the available secure socket protocols are SSL 3.0, TLS 1.1 and TLS 1.2.
You might need to move applications that expect higher TLS protocol support to a later version of the framework as defined for Microsoft Security support in the .NET Framework.

The main features of TLS support for the managed .NET client are as follows:

TLS protocol support
TLS support for the .NET managed client is defined through the .NET SSLStream class, and depends on the .NET Framework that the application is using. For more information see TLS protocol support for the managed .NET client.
CipherSpec support
The TLS settings for the .NET managed client are as for the Microsoft.NET TLS steams. For more information see CipherSpec support for the managed .NET client and CipherSpec mappings for the managed .NET client.
Key repositories
The key repository on the client side is a Windows keystore. The server side repository is a Cryptographic Message Syntax (CMS) type of repository. For more information see Key repositories for the managed .NET client.
Certificates
You can use self-signed TLS certificates to implement mutual authentication between a client and a queue manager. For more information see Using certificates for the managed .NET client.
SSLPEERNAME
In .NET, applications can use the optional SSLPEERNAME attribute to specify a Distinguished Name (DN) pattern. For more information see SSLPEERNAME.
FIPS compliance
Enabling FIPS programmatically is not supported by the Microsoft.NET Security library. FIPS enablement is controlled by the Windows Group Policy setting.
NSA Suite B compliance
IBM MQ implements RFC 6460. The Microsoft.NET implementation for NSA suite B is 5430. This is supported from .NET Framework 3.5 onwards.
Secret key reset or renegotiation
Although the SSLStream class does not support secret key resetting or renegotiation, for consistency with other IBM MQ clients, the .NET managed client allows applications to set SSLKeyResetCount. For more information see Secret key reset or renegotiation for the managed .NET client.
Revocation check
The SSLStream class supports certificate revocation checking, which is automatically done by the certificate chaining engine. For more information see Revocation check.
IBM MQ security exit support
The SSLStream class provides limited support for IBM MQ security exits. Querying local and remote certificates to get SSLPeerNamePtr(Subject DN) and SSLRemCertIssNamePtr (Issuer DN) is possible since this is supported in Microsoft.NET. However, there is no support for getting attributes like DNQ, UNSTRUCTUREDNAME and UNSTRUCTUREDADDRESS, so these values cannot be retrieved using the exits.
Cryptographic hardware support
Cryptographic hardware is not supported for the managed .NET client.
[MQ 9.3.2 Feb 2023]

Support for TLS1.3 on managed IBM MQ .NET and XMS .NET clients

From IBM MQ 9.3.2, IBM MQ .NET and XMS .NET clients support TLS1.3 provided that the operating system supports TLS1.3.

The managed .NET client uses the Microsoft .NET Framework libraries to implement TLS secure socket protocols. The Microsoft System.Net.SecuritySslStream class operates as a stream over connected TCP sockets and sends and receives data over that socket connection.

On Windows, .NET uses SCHANNEL, and on Linux® .NET uses OpenSSL for SSL Communication.

[Windows]For IBM MQ .NET client applications running on Windows

Microsoft had announced that Windows 11 and Windows Server 2022 support TSL1.3 ciphers by default.

TLS_AES_128_GCM_SHA256 and TLS_AES_256_GCM_SHA384 cipher suites are enabled by default on both versions of Windows.
Attention:
  • TLS_CHACHA20_POLY1305_SHA256 Cipher Suite is not enabled by default but is supported.
  • For an IBM MQ .NET client with TLS1.3 enabled, to connect to a queue manager successfully, IBM Global Security Kit (GSKit) version 8.0.55.29 is the minimum version that is the required at the queue manager side.

[Linux]For IBM MQ .NET client applications running on Linux

As .NET uses OpenSSL on Linux for SSL Communication, to use TLS1.3, OpenSSL v1.1.1 is the minimum requirement.

Additionally, as .NET uses OpenSSL on Linux, all the ciphers supported by OpenSSL should work for .NET as well.

OpenSSL supports the following CipherSpecs for TLS1.3:
  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_AES_128_GCM_SHA256
  • TLS_AES_128_CCM_8_SHA256
  • TLS_AES_128_CCM_SHA256