IT36099: JRE CipherSuites using algorithms based on DES_CBC are disabled

APAR status

• Closed as Permanent restriction.

Error description

• When an MQTT application attempted to connect to the MQXR
  service over a SSL/TLS secured socket, the connection attempt
  failed and the following error message was output from the MQXR
  service:
  
  AMQCO1008E: An SSL Handshake error occurred when a client at
  '/192.168.1.50' attempted to connect to channel 'SSL':
  javax.net.ssl.SSLHandshakeException: null cert chain
  
  
  The CipherSuite which the MQTT client was requesting to use was:
  
    SSL_RSA_FIPS_WITH_DES_CBC_SHA
  

Local fix

Problem summary

• ****************************************************************
  USERS AFFECTED:
  Users of the JRE which is embedded into the MQ installation at
  the location:
  
  AIX, Linux, Solaris, HP-UX:
  
    <MQ_INSTALLATION_ROOT>/java/jre64/jre
  
  Windows:
    <MQ_INSTALLATION_ROOT>\java\jre
  
  who are attempting to use CipherSuites which use algorithms
  based on the DES_CBC set.
  
  
  Platforms affected:
  AIX, HP-UX Itanium, Linux on Power, Linux on S390, Linux on
  x86-64, Linux on zSeries, Solaris SPARC, Solaris x86-64, Windows
  
  ****************************************************************
  PROBLEM DESCRIPTION:
  The JRE embedded into MQ v8.0.0.16 has been updated under APAR
  IT35343 to the Java versions:
  
    7.1.4.80 -  AIX, Linux (x86-32, x86-64, ppc, ppcLE, zLinux),
  Windows(32-bit, 64-bit)
    7.0.10.80 - Solaris (SPARC, x86-64)
    7.0.10.75 - HP-UX (Itanium 32-bit, 64-bit)
  
  
  The JRE embedded into MQ v9.2.0.2 has been updated under APAR
  IT35540 to the Java versions:
  
    8.0.6.25 - AIX, Linux (x86-64, ppcLE, zLinux), Solaris (SPARC,
  x86-64) Windows
  
  
  
  In these JREs, CipherSuites which use TLS algorithms which match
  "DES_CBC" have been disabled, for example the CipherSuite:
  
     SSL_RSA_FIPS_WITH_DES_CBC_SHA
  
  
  The result of this change to the JRE is that if an application
  is using this JRE, the application will no longer be able to use
  this CipherSuite, for example if connecting to the queue manager
  over a SSL/TLS secured channel.
  
  This includes user's own applications which utilise this JRE, or
  components of IBM MQ which use the JRE, such as:
  
    MQ Explorer
    MQTT service
    AMQP service
    Managed File Transfer
  

Problem conclusion

• If you understand the security risk associated with using these
  disabled CipherSuites, and want to re-enable them, then you can
  update the JRE file:
  
  
  AIX, Linux, Solaris:
    <MQ_INSTALL_ROOT>/java/jre64/jre/lib/security/java.security
  
  Windows:
    <MQ_INSTALL_ROOT>\java\jre\lib\security\java.security
  
  
  to re-enable the CipherSuites using this DES_CBC algorithm.
  
  
  The entry in this file which controls this behaviour is the
  property:
  
    jdk.tls.disabledAlgorithms
  
  
  Remove the last entry:
  
  ", DES_CBC"
  
  to permit the JRE to use this algorithm again.
  
  ---------------------------------------------------------------
  The fix is targeted for delivery in the following PTFs:
  
  Version    Maintenance Level
  v8.0       8.0.0.16
  v9.2 LTS   9.2.0.2
  
  The latest available maintenance can be obtained from
  'WebSphere MQ Recommended Fixes'
  http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
  
  If the maintenance level is not yet available information on
  its planned availability can be found in 'WebSphere MQ
  Planned Maintenance Release Dates'
  http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
  ---------------------------------------------------------------
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels