Deprecated CipherSpecs

A list of deprecated CipherSpecs that you are able to use with IBM® MQ if necessary.

Note: On UNIX, Linux®, and Windows, IBM MQ provides FIPS 140-2 compliance through the IBM Crypto for C (ICC) cryptographic module. The certificate for this module has been moved to the Historical status. Customers should view the IBM Crypto for C (ICC) certificate and be aware of any advice provided by NIST. A replacement FIPS 140-3 module is currently in progress and its status can be viewed by searching for it in the NIST CMVP modules in process list.

For information about enabling the deprecated CipherSpecs, see Enabling deprecated CipherSpecs on Multiplatforms or Enabling deprecated CipherSpecs on z/OS.

Deprecated CipherSpecs that you can use with IBM MQ TLS support are listed in the following table.

| Platform support (note 1) | CipherSpec name | Protocol used | Data integrity | Encryption algorithm | Encryption bits | FIPS (note 2) | Suite B | Update when deprecated |
|---|---|---|---|---|---|---|---|---|
| IBM i | AES_SHA_US | SSL 3.0 | SHA-1 | AES | 128 | No | No | 9.0.0.0 |
| All | DES_SHA_EXPORT (notes 3, 8) | SSL 3.0 | SHA-1 | DES | 56 | No | No | 9.0.0.0 |
| Linux, Windows, UNIX | DES_SHA_EXPORT1024 (note 4) | SSL 3.0 | SHA-1 | DES | 56 | No | No | 9.0.0.0 |
| Linux, Windows, UNIX | FIPS_WITH_DES_CBC_SHA | SSL 3.0 | SHA-1 | DES | 56 | No (note 6) | No | 9.0.0.0 |
| Linux, Windows, UNIX | FIPS_WITH_3DES_EDE_CBC_SHA | SSL 3.0 | SHA-1 | 3DES | 168 | No (note 7) | No | 9.0.0.1 and 9.0.1 |
| All | NULL_MD5 | SSL 3.0 | MD5 | None | 0 | No | No | 9.0.0.1 |
| All | NULL_SHA | SSL 3.0 | SHA-1 | None | 0 | No | No | 9.0.0.1 |
| All | RC2_MD5_EXPORT (notes 3, 8) | SSL 3.0 | MD5 | RC2 | 40 | No | No | 9.0.0.0 |
| All | RC4_MD5_EXPORT (note 3) | SSL 3.0 | MD5 | RC4 | 40 | No | No | 9.0.0.0 |
| All | RC4_MD5_US | SSL 3.0 | MD5 | RC4 | 128 | No | No | 9.0.0.0 |
| All | RC4_SHA_US (note 8) | SSL 3.0 | SHA-1 | RC4 | 128 | No | No | 9.0.0.0 |
| Linux, Windows, UNIX | RC4_56_SHA_EXPORT1024 (note 4) | SSL 3.0 | SHA-1 | RC4 | 56 | No | No | 9.0.0.0 |
| All | TRIPLE_DES_SHA_US (note 8) | SSL 3.0 | SHA-1 | 3DES | 168 | No | No | 9.0.0.1 and 9.0.1 |
| IBM i | TLS_RSA_EXPORT_WITH_RC2_40_MD5 | TLS 1.0 | MD5 | RC2 | 40 | No | No | 9.0.0.0 |
| IBM i | TLS_RSA_EXPORT_WITH_RC4_40_MD5 (note 3) | TLS 1.0 | MD5 | RC4 | 40 | No | No | 9.0.0.0 |
| All | TLS_RSA_WITH_DES_CBC_SHA | TLS 1.0 | SHA-1 | DES | 56 | No (note 5) | No | 9.0.0.0 |
| IBM i | TLS_RSA_WITH_NULL_MD5 | TLS 1.0 | MD5 | None | 0 | No | No | 9.0.0.1 |
| IBM i | TLS_RSA_WITH_NULL_SHA | TLS 1.0 | SHA-1 | None | 0 | No | No | 9.0.0.1 |
| IBM i | TLS_RSA_WITH_RC4_128_MD5 | TLS 1.0 | MD5 | RC4 | 128 | No | No | 9.0.0.0 |
| Linux, Windows, UNIX | ECDHE_ECDSA_NULL_SHA256 | TLS 1.2 | SHA-1 | None | 0 | No | No | 9.0.0.1 |
| Linux, Windows, UNIX | ECDHE_ECDSA_RC4_128_SHA256 | TLS 1.2 | SHA-1 | RC4 | 128 | No | No | 9.0.0.0 |
| Linux, IBM i, Windows, UNIX | ECDHE_RSA_NULL_SHA256 | TLS 1.2 | SHA-1 | None | 0 | No | No | 9.0.0.1 |
| Linux, IBM i, Windows, UNIX | ECDHE_RSA_RC4_128_SHA256 | TLS 1.2 | SHA-1 | RC4 | 128 | No | No | 9.0.0.0 |
| Linux, Windows, UNIX | TLS_RSA_WITH_NULL_NULL | TLS 1.2 | None | None | 0 | No | No | 9.0.0.1 |
| All | TLS_RSA_WITH_NULL_SHA256 | TLS 1.2 | SHA-256 | None | 0 | No | No | 9.0.0.1 |
| Linux, Windows, UNIX | TLS_RSA_WITH_RC4_128_SHA256 | TLS 1.2 | SHA-1 | RC4 | 128 | No | No | 9.0.0.0 |
| All | TLS_RSA_WITH_3DES_EDE_CBC_SHA (note 9) | TLS 1.0 | SHA-1 | 3DES | 168 | Yes | No | 9.0.0.1 and 9.0.1 |
| Linux, Windows, UNIX | ECDHE_ECDSA_3DES_EDE_CBC_SHA256 (note 9) | TLS 1.2 | SHA-1 | 3DES | 168 | Yes | No | 9.0.0.1 and 9.0.1 |
| Linux, IBM i, Windows, UNIX | ECDHE_RSA_3DES_EDE_CBC_SHA256 (note 9) | TLS 1.2 | SHA-1 | 3DES | 168 | Yes | No | 9.0.0.1 and 9.0.1 |

Notes:
  1. If no specific platform is noted, the CipherSpec is available on all platforms.
  2. Specifies whether the CipherSpec is FIPS-certified on a FIPS-certified platform. See Federal Information Processing Standards (FIPS) for an explanation of FIPS.
  3. The maximum handshake key size is 512 bits. If either of the certificates exchanged during the SSL handshake has a key size greater than 512 bits, a temporary 512-bit key is generated for use during the handshake.
  4. The handshake key size is 1024 bits.
  5. This CipherSpec was FIPS 140-2 certified before 19 May 2007.
  6. This CipherSpec was FIPS 140-2 certified before 19 May 2007. The name FIPS_WITH_DES_CBC_SHA is historical and reflects the fact that this CipherSpec was previously (but is no longer) FIPS-compliant. This CipherSpec is deprecated and its use is not recommended.
  7. The name FIPS_WITH_3DES_EDE_CBC_SHA is historical and reflects the fact that this CipherSpec was previously (but is no longer) FIPS-compliant. The use of this CipherSpec is deprecated.
  8. These CipherSpecs are no longer supported by IBM MQ classes for Java or IBM MQ classes for JMS. For more information, see SSL/TLS CipherSpecs and CipherSuites in IBM MQ classes for Java or SSL/TLS CipherSpecs and CipherSuites in IBM MQ classes for JMS.
  9. This CipherSpec can be used to transfer up to 32 GB of data before the connection is terminated with error AMQ9288. To avoid this error, either avoid using triple DES, or enable secret key reset when using this CipherSpec.
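
One way to audit channel definitions against the table above, as an added example that is not IBM's code: it parses `DISPLAY CHANNEL(*) SSLCIPH` output from runmqsc and reports every channel whose SSLCIPH is a deprecated CipherSpec, flagging the note 9 data limit where it applies. The sample output, its channel names and its layout are constructed assumptions, and TLS_RSA_WITH_AES_256_GCM_SHA384 stands in for a CipherSpec that is not in the table.

```python
import re

# Rows from the table above as name/encryption/bits; a trailing * marks note 9.
ROWS = """
AES_SHA_US/AES/128 DES_SHA_EXPORT/DES/56 DES_SHA_EXPORT1024/DES/56
FIPS_WITH_DES_CBC_SHA/DES/56 FIPS_WITH_3DES_EDE_CBC_SHA/3DES/168 NULL_MD5/None/0
NULL_SHA/None/0 RC2_MD5_EXPORT/RC2/40 RC4_MD5_EXPORT/RC4/40 RC4_MD5_US/RC4/128
RC4_SHA_US/RC4/128 RC4_56_SHA_EXPORT1024/RC4/56 TRIPLE_DES_SHA_US/3DES/168
TLS_RSA_EXPORT_WITH_RC2_40_MD5/RC2/40 TLS_RSA_EXPORT_WITH_RC4_40_MD5/RC4/40
TLS_RSA_WITH_DES_CBC_SHA/DES/56 TLS_RSA_WITH_NULL_MD5/None/0 TLS_RSA_WITH_NULL_SHA/None/0
TLS_RSA_WITH_RC4_128_MD5/RC4/128 ECDHE_ECDSA_NULL_SHA256/None/0
ECDHE_ECDSA_RC4_128_SHA256/RC4/128 ECDHE_RSA_NULL_SHA256/None/0
ECDHE_RSA_RC4_128_SHA256/RC4/128 TLS_RSA_WITH_NULL_NULL/None/0
TLS_RSA_WITH_NULL_SHA256/None/0 TLS_RSA_WITH_RC4_128_SHA256/RC4/128
TLS_RSA_WITH_3DES_EDE_CBC_SHA/3DES/168* ECDHE_ECDSA_3DES_EDE_CBC_SHA256/3DES/168*
ECDHE_RSA_3DES_EDE_CBC_SHA256/3DES/168*
"""
# name -> (encryption algorithm, encryption bits, note 9 applies)
DEPRECATED = {n: (e, int(b.rstrip("*")), b.endswith("*"))
              for n, e, b in (t.split("/") for t in ROWS.split())}

# Constructed sample of runmqsc `DISPLAY CHANNEL(*) SSLCIPH` output (layout assumed).
SAMPLE = """\
AMQ8414I: Display Channel details.
   CHANNEL(APP1.SVRCONN)                   CHLTYPE(SVRCONN)
   SSLCIPH(TLS_RSA_WITH_NULL_SHA256)
AMQ8414I: Display Channel details.
   CHANNEL(TO.PARTNER)                     CHLTYPE(SDR)
   SSLCIPH(TLS_RSA_WITH_3DES_EDE_CBC_SHA)
AMQ8414I: Display Channel details.
   CHANNEL(APP2.SVRCONN)                   CHLTYPE(SVRCONN)
   SSLCIPH(TLS_RSA_WITH_AES_256_GCM_SHA384)
"""

def audit(text):
    """Return (channel, cipherspec, finding) for each channel using a deprecated CipherSpec."""
    findings = []
    for stanza in re.split(r"^AMQ\d+\w?:", text, flags=re.M):  # one stanza per channel
        chan = re.search(r"\bCHANNEL\(([^)]+)\)", stanza)
        spec = re.search(r"\bSSLCIPH\(\s*([^)\s]*)\s*\)", stanza)  # blank means no TLS
        if not (chan and spec) or spec.group(1) not in DEPRECATED:
            continue
        enc, bits, note9 = DEPRECATED[spec.group(1)]
        why = "no encryption" if bits == 0 else f"{enc}, {bits} bits"
        if note9:
            why += "; AMQ9288 after 32 GB unless secret key reset is enabled"
        findings.append((chan.group(1), spec.group(1), why))
    return findings
```

Calling `audit(SAMPLE)` reports APP1.SVRCONN and TO.PARTNER and skips APP2.SVRCONN.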