CipherSpec mappings for the managed .NET client
The IBM® MQ.NET interface maintains an IBM MQ to Microsoft.NET mapping table that is used to determine the version of the TLS protocol that the managed client needs to use to establish a secure connection with a queue manager.
Note: From IBM MQ 10.0.0, using SSL 3.0 or TLS 1.0 has been deprecated and will produce a warning message in the client application error logs. Therefore it is recommended to use TLS 1.2 or higher version protocols.
If a CipherSpec is specified on the SVRCONN channel, then after the TLS handshake is complete, the queue manager tries to match that CipherSpec with the negotiated CipherSpec that the client application is using. If the queue manager cannot find a matching CipherSpec, the communication fails with error AMQ9631.
The IBM MQ.NET interface maintains an IBM MQ to Microsoft.NET CipherSpec mapping table. This table is used to determine the TLS protocol version that the client wants to use to establish a secured socket connection with the queue manager. Based on the SSLCipherSpec value, the SSLProtocol version can be TLS 1.0 or TLS 1.2, depending on which version of the Microsoft.NET Framework you are using.
Make sure that you provide the correct SSLCipherSpec value as specifying an incorrect value might result in the SSL 3.0 or the TLS 1.0 protocols being used.
| IBM MQ CipherSpec | Microsoft.NET CipherSpec | TLS protocol |
|---|---|---|
| TLS_RSA_WITH_AES_128_CBC_SHA | TLS_RSA_WITH_AES_128_CBC_SHA | TLS 1.0 |
| TLS_RSA_WITH_AES_256_CBC_SHA | TLS_RSA_WITH_AES_256_CBC_SHA | TLS 1.0 |
| TLS_RSA_WITH_3DES_EDE_CBC_SHA 1 | TLS_RSA_WITH_3DES_EDE_CBC_SHA 1 | TLS 1.0 |
| TLS_RSA_WITH_AES_128_CBC_SHA256 | TLS_RSA_WITH_AES_128_CBC_SHA256 | TLS 1.2 |
| TLS_RSA_WITH_AES_256_CBC_SHA256 | TLS_RSA_WITH_AES_256_CBC_SHA256 | TLS 1.2 |
| ECDHE_RSA_AES_128_CBC_SHA256 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256 | TLS 1.2 |
| ECDHE_RSA_AES_128_CBC_SHA256 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384 | TLS 1.2 |
| ECDHE_RSA_AES_128_CBC_SHA256 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521 | TLS 1.2 |
| ECDHE_ECDSA_AES_128_CBC_SHA256 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256 | TLS 1.2 |
| ECDHE_ECDSA_AES_128_CBC_SHA256 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384 | TLS 1.2 |
| ECDHE_ECDSA_AES_128_CBC_SHA256 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521 | TLS 1.2 |
| ECDHE_ECDSA_AES_256_CBC_SHA384 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384 | TLS 1.2 |
| ECDHE_ECDSA_AES_256_CBC_SHA384 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521 | TLS 1.2 |
| ECDHE_RSA_AES_128_GCM_SHA256 | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | TLS 1.2 |
| ECDHE_RSA_AES_256_GCM_SHA384 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | TLS 1.2 |
| ECDHE_ECDSA_AES_128_GCM_SHA256 | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256 | TLS 1.2 |
| ECDHE_ECDSA_AES_128_GCM_SHA256 | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384 | TLS 1.2 |
| ECDHE_ECDSA_AES_128_GCM_SHA256 | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521 | TLS 1.2 |
| ECDHE_ECDSA_AES_256_GCM_SHA384 | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384 | TLS 1.2 |
| ECDHE_ECDSA_AES_256_GCM_SHA384 | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521 | TLS 1.2 |
| TLS_AES_256_GCM_SHA384 | TLS_AES_256_GCM_SHA384 | TLS 1.3 |
| TLS_CHACHA20_POLY1305_SHA256 | TLS_CHACHA20_POLY1305_SHA256 | TLS 1.3 |
| TLS_AES_128_GCM_SHA256 | TLS_AES_128_GCM_SHA256 | TLS 1.3 |
| TLS_AES_128_CCM_8_SHA256 | TLS_AES_128_CCM_8_SHA256 | TLS 1.3 |
| TLS_AES_128_CCM_SHA256 | TLS_AES_128_CCM_SHA256 | TLS 1.3 |
| Alias CipherSpecs | | |
| ANY 4 | *ANY | Multiple |
| ANY_TLS13 4 | *TLS13 | TLS 1.3 |
| ANY_TLS12_OR_HIGHER 4 | *TLS12ORHIGHER | TLS 1.2 and above |
| ANY_TLS13_OR_HIGHER 4 | *TLS13ORHIGHER | TLS 1.3 and above |
1. This CipherSpec, TLS_RSA_WITH_3DES_EDE_CBC_SHA, is deprecated. However, it can still be used to transfer up to 32 GB of data before the connection is terminated with error AMQ9288. To avoid this error, you can either avoid using triple DES, or enable secret key reset when you use this CipherSpec.
2. The CipherSpec set in the application is used to determine the TLS protocol version that the managed client uses to establish a secure connection with the queue manager. However, the TLS handshake is completed by using the CipherSpec that is set at the OS level, in the Windows group policy cipher suite order, and it should match the CipherSpec set in the application as well as the one set in the queue manager. For more information, see CipherSpec support for the managed .NET client.
3. IBM MQ .NET does not decide the cipher suite order (preference). If nothing is set in Windows group policy, then a Microsoft default CipherSpec is used for the handshake. For more information, see CipherSpec order in TLS handshake.
4. To be able to use TLS 1.3 Ciphers, the Java runtime environment (JRE) running your application must support TLS 1.3.
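
The following is an added example, not IBM code: it applies the mapping table and notes above to MQSC channel definitions, flagging SSLCIPH values that map to TLS 1.0, use 3DES, use the ANY alias, or are missing from the table. The channel names and the sample script are constructed, and MQSC parsing is simplified to `*` comment lines and `+`/`-` line continuations.

```python
import re

# IBM MQ CipherSpec -> TLS protocol, transcribed from the mapping table on this page.
PROTOCOL = {
    **dict.fromkeys(("TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
                     "TLS_RSA_WITH_3DES_EDE_CBC_SHA"), "TLS 1.0"),
    **dict.fromkeys(("TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA256",
                     "ECDHE_RSA_AES_128_CBC_SHA256", "ECDHE_ECDSA_AES_128_CBC_SHA256",
                     "ECDHE_ECDSA_AES_256_CBC_SHA384", "ECDHE_RSA_AES_128_GCM_SHA256",
                     "ECDHE_RSA_AES_256_GCM_SHA384", "ECDHE_ECDSA_AES_128_GCM_SHA256",
                     "ECDHE_ECDSA_AES_256_GCM_SHA384"), "TLS 1.2"),
    **dict.fromkeys(("TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
                     "TLS_AES_128_GCM_SHA256", "TLS_AES_128_CCM_8_SHA256",
                     "TLS_AES_128_CCM_SHA256"), "TLS 1.3"),
    "ANY": "Multiple", "ANY_TLS13": "TLS 1.3",
    "ANY_TLS12_OR_HIGHER": "TLS 1.2 and above", "ANY_TLS13_OR_HIGHER": "TLS 1.3 and above"}

def classify(spec):
    """Return (protocol, findings) for one CipherSpec name; findings follow this page's notes."""
    proto = PROTOCOL.get(spec.upper())
    checks = [(proto is None, "not in the managed .NET mapping table"),
              (proto == "TLS 1.0", "maps to TLS 1.0, which is deprecated"),
              ("3DES" in spec.upper(), "3DES: AMQ9288 after 32 GB unless secret key reset is enabled"),
              (proto == "Multiple", "alias allows multiple protocol versions")]
    return proto, [msg for hit, msg in checks if hit]

def channel_specs(mqsc):
    """Yield (channel, SSLCIPH) pairs from DEFINE/ALTER CHANNEL statements."""
    text = re.sub(r"(?m)^\*.*$", "", mqsc)          # drop MQSC comment lines
    text = re.sub(r"[+-][ \t]*\n[ \t]*", "", text)  # fold '+'/'-' continuation lines
    for stmt in text.splitlines():
        chl = re.match(r"\s*(?:DEFINE|DEF|ALTER|ALT)\s+(?:CHANNEL|CHL)\(\s*'?([^')\s]+)", stmt, re.I)
        ciph = re.search(r"\bSSLCIPH\(\s*'?([^')\s]+)", stmt, re.I)
        if chl and ciph:  # channels with a blank or absent SSLCIPH are skipped
            yield chl.group(1), ciph.group(1)

def audit(mqsc):
    """Return {channel: (cipherspec, protocol, findings)} for flagged channels only."""
    results = {name: (spec, *classify(spec)) for name, spec in channel_specs(mqsc)}
    return {name: r for name, r in results.items() if r[2]}

SAMPLE = """\
* constructed sample MQSC, not taken from a real queue manager
DEFINE CHANNEL(APP1.SVRCONN) CHLTYPE(SVRCONN) +
       SSLCIPH(TLS_RSA_WITH_3DES_EDE_CBC_SHA)
DEFINE CHANNEL(APP2.SVRCONN) CHLTYPE(SVRCONN) SSLCIPH('ECDHE_RSA_AES_256_GCM_SHA384')
ALTER CHANNEL(APP3.SVRCONN) CHLTYPE(SVRCONN) SSLCIPH(ANY)
"""
print(*audit(SAMPLE).items(), sep="\n")
```

Because the queue manager matches the SVRCONN CipherSpec against the one the client negotiated, a channel flagged here also constrains every managed .NET client that connects through it.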