TLS protocol support for the managed .NET client

IBM® MQ.NET TLS support is based on the .NET SSLStream class.

Note: TLS protocol support for the managed .NET client depends on the .NET Framework level that the application is using. For more information, see Enabling TLS support for the managed .NET client.

For the Microsoft.NET SSLStream class to initialize TLS and perform a hand-shake with the queue manager, one of the required parameters that you must set is SSLProtocol, where you must specify the TLS version number, which must be one of the following values:

SSL3.0
TLS1.0
TLS1.2

Note: The SSL3.0 and TLS 1.0 protocols in IBM MQ .NET are deprecated from IBM MQ 10.0.0. Cipherspecs defined under property MQC.SSL_CIPHER_SPEC_PROPERTY or SSLCipherSpec in MQEnvironment that use SSL 3.0 or TLS 1.0 protocols should be avoided due to security vulnerabilities, and will be removed from support in the future releases. A warning message is produced in the client application error logs if either of these protocols is used and it is recommended to use TLS 1.2 protocol or higher.

The value of the SSLProtocol parameter is tightly coupled with the Protocol family to which the preferred CipherSpec belongs. When SSLStream starts an TLS handshake with the server (queue manager), it uses the TLS version specified in SSLProtocol to identify list of CipherSpecs to be used for negotiation.

IBM MQ.NET does not make any properties available for applications to use to set this value. Instead, IBM MQ uses a mapping table to internally map the CipherSpec set to the Protocol family and identifies the SSLProtocol version to be used. This table shows the mapping each of the supported CipherSpec between Microsoft.NET and IBM MQ, and the Protocol version to which they belong. For more information, see CipherSpec mappings for the managed .NET client.