SSL and TLS support for the managed .NET client

The managed .NET client uses the Microsoft.NET Framework libraries to implement SSL and TLS secure socket protocols. The Microsoft System.Net.SecuritySslStream class operates as a stream over connected TCP sockets and sends and receives data over that socket connection.

The minimum required .NET Framework level is .NET Framework v3.5. The level of Cipher Algorithm support is based on the .NET Framework level that the application is using.
  • For applications that are based on .NET Framework level 3.5 and v4.0, the available secure socket protocols are SSLv3.0 and TSL v1.0.
  • For applications that are based on .NET Framework level4.5, the available secure socket protocols are SSLv3.0, TLS v1.1 and TLSv1.2.
You might need to move applications that expect higher SSL protocol support to a later version of the framework as defined for Microsoft Security support in the .NET Framework.

The main features of SSL and TLS support for the managed .NET client are as follows:

SSL protocol support
SSL support for the .NET managed client is defined through the .NET SSLStream class, and depends on the .NET Framework that the application is using. For more information see SSL protocol support for the managed .NET client.
CipherSpec support
The SSL settings for the .NET managed client are as for the Microsoft.NET SSL steams. For more information see CipherSpec support for the managed .NET client and CipherSpec mappings for the managed .NET client.
Key repositories
The key repository on the client side is a Windows key store. The server side repository is a Cryptographic Message Syntax (CMS) type of repository. For more information see Key repositories for the managed .NET client.
You can use self-signed SSL or TLS certificates to implement mutual authentication between a client and a queue manager. For more information see Using certificates for the managed .NET client.
In .NET, applications can use the optional SSLPEERNAME attribute to specify a Distinguished Name (DN) pattern. For more information see SSLPEERNAME.
FIPS compliance
Enabling FIPS programmatically is not supported by the Microsoft.NET Security library. FIPS enablement is controlled by the Windows Group Policy setting.
NSA Suite B compliance
IBM MQ implements RFC 6460. The Microsoft.NET implementation for NSA suite B is 5430. This is supported from .NET Framework 3.5 onwards.
Secret key reset or renegotiation
Although the SSLStream class does not support secret key resetting or renegotiation, for consistency with other IBM MQ clients, the .NET managed client allows applications to set SSLKeyResetCount. For more information see Secret key reset or renegotiation.
Revocation check
The SSLStream class supports certificate revocation checking, which is automatically done by the certificate chaining engine. For more information see Revocation check.
IBM MQ security exit support
The SSLStream class provides limited support for IBM MQ security exits. Querying local and remote certificates to get SSLPeerNamePtr(Subject DN) and SSLRemCertIssNamePtr (Issuer DN) is possible since this is supported in Microsoft.NET. However, there is no support for getting attributes like DNQ, UNSTRUCTUREDNAME and UNSTRUCTUREDADDRESS, so these values cannot be retrieved using the exits.
Cryptographic hardware support
Cryptographic hardware is not supported for the managed .NET client.