Deprecated CipherSpecs

A list of deprecated CipherSpecs that you are able to use with IBM® MQ if necessary.

Note: On UNIX, Linux®, and Windows, IBM MQ provides FIPS 140-2 compliance through the IBM Crypto for C cryptographic module. The certificate for this module has been moved to the Historical status. Customers should view the IBM Crypto for C certificate and be aware of any advice provided by NIST. A replacement FIPS 140-3 module is currently in progress and its status can be viewed by searching for it in the NIST CMVP modules in process list.

For information about enabling the deprecated CipherSpecs, see Enabling deprecated CipherSpecs on Multiplatforms or Enabling deprecated CipherSpecs on z/OS.

Deprecated CipherSpecs that you can use with IBM MQ TLS support are listed in the following table.

Table 1. Deprecated CipherSpecs you can re-enable for use with IBM MQ
Platform support 1 CipherSpec name Hex code Protocol used Data integrity Encryption algorithm (encryption bits) FIPS 2 Suite B Update when deprecated
CipherSpecs for SSL 3.0

[IBM i]

AES_SHA_US 3 002F SSL 3.0 SHA-1 AES (128) No No 9.0.0.0
All DES_SHA_EXPORT 3 4 5 0009 SSL 3.0 SHA-1 DES (56) No No 9.0.0.0

[UNIX, Linux, Windows]

DES_SHA_EXPORT1024 3 6 0062 SSL 3.0 SHA-1 DES (56) No No 9.0.0.0

[UNIX, Linux, Windows]

FIPS_WITH_DES_CBC_SHA 3 FEFE SSL 3.0 SHA-1 DES (56) No7 No 9.0.0.0

[UNIX, Linux, Windows]

FIPS_WITH_3DES_EDE_CBC_SHA 3 FEFF SSL 3.0 SHA-1 3DES (168) No8 No 9.0.0.1 and 9.0.1
All NULL_MD5 3 0001 SSL 3.0 MD5 None No No 9.0.0.1
All NULL_SHA 3 0002 SSL 3.0 SHA-1 None No No 9.0.0.1
All RC2_MD5_EXPORT 3 4 5 0006 SSL 3.0 MD5 RC2 (40) No No 9.0.0.0
All RC4_MD5_EXPORT 4 3 0003 SSL 3.0 MD5 RC4 (40) No No 9.0.0.0
All RC4_MD5_US 3 0004 SSL 3.0 MD5 RC4 (128) No No 9.0.0.0
All RC4_SHA_US 3 5 0005 SSL 3.0 SHA-1 RC4 (128) No No 9.0.0.0

[UNIX, Linux, Windows]

RC4_56_SHA_EXPORT1024 3 6 0064 SSL 3.0 SHA-1 RC4 (56) No No 9.0.0.0
All TRIPLE_DES_SHA_US 3 5 000A SSL 3.0 SHA-1 3DES (168) No No 9.0.0.1 and 9.0.1
CipherSpecs for TLS 1.0

[IBM i]

TLS_RSA_EXPORT_WITH_RC2_40_MD5 3 0006 TLS 1.0 MD5 RC2 (40) No No 9.0.0.0

[IBM i]

TLS_RSA_EXPORT_WITH_RC4_40_MD53 4 0003 TLS 1.0 MD5 RC4 (40) No No 9.0.0.0
All TLS_RSA_WITH_DES_CBC_SHA 3 0009 TLS 1.0 SHA-1 DES (56) No9 No 9.0.0.0

[IBM i]

TLS_RSA_WITH_NULL_MD5 3 0001 TLS 1.0 MD5 None No No 9.0.0.1

[IBM i]

TLS_RSA_WITH_NULL_SHA 3 0002 TLS 1.0 SHA-1 None No No 9.0.0.1

[IBM i]

TLS_RSA_WITH_RC4_128_MD5 3 0004 TLS 1.0 MD5 RC4 (128) No No 9.0.0.0

[UNIX, Linux, Windows][z/OS]

TLS_RSA_WITH_AES_128_CBC_SHA 10 002F TLS 1.0 SHA-1 AES (128) Yes No 9.0.5

[UNIX, Linux, Windows][z/OS]

TLS_RSA_WITH_AES_256_CBC_SHA 6 10 0035 TLS 1.0 SHA-1 AES (256) Yes No 9.0.5
All TLS_RSA_WITH_3DES_EDE_CBC_SHA 000A TLS 1.0 SHA-1 3DES (168) Yes No 9.0.0.1 and 9.0.1
CipherSpecs for TLS 1.2

[UNIX, Linux, Windows]

ECDHE_ECDSA_NULL_SHA256 3 C006 TLS 1.2 SHA-1 None No No 9.0.0.1

[UNIX, Linux, Windows]

ECDHE_ECDSA_RC4_128_SHA256 3 C007 TLS 1.2 SHA-1 RC4 (128) No No 9.0.0.0

[UNIX, Linux, Windows][IBM i]

ECDHE_RSA_NULL_SHA256 3 C010 TLS 1.2 SHA-1 None No No 9.0.0.1

[UNIX, Linux, Windows][IBM i]

ECDHE_RSA_RC4_128_SHA256 3 C011 TLS 1.2 SHA-1 RC4 (128) No No 9.0.0.0

[UNIX, Linux, Windows]

TLS_RSA_WITH_NULL_NULL 3 0000 TLS 1.2 None None No No 9.0.0.1
All TLS_RSA_WITH_NULL_SHA256 3 003B TLS 1.2 SHA-256 None No No 9.0.0.1

[UNIX, Linux, Windows]

TLS_RSA_WITH_RC4_128_SHA256 3 0005 TLS 1.2 SHA-1 RC4 (128) No No 9.0.0.0

[UNIX, Linux, Windows]

ECDHE_ECDSA_3DES_EDE_CBC_SHA256 C0008 TLS 1.2 SHA-1 3DES (168) Yes No 9.0.0.1 and 9.0.1

[UNIX, Linux, Windows][IBM i]

ECDHE_RSA_3DES_EDE_CBC_SHA256 C012 TLS 1.2 SHA-1 3DES (168) Yes No 9.0.0.1 and 9.0.1
Notes:
  1. For a list of platforms covered by each platform icon, see Release and platform icons in the product documentation.
  2. Specifies whether the CipherSpec is FIPS-certified on a FIPS-certified platform. See Federal Information Processing Standards (FIPS) for an explanation of FIPS.
  3. [UNIX, Linux, Windows]These CipherSpecs are disabled when TLS 1.3 is enabled (through the AllowTLSV13 property in the qm.ini).

    [z/OS]Queue managers created at IBM MQ for z/OS® 9.2.0 or later enable TLS 1.3 by default, which disables these CipherSpecs. You can enable these CipherSpecs, if required, by turning off TLS V1.3. This is done by adding AllowTLSV13=FALSE to the TransportSecurity stanza of the QMINI data set in the queue manager JCL. Queue managers migrated to IBM MQ for z/OS 9.2.0 from an earlier version don't have TLS 1.3 enabled by default, and therefore have these CipherSpecs enabled.

  4. The maximum handshake key size is 512 bits. If either of the certificates exchanged during the SSL handshake has a key size greater than 512 bits, a temporary 512-bit key is generated for use during the handshake.
  5. These CipherSpecs are no longer supported by IBM MQ classes for Java or IBM MQ classes for JMS. For more information, see SSL/TLS CipherSpecs and CipherSuites in IBM MQ classes for Java or SSL/TLS CipherSpecs and CipherSuites in IBM MQ classes for JMS.
  6. The handshake key size is 1024 bits.
  7. This CipherSpec was FIPS 140-2 certified before 19 May 2007. The name FIPS_WITH_DES_CBC_SHA is historical and reflects the fact that this CipherSpec was previously (but is no longer) FIPS-compliant. This CipherSpec is deprecated and its use is not recommended.
  8. The name FIPS_WITH_3DES_EDE_CBC_SHA is historical and reflects the fact that this CipherSpec was previously (but is no longer) FIPS-compliant. The use of this CipherSpec is deprecated.
  9. This CipherSpec was FIPS 140-2 certified before 19 May 2007.
  10. [z/OS]Re-enabling just these CipherSpecs does not require the use of the CSQXWEAK DD statement.