Deprecated CipherSpecs
A list of deprecated CipherSpecs that you are able to use with IBM® MQ if necessary.
IBM Crypto for Ccryptographic module. The certificate for this module has been moved to the Historical status. Customers should view the IBM Crypto for C certificate and be aware of any advice provided by NIST. A replacement FIPS 140-3 module is currently in progress and its status can be viewed by searching for it in the NIST CMVP modules in process list.
For information about enabling deprecated CipherSpecs, see Enabling deprecated CipherSpecs on IBM MQ for Multiplatforms or Enabling deprecated CipherSpecs on z/OS.
Deprecated CipherSpecs that you can use with IBM MQ TLS support are listed in the following table.
Platform support 1 | CipherSpec name | Hex code | Protocol used | Data integrity | Encryption algorithm (encryption bits) | FIPS 2 | Suite B | Update when deprecated |
---|---|---|---|---|---|---|---|---|
CipherSpecs for SSL 3.0 | ||||||||
AES_SHA_US
3 |
002F | SSL 3.0 | SHA-1 | AES (128) | No | No | 9.0.0.0 | |
All | DES_SHA_EXPORT
3
4
5
|
0009 | SSL 3.0 | SHA-1 | DES (56) | No | No | 9.0.0.0 |
DES_SHA_EXPORT1024
3
6
|
0062 | SSL 3.0 | SHA-1 | DES (56) | No | No | 9.0.0.0 | |
FIPS_WITH_DES_CBC_SHA
3 |
FEFE | SSL 3.0 | SHA-1 | DES (56) | No7 | No | 9.0.0.0 | |
FIPS_WITH_3DES_EDE_CBC_SHA
3 |
FEFF | SSL 3.0 | SHA-1 | 3DES (168) | No8 | No | 9.0.0.1 and 9.0.1 | |
All | NULL_MD5
3 |
0001 | SSL 3.0 | MD5 | None | No | No | 9.0.0.1 |
All | NULL_SHA
3 |
0002 | SSL 3.0 | SHA-1 | None | No | No | 9.0.0.1 |
All | RC2_MD5_EXPORT
3
4
5
|
0006 | SSL 3.0 | MD5 | RC2 (40) | No | No | 9.0.0.0 |
All | RC4_MD5_EXPORT
4
3
|
0003 | SSL 3.0 | MD5 | RC4 (40) | No | No | 9.0.0.0 |
All | RC4_MD5_US
3 |
0004 | SSL 3.0 | MD5 | RC4 (128) | No | No | 9.0.0.0 |
All | RC4_SHA_US
3
5
|
0005 | SSL 3.0 | SHA-1 | RC4 (128) | No | No | 9.0.0.0 |
RC4_56_SHA_EXPORT1024
3
6
|
0064 | SSL 3.0 | SHA-1 | RC4 (56) | No | No | 9.0.0.0 | |
All | TRIPLE_DES_SHA_US
3
5
|
000A | SSL 3.0 | SHA-1 | 3DES (168) | No | No | 9.0.0.1 and 9.0.1 |
CipherSpecs for TLS 1.0 | ||||||||
TLS_RSA_EXPORT_WITH_RC2_40_MD5
3 |
0006 | TLS 1.0 | MD5 | RC2 (40) | No | No | 9.0.0.0 | |
TLS_RSA_EXPORT_WITH_RC4_40_MD5 3
4
|
0003 | TLS 1.0 | MD5 | RC4 (40) | No | No | 9.0.0.0 | |
All | TLS_RSA_WITH_DES_CBC_SHA
3
|
0009 | TLS 1.0 | SHA-1 | DES (56) | No9 | No | 9.0.0.0 |
TLS_RSA_WITH_NULL_MD5
3 |
0001 | TLS 1.0 | MD5 | None | No | No | 9.0.0.1 | |
TLS_RSA_WITH_NULL_SHA
3 |
0002 | TLS 1.0 | SHA-1 | None | No | No | 9.0.0.1 | |
TLS_RSA_WITH_RC4_128_MD5
3
|
0004 | TLS 1.0 | MD5 | RC4 (128) | No | No | 9.0.0.0 | |
TLS_RSA_WITH_AES_128_CBC_SHA
10 |
002F | TLS 1.0 | SHA-1 | AES (128) | Yes | No | 9.0.5 | |
TLS_RSA_WITH_AES_256_CBC_SHA
6
10
|
0035 | TLS 1.0 | SHA-1 | AES (256) | Yes | No | 9.0.5 | |
All | TLS_RSA_WITH_3DES_EDE_CBC_SHA |
000A | TLS 1.0 | SHA-1 | 3DES (168) | Yes | No | 9.0.0.1 and 9.0.1 |
CipherSpecs for TLS 1.2 | ||||||||
ECDHE_ECDSA_NULL_SHA256
3
|
C006 | TLS 1.2 | SHA-1 | None | No | No | 9.0.0.1 | |
ECDHE_ECDSA_RC4_128_SHA256
3 |
C007 | TLS 1.2 | SHA-1 | RC4 (128) | No | No | 9.0.0.0 | |
ECDHE_RSA_NULL_SHA256
3 |
C010 | TLS 1.2 | SHA-1 | None | No | No | 9.0.0.1 | |
ECDHE_RSA_RC4_128_SHA256
3 |
C011 | TLS 1.2 | SHA-1 | RC4 (128) | No | No | 9.0.0.0 | |
TLS_RSA_WITH_NULL_NULL
3
|
0000 | TLS 1.2 | None | None | No | No | 9.0.0.1 | |
All | TLS_RSA_WITH_NULL_SHA256
3 |
003B | TLS 1.2 | SHA-256 | None | No | No | 9.0.0.1 |
TLS_RSA_WITH_RC4_128_SHA256
3 |
0005 | TLS 1.2 | SHA-1 | RC4 (128) | No | No | 9.0.0.0 | |
ECDHE_ECDSA_3DES_EDE_CBC_SHA256
|
C0008 | TLS 1.2 | SHA-1 | 3DES (168) | Yes | No | 9.0.0.1 and 9.0.1 | |
ECDHE_RSA_3DES_EDE_CBC_SHA256
|
C012 | TLS 1.2 | SHA-1 | 3DES (168) | Yes | No | 9.0.0.1 and 9.0.1 | |
Notes:
|
Enabling deprecated CipherSpecs on IBM MQ for Multiplatforms
By default, you are not allowed to specify a deprecated CipherSpec on a channel definition. If you attempt to specify a deprecated CipherSpec on IBM MQ for Multiplatforms, you receive message AMQ8242: SSLCIPH definition wrong, and PCF returns MQRCCF_SSL_CIPHER_SPEC_ERROR.
You cannot start a channel with a deprecated CipherSpec. If you attempt to do so with a deprecated CipherSpec, the system returns MQCC_FAILED (2), together with a Reason of MQRC_SSL_INITIALIZATION_ERROR (2393) to the client.
You can re-enable one or more of the deprecated CipherSpecs for defining channels, at runtime on the server, by setting the environment variable AMQ_SSL_WEAK_CIPHER_ENABLE.
- A single CipherSpec name, or
- A comma separated list of CipherSpec names to re-enable, or
- The special value of ALL, representing all CipherSpecs.
export AMQ_SSL_WEAK_CIPHER_ENABLE=ECDHE_RSA_RC4_128_SHA256
or,
alternatively change the SSL stanza in the qm.ini file, by setting:
SSL:
AllowTLSV1=Y
AllowWeakCipherSpec=ECDHE_RSA_RC4_128_SHA256
Enabling deprecated CipherSpecs on z/OS
By default, you are not allowed to specify a deprecated CipherSpec on a channel definition. If you attempt to specify a deprecated CipherSpec on z/OS, you receive message CSQM102E, message CSQX616E, or CSQX674E.
- If you want to re-enable the use of weak CipherSpecs, you do so by adding a dummy data
definition (DD) statement named
CSQXWEAK
to the channel initiator JCL. If specified on its own, this only enables weak CipherSpecs associated with the TLS 1.2 protocol; for example://CSQXWEAK DD DUMMY
Note: Not all deprecated CipherSpecs require the use of this DD statement, see note 10 in the preceding table. - If you want to re-enable the use of SSLv3 CipherSpecs, you do so by also adding a dummy DD
statement named
CSQXSSL3
to the channel initiator JCL. All SSLv3 CipherSpecs are considered Weak, so you must also specifyCSQXWEAK
://CSQXSSL3 DD DUMMY
- If you want to re-enable the deprecated TLS V1 CipherSpecs, you do so by adding a dummy DD
statement named
TLS10ON
(turn TLS V1.0 ON) to the channel initiator JCL. If specified on its own, this enables Strong CipherSpecs associated with the TLS 1.0 protocol://TLS10ON DD DUMMY
If specified with
CSQXWEAK
this also enables Weak CipherSpecs associated with TLS 1.0. - If you want to explicitly turn off the deprecated TLS V1 CipherSpecs, you do so by adding a
dummy DD statement named
TLS10OFF
(turn TLS V1.0 OFF) to the channel initiator JCL; for example://TLS10OFF DD DUMMY
JCL: //GSKDCIPS DD DUMMY
There are alternative mechanisms that can be used to forcibly re-enable weak CipherSpecs, and SSLv3 support, if the Data Definition change is unsuitable. Contact IBM Service for further information.