[Deprecated]

Deprecated and removed CipherSpecs

A list of deprecated CipherSpecs that you are able to use with IBM® MQ if necessary, [MQ 9.4.4 Oct 2025] and a list of removed CipherSpecs that are no longer supported with IBM MQ.

Deprecated CipherSpecs

Deprecated CipherSpecs that you can use with IBM MQ TLS support are listed in the following table.

Table 1. Deprecated CipherSpecs you can re-enable for use with IBM MQ

| Platform support (note 1) | CipherSpec name | Hex code | Protocol used | Data integrity | Encryption algorithm (encryption bits) | FIPS (note 2) | Suite B | Update when deprecated |
|---|---|---|---|---|---|---|---|---|
| CipherSpecs for SSL 3.0 | | | | | | | | |
| [IBM i] | AES_SHA_US (notes 3, 14) | 002F | SSL 3.0 | SHA-1 | AES (128) | No | No | 9.0.0.0 |
| All | DES_SHA_EXPORT (notes 3, 4, 5, 14) | 0009 | SSL 3.0 | SHA-1 | DES (56) | No | No | 9.0.0.0 |
| [AIX, Linux, Windows] | DES_SHA_EXPORT1024 (notes 3, 6, 14) | 0062 | SSL 3.0 | SHA-1 | DES (56) | No | No | 9.0.0.0 |
| [AIX, Linux, Windows] | FIPS_WITH_DES_CBC_SHA (notes 3, 14) | FEFE | SSL 3.0 | SHA-1 | DES (56) | No (note 7) | No | 9.0.0.0 |
| [AIX, Linux, Windows] | FIPS_WITH_3DES_EDE_CBC_SHA (notes 3, 14) | FEFF | SSL 3.0 | SHA-1 | 3DES (168) | No (note 8) | No | 9.0.0.1 and 9.0.1 |
| All | NULL_MD5 (notes 3, 14) | 0001 | SSL 3.0 | MD5 | None | No | No | 9.0.0.1 |
| All | NULL_SHA (notes 3, 14) | 0002 | SSL 3.0 | SHA-1 | None | No | No | 9.0.0.1 |
| All | RC2_MD5_EXPORT (notes 3, 4, 5, 14) | 0006 | SSL 3.0 | MD5 | RC2 (40) | No | No | 9.0.0.0 |
| All | RC4_MD5_EXPORT (notes 3, 4, 14) | 0003 | SSL 3.0 | MD5 | RC4 (40) | No | No | 9.0.0.0 |
| All | RC4_MD5_US (notes 3, 14) | 0004 | SSL 3.0 | MD5 | RC4 (128) | No | No | 9.0.0.0 |
| All | RC4_SHA_US (notes 3, 5, 14) | 0005 | SSL 3.0 | SHA-1 | RC4 (128) | No | No | 9.0.0.0 |
| [AIX, Linux, Windows] | RC4_56_SHA_EXPORT1024 (notes 3, 6, 14) | 0064 | SSL 3.0 | SHA-1 | RC4 (56) | No | No | 9.0.0.0 |
| All | TRIPLE_DES_SHA_US (notes 3, 5, 14) | 000A | SSL 3.0 | SHA-1 | 3DES (168) | No | No | 9.0.0.1 and 9.0.1 |
| CipherSpecs for TLS 1.0 | | | | | | | | |
| [IBM i] | TLS_RSA_EXPORT_WITH_RC2_40_MD5 (notes 3, 14) | 0006 | TLS 1.0 | MD5 | RC2 (40) | No | No | 9.0.0.0 |
| [IBM i] | TLS_RSA_EXPORT_WITH_RC4_40_MD5 (notes 3, 4, 14) | 0003 | TLS 1.0 | MD5 | RC4 (40) | No | No | 9.0.0.0 |
| All | TLS_RSA_WITH_DES_CBC_SHA (notes 3, 14) | 0009 | TLS 1.0 | SHA-1 | DES (56) | No (note 9) | No | 9.0.0.0 |
| [IBM i] | TLS_RSA_WITH_NULL_MD5 (notes 3, 14) | 0001 | TLS 1.0 | MD5 | None | No | No | 9.0.0.1 |
| [IBM i] | TLS_RSA_WITH_NULL_SHA (notes 3, 14) | 0002 | TLS 1.0 | SHA-1 | None | No | No | 9.0.0.1 |
| [IBM i] | TLS_RSA_WITH_RC4_128_MD5 (notes 3, 14) | 0004 | TLS 1.0 | MD5 | RC4 (128) | No | No | 9.0.0.0 |
| [AIX, Linux, Windows][z/OS] | TLS_RSA_WITH_AES_128_CBC_SHA (notes 10, 14) | 002F | TLS 1.0 | SHA-1 | AES (128) | [MQ 9.4.3 Jun 2025] No; [Long Term Support] Yes | No | 9.0.5 |
| [AIX, Linux, Windows][z/OS] | TLS_RSA_WITH_AES_256_CBC_SHA (notes 6, 10, 14) | 0035 | TLS 1.0 | SHA-1 | AES (256) | [MQ 9.4.3 Jun 2025] No; [Long Term Support] Yes | No | 9.0.5 |
| All | TLS_RSA_WITH_3DES_EDE_CBC_SHA (note 14) | 000A | TLS 1.0 | SHA-1 | 3DES (168) | [MQ 9.4.3 Jun 2025] No; [Long Term Support] Yes | No | 9.0.0.1 and 9.0.1 |
| CipherSpecs for TLS 1.2 | | | | | | | | |
| [AIX, Linux, Windows] | ECDHE_ECDSA_NULL_SHA256 (note 3) | C006 | TLS 1.2 | SHA-1 | None | No | No | 9.0.0.1 |
| [AIX, Linux, Windows] | ECDHE_ECDSA_RC4_128_SHA256 (notes 3, 14) | C007 | TLS 1.2 | SHA-1 | RC4 (128) | No | No | 9.0.0.0 |
| [IBM i][AIX, Linux, Windows] | ECDHE_RSA_NULL_SHA256 (note 3) | C010 | TLS 1.2 | SHA-1 | None | No | No | 9.0.0.1 |
| [IBM i][AIX, Linux, Windows] | ECDHE_RSA_RC4_128_SHA256 (notes 3, 14) | C011 | TLS 1.2 | SHA-1 | RC4 (128) | No | No | 9.0.0.0 |
| [AIX, Linux, Windows] | TLS_RSA_WITH_NULL_NULL (notes 3, 14) | 0000 | TLS 1.2 | None | None | No | No | 9.0.0.1 |
| All | TLS_RSA_WITH_NULL_SHA256 (notes 3, 14) | 003B | TLS 1.2 | SHA-256 | None | No | No | 9.0.0.1 |
| [AIX, Linux, Windows] | TLS_RSA_WITH_RC4_128_SHA256 (notes 3, 14) | 0005 | TLS 1.2 | SHA-1 | RC4 (128) | No | No | 9.0.0.0 |
| [AIX, Linux, Windows] | ECDHE_ECDSA_3DES_EDE_CBC_SHA256 (note 14) | C0008 | TLS 1.2 | SHA-1 | 3DES (168) | Yes | No | 9.0.0.1 and 9.0.1 |
| [IBM i][AIX, Linux, Windows] | ECDHE_RSA_3DES_EDE_CBC_SHA256 (note 14) | C012 | TLS 1.2 | SHA-1 | 3DES (168) | Yes | No | 9.0.0.1 and 9.0.1 |
| [MQ 9.4.1 Oct 2024] All | TLS_RSA_WITH_AES_128_CBC_SHA256 (note 11) | 003C | TLS 1.2 | SHA-256 | AES (128) | [MQ 9.4.3 Jun 2025] No; [Long Term Support] Yes | No | 9.4.1 |
| [MQ 9.4.1 Oct 2024] All | TLS_RSA_WITH_AES_256_CBC_SHA256 (notes 11, 12) | 003D | TLS 1.2 | SHA-256 | AES (256) | [MQ 9.4.3 Jun 2025] No; [Long Term Support] Yes | No | 9.4.1 |
| [MQ 9.4.1 Oct 2024] All | TLS_RSA_WITH_AES_128_GCM_SHA256 (notes 11, 13) | 009C | TLS 1.2 | SHA-256 and AEAD GCM | AES (128) | [MQ 9.4.3 Jun 2025] No; [Long Term Support] Yes | No | 9.4.1 |
| [MQ 9.4.1 Oct 2024] All | TLS_RSA_WITH_AES_256_GCM_SHA384 (notes 11, 12, 13) | 009D | TLS 1.2 | SHA-384 and AEAD GCM | AES (256) | [MQ 9.4.3 Jun 2025] No; [Long Term Support] Yes | No | 9.4.1 |

Notes:
  1. For a list of platforms covered by each platform icon, see Icons used in the product documentation.
  2. Specifies whether the CipherSpec is FIPS certified on a FIPS certified platform. See Federal Information Processing Standards (FIPS) for an explanation of FIPS.
  3. [AIX, Linux, Windows]These CipherSpecs are disabled when TLS 1.3 is enabled (through the AllowTLSV13 property in the qm.ini).

    [z/OS]Queue managers created at IBM MQ for z/OS® 9.2.0 or later enable TLS 1.3 by default, which disables these CipherSpecs. You can enable these CipherSpecs, if required, by turning off TLS V1.3. This is done by adding AllowTLSV13=FALSE to the TransportSecurity stanza of the QMINI data set in the queue manager JCL. Queue managers migrated to IBM MQ for z/OS 9.2.0 from an earlier version don't have TLS 1.3 enabled by default, and therefore have these CipherSpecs enabled.

  4. The maximum handshake key size is 512 bits. If either of the certificates exchanged during the SSL handshake has a key size greater than 512 bits, a temporary 512-bit key is generated for use during the handshake.
  5. These CipherSpecs are no longer supported by IBM MQ classes for Java or IBM MQ classes for JMS. For more information, see SSL/TLS CipherSpecs and CipherSuites in IBM MQ classes for Java or SSL/TLS CipherSpecs and CipherSuites in IBM MQ classes for JMS.
  6. The handshake key size is 1024 bits.
  7. [Deprecated]This CipherSpec was FIPS 140-2 certified before 19 May 2007. The name FIPS_WITH_DES_CBC_SHA is historical and reflects the fact that this CipherSpec was previously (but is no longer) FIPS compliant. This CipherSpec is deprecated and its use is not recommended.
  8. [Deprecated]The name FIPS_WITH_3DES_EDE_CBC_SHA is historical and reflects the fact that this CipherSpec was previously (but is no longer) FIPS compliant. The use of this CipherSpec is deprecated.
  9. This CipherSpec was FIPS 140-2 certified before 19 May 2007.
  10. Re-enabling just these CipherSpecs does not require the use of the CSQXWEAK DD statement.
  11. [IBM i][MQ 9.4.1 Oct 2024]These CipherSpecs are not enabled on IBM i 7.4 systems that have System Value QSSLCSLCTL set to *OPSSYS.
  12. [MQ 9.4.1 Oct 2024]This CipherSpec cannot be used to secure a connection from the IBM MQ Explorer to a queue manager unless the appropriate unrestricted policy files are applied to the JRE used by the Explorer.
  13. [AIX, Linux, Windows][MQ 9.4.1 Oct 2024]Following a recommendation by GSKit, TLS 1.2 GCM CipherSpecs have a restriction which means that after 2^24.5 TLS records are sent, using the same session key, the connection is terminated with message AMQ9288E. This GCM restriction is active, regardless of the FIPS mode being used.

    To prevent this error from happening, avoid using TLS 1.2 GCM Ciphers, enable secret key reset, or start your IBM MQ queue manager or client with the environment variable GSK_ENFORCE_GCM_RESTRICTION=GSK_FALSE set. For GSKit libraries, you must set this environment variable on both sides of the connection, and apply it to both client to queue manager connections and queue manager to queue manager connections. Note that this setting affects unmanaged .NET clients, but not Java or managed .NET clients. For more information, see AES-GCM cipher restriction.

  14. [MQ 9.4.4 Oct 2025][UNIX, Linux, Windows, IBM i]These CipherSpecs are removed at IBM MQ 9.4.4 on Multiplatforms and cannot be re-enabled.
[MQ 9.4.4 Oct 2025][UNIX, Linux, Windows, IBM i]

Removed CipherSpecs

CipherSpecs that are removed and can no longer be used with IBM MQ for Multiplatforms TLS support are listed in the following table.

Table 2. CipherSpecs removed from IBM MQ

| Platform | CipherSpec name | Hex code | Protocol used | Update when deprecated |
|---|---|---|---|---|
| CipherSpecs for SSL 3.0 | | | | |
| [IBM i] | AES_SHA_US | 002F | SSL 3.0 | 9.4.4.0 |
| [UNIX, Linux, Windows, IBM i] | DES_SHA_EXPORT | 0009 | SSL 3.0 | 9.4.4.0 |
| [AIX, Linux, Windows] | DES_SHA_EXPORT1024 | 0062 | SSL 3.0 | 9.4.4.0 |
| [AIX, Linux, Windows] | FIPS_WITH_DES_CBC_SHA | FEFE | SSL 3.0 | 9.4.4.0 |
| [AIX, Linux, Windows] | FIPS_WITH_3DES_EDE_CBC_SHA | FEFF | SSL 3.0 | 9.4.4.0 |
| [UNIX, Linux, Windows, IBM i] | NULL_MD5 | 0001 | SSL 3.0 | 9.4.4.0 |
| [UNIX, Linux, Windows, IBM i] | NULL_SHA | 0002 | SSL 3.0 | 9.4.4.0 |
| [UNIX, Linux, Windows, IBM i] | RC2_MD5_EXPORT | 0006 | SSL 3.0 | 9.4.4.0 |
| [UNIX, Linux, Windows, IBM i] | RC4_MD5_EXPORT | 0003 | SSL 3.0 | 9.4.4.0 |
| [UNIX, Linux, Windows, IBM i] | RC4_MD5_US | 0004 | SSL 3.0 | 9.4.4.0 |
| [UNIX, Linux, Windows, IBM i] | RC4_SHA_US | 0005 | SSL 3.0 | 9.4.4.0 |
| [AIX, Linux, Windows] | RC4_56_SHA_EXPORT1024 | 0064 | SSL 3.0 | 9.4.4.0 |
| [UNIX, Linux, Windows, IBM i] | TRIPLE_DES_SHA_US | 000A | SSL 3.0 | 9.4.4.0 |
| CipherSpecs for TLS 1.0 | | | | |
| [IBM i] | TLS_RSA_EXPORT_WITH_RC2_40_MD5 | 0006 | TLS 1.0 | 9.4.4.0 |
| [IBM i] | TLS_RSA_EXPORT_WITH_RC4_40_MD5 | 0003 | TLS 1.0 | 9.4.4.0 |
| [UNIX, Linux, Windows, IBM i] | TLS_RSA_WITH_DES_CBC_SHA | 0009 | TLS 1.0 | 9.4.4.0 |
| [IBM i] | TLS_RSA_WITH_NULL_MD5 | 0001 | TLS 1.0 | 9.4.4.0 |
| [IBM i] | TLS_RSA_WITH_NULL_SHA | 0002 | TLS 1.0 | 9.4.4.0 |
| [IBM i] | TLS_RSA_WITH_RC4_128_MD5 | 0004 | TLS 1.0 | 9.4.4.0 |
| [AIX, Linux, Windows] | TLS_RSA_WITH_AES_128_CBC_SHA | 002F | TLS 1.0 | 9.4.4.0 |
| [AIX, Linux, Windows] | TLS_RSA_WITH_AES_256_CBC_SHA | 0035 | TLS 1.0 | 9.4.4.0 |
| [UNIX, Linux, Windows, IBM i] | TLS_RSA_WITH_3DES_EDE_CBC_SHA | 000A | TLS 1.0 | 9.4.4.0 |
| CipherSpecs for TLS 1.2 | | | | |
| [AIX, Linux, Windows] | ECDHE_ECDSA_RC4_128_SHA256 | C007 | TLS 1.2 | 9.4.4.0 |
| [UNIX, Linux, Windows, IBM i] | ECDHE_RSA_RC4_128_SHA256 | C011 | TLS 1.2 | 9.4.4.0 |
| [AIX, Linux, Windows] | TLS_RSA_WITH_NULL_NULL | 0000 | TLS 1.2 | 9.4.4.0 |
| [UNIX, Linux, Windows, IBM i] | TLS_RSA_WITH_NULL_SHA256 | 003B | TLS 1.2 | 9.4.4.0 |
| [AIX, Linux, Windows] | TLS_RSA_WITH_RC4_128_SHA256 | 0005 | TLS 1.2 | 9.4.4.0 |
| [AIX, Linux, Windows] | ECDHE_ECDSA_3DES_EDE_CBC_SHA256 | C0008 | TLS 1.2 | 9.4.4.0 |
| [UNIX, Linux, Windows, IBM i] | ECDHE_RSA_3DES_EDE_CBC_SHA256 | C012 | TLS 1.2 | 9.4.4.0 |

[UNIX, Linux, Windows, IBM i]

Enabling deprecated CipherSpecs on IBM MQ for Multiplatforms

By default, you are not allowed to specify a deprecated or removed CipherSpec on a channel definition. If you attempt to specify a deprecated or removed CipherSpec on IBM MQ for Multiplatforms, you receive message AMQ8242: SSLCIPH definition wrong, and PCF returns MQRCCF_SSL_CIPHER_SPEC_ERROR.

You cannot start a channel with a deprecated or removed CipherSpec. If you attempt to do so with such a CipherSpec, the system returns MQCC_FAILED (2), together with a Reason of MQRC_SSL_INITIALIZATION_ERROR (2393) to the client.

You can re-enable one or more of the deprecated CipherSpecs for defining channels, at runtime on the server, by setting the environment variable AMQ_SSL_WEAK_CIPHER_ENABLE.

The AMQ_SSL_WEAK_CIPHER_ENABLE environment variable accepts:
  • A single CipherSpec name, or
  • A comma separated list of CipherSpec names to re-enable, or
  • The special value of ALL, representing all CipherSpecs.
Attention: Although ALL is a valid option, you should use it only in a specific situation that your enterprise requires, as re-enabling ALL CipherSpecs enables all insecure and weak CipherSpecs.
For example, if you want to re-enable TLS_RSA_WITH_AES_256_CBC_SHA256, set the following environment variable:
export AMQ_SSL_WEAK_CIPHER_ENABLE=TLS_RSA_WITH_AES_256_CBC_SHA256
or, alternatively, change the SSL stanza in the qm.ini file by setting:
SSL:
  AllowWeakCipherSpec=TLS_RSA_WITH_AES_256_CBC_SHA256

[MQ 9.4.4 Oct 2025]It is not possible to re-enable removed CipherSpecs.

[MQ 9.4.4 Oct 2025]Note: The SSL .ini stanza attributes AllowSSLV3 and AllowTLSV1 (as well as their environment variable counterparts AMQ_SSL_V3_ENABLE and AMQ_TLS_V1_ENABLE) will always be set as false internally regardless of their user setting.
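
The following check is an added example, not IBM-supplied code. It reads the AllowWeakCipherSpec attribute from the SSL stanza of qm.ini text and the AMQ_SSL_WEAK_CIPHER_ENABLE environment variable, and classifies each named CipherSpec against Table 2 on this page. The function names, the sample input, the treatment of # as a comment marker, and the acceptance of a comma-separated list in AllowWeakCipherSpec are assumptions.

```python
# Added example (not IBM code). Names are the Table 2 entries on this page.
REMOVED_AT_944 = frozenset("""
AES_SHA_US DES_SHA_EXPORT DES_SHA_EXPORT1024 FIPS_WITH_DES_CBC_SHA
FIPS_WITH_3DES_EDE_CBC_SHA NULL_MD5 NULL_SHA RC2_MD5_EXPORT RC4_MD5_EXPORT
RC4_MD5_US RC4_SHA_US RC4_56_SHA_EXPORT1024 TRIPLE_DES_SHA_US
TLS_RSA_EXPORT_WITH_RC2_40_MD5 TLS_RSA_EXPORT_WITH_RC4_40_MD5
TLS_RSA_WITH_DES_CBC_SHA TLS_RSA_WITH_NULL_MD5 TLS_RSA_WITH_NULL_SHA
TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA
ECDHE_ECDSA_RC4_128_SHA256 ECDHE_RSA_RC4_128_SHA256 TLS_RSA_WITH_NULL_NULL
TLS_RSA_WITH_NULL_SHA256 TLS_RSA_WITH_RC4_128_SHA256
ECDHE_ECDSA_3DES_EDE_CBC_SHA256 ECDHE_RSA_3DES_EDE_CBC_SHA256
""".split())

def _names(value):
    return [n.strip() for n in value.split(",") if n.strip()]

def reenabled_specs(qm_ini_text, env):
    """Return (source, name) for each CipherSpec named in either override."""
    found, stanza = [], None
    for raw in qm_ini_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # assumption: '#' starts a comment
        if line and not line[0].isspace() and line.endswith(":"):
            stanza = line[:-1]                # stanza header starts at column 0
        elif stanza == "SSL" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip() == "AllowWeakCipherSpec":
                found += [("qm.ini", n) for n in _names(value)]
    return found + [("env", n)
                    for n in _names(env.get("AMQ_SSL_WEAK_CIPHER_ENABLE", ""))]

def audit(qm_ini_text, env):
    """Classify each override as ALL, REMOVED (at 9.4.4) or DEPRECATED."""
    return [(src, name, "ALL" if name.upper() == "ALL" else
             "REMOVED" if name in REMOVED_AT_944 else "DEPRECATED")
            for src, name in reenabled_specs(qm_ini_text, env)]

# Constructed sample input, not taken from a real queue manager.
SAMPLE_QM_INI = """\
Log:
   LogType=CIRCULAR
SSL:
   AllowWeakCipherSpec=TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA
"""
SAMPLE_ENV = {"AMQ_SSL_WEAK_CIPHER_ENABLE": "ALL"}

if __name__ == "__main__":
    print(*audit(SAMPLE_QM_INI, SAMPLE_ENV), sep="\n")
```

A REMOVED result identifies an override that names a CipherSpec from Table 2, which cannot be re-enabled at IBM MQ 9.4.4 on Multiplatforms; an ALL result identifies the setting that the preceding Attention note advises against.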
[z/OS]

Enabling deprecated CipherSpecs on z/OS

By default, you are not allowed to specify a deprecated CipherSpec on a channel definition. If you attempt to specify a deprecated CipherSpec on z/OS, you receive message CSQM102E, message CSQX616E, or CSQX674E.

Follow the instructions listed in this section if you receive any of these messages, and your enterprise needs to re-enable the use of weak CipherSpecs.
Attention: In the following instructions, for the dummy definition (DD) statements to take effect, SSLTASKS must be a non-zero value. If this requires a change to SSLTASKS you must recycle the channel initiator.
On IBM MQ for z/OS, the current method of controlling weak or broken CipherSpecs is as follows:
  • If you want to re-enable the use of weak CipherSpecs, you do so by adding a dummy data definition (DD) statement named CSQXWEAK to the channel initiator JCL. If specified on its own, this only enables weak CipherSpecs associated with the TLS 1.2 protocol; for example:
    //CSQXWEAK DD DUMMY
    Note: Not all deprecated CipherSpecs require the use of this DD statement, see note 10 in the preceding table.
  • If you want to re-enable the use of SSLv3 CipherSpecs, you do so by also adding a dummy DD statement named CSQXSSL3 to the channel initiator JCL. All SSLv3 CipherSpecs are considered Weak, so you must also specify CSQXWEAK:
    //CSQXSSL3 DD DUMMY
  • If you want to re-enable the deprecated TLS V1 CipherSpecs, you do so by adding a dummy DD statement named TLS10ON (turn TLS V1.0 ON) to the channel initiator JCL. If specified on its own, this enables Strong CipherSpecs associated with the TLS 1.0 protocol:
    //TLS10ON DD DUMMY

    If specified with CSQXWEAK this also enables Weak CipherSpecs associated with TLS 1.0.

  • If you want to explicitly turn off the deprecated TLS V1 CipherSpecs, you do so by adding a dummy DD statement named TLS10OFF (turn TLS V1.0 OFF) to the channel initiator JCL; for example:
    //TLS10OFF DD DUMMY
If you want to only negotiate with the listener using the cipher specifications listed on the System SSL default cipher specification list, you need to define the following DD statement in the CHINIT JCL:
//GSKDCIPS DD DUMMY
Important: For IBM MQ for z/OS 9.2.0 and later, the previously listed DD cards and the value of AllowTLSV13 are taken into account when displaying messages during channel initiator startup to indicate which protocols are enabled and which are not. So, even if one of the previously listed DD cards is specified, it could mean that, due to a combination of these settings, a certain protocol cannot be enabled with another protocol. For example, protocol SSL 3.0 is not allowed if TLS 1.3 is enabled.

There are alternative mechanisms that can be used to forcibly re-enable weak CipherSpecs, and SSLv3 support, if the Data Definition change is unsuitable. Contact IBM Service for further information.