CipherSpec mismatches
Both ends of a WebSphere® MQ SSL channel must use the same CipherSpec. Mismatches can be detected during the SSL handshake or during channel startup.
A CipherSpec identifies the combination of the encryption algorithm and hash function. Both ends of a WebSphere MQ SSL channel must use the same CipherSpec, although they can specify that CipherSpec in a different manner. Mismatches can be detected at two stages:
- During the SSL handshake
- The SSL handshake fails when the CipherSpec specified by the SSL
client is unacceptable to the SSL support at the SSL server end of
the connection. A CipherSpec failure during the SSL handshake arises
when the SSL client proposes a CipherSpec that is not supported by
the SSL provision on the SSL server. For example, when an SSL client
running on AIX® proposes the
DES_SHA_EXPORT1024
CipherSpec to an SSL server running on IBM® i. - During channel startup
- Channel startup fails when there is a mismatch between the CipherSpec
defined for the responding end of the channel and the CipherSpec defined
for the calling end of channel. Channel startup also fails when only
one end of the channel defines a CipherSpec.
See Specifying CipherSpecs for more information.
Note: If Global Server Certificates are used, a mismatch can be detected during channel startup even if the CipherSpecs specified on both channel definitions match.Global Server Certificates are a special type of certificate which require that a minimum level of encryption is established on all the communications links with which they are used. If the CipherSpec requested by the WebSphere MQ channel configuration does not meet this requirement, the CipherSpec is renegotiated during the SSL handshake. This is detected as a failure during WebSphere MQ channel startup as the CipherSpec no longer matches the one specified on the channel.
In this case, change the CipherSpec at both sides of the channel to one which meets the requirements of the Global Server Certificate. To establish whether a certificate that has been issued to you is a Global Server Certificate, contact the certificate authority which issued that certificate.
SSL servers do not detect mismatches when an SSL client
channel on UNIX, Linux® or Windows systems
specifies the DES_SHA_EXPORT1024
CipherSpec, and
the corresponding SSL server channel on UNIX, Linux or
Windows systems
is using the DES_SHA_EXPORT
CipherSpec. In this case,
the channel runs normally.