CipherSpec values supported in IBM WebSphere MQ

The set of default CipherSpecs allows only the following values:

TLS 1.0
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA
TLS 1.2
  • ECDHE_ECDSA_AES_128_CBC_SHA256
  • ECDHE_ECDSA_AES_256_CBC_SHA384
  • ECDHE_ECDSA_AES_128_GCM_SHA256
  • ECDHE_ECDSA_AES_256_GCM_SHA384
  • ECDHE_RSA_AES_128_CBC_SHA256
  • ECDHE_RSA_AES_256_CBC_SHA384
  • ECDHE_RSA_AES_128_GCM_SHA256
  • ECDHE_RSA_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384

Enabling deprecated CipherSpecs

By default, you are not allowed to specify a deprecated CipherSpec on a channel definition. If you attempt to specify a deprecated CipherSpec, you receive message AMQ9788 in the error log for the queue manager.

You can re-enable the deprecated CipherSpecs by editing the qm.ini file. Within the SSL stanza of the qm.ini file, add the following line:

SSL:
   AllowWeakCipherSpec=Yes

You can also re-enable one or more of the deprecated CipherSpecs at runtime on the server by setting the environment variable AMQ_SSL_WEAK_CIPHER_ENABLE to any value. This environment variable enables the CipherSpecs regardless of the value that is specified in the qm.ini file.
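
To confirm that neither override is active on a queue manager host, the following added example (not IBM code) audits qm.ini text, the process environment, and a mapping of channel name to configured CipherSpec against the default list above. The function names, the channel mapping (assumed to be gathered separately), the treatment of '#' and ';' as comment markers, the case-insensitive key match, and the sample data are assumptions made for illustration.

```python
import os

# Default CipherSpecs, copied from the list on this page.
DEFAULT_CIPHERSPECS = frozenset("""
TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA
ECDHE_ECDSA_AES_128_CBC_SHA256 ECDHE_ECDSA_AES_256_CBC_SHA384
ECDHE_ECDSA_AES_128_GCM_SHA256 ECDHE_ECDSA_AES_256_GCM_SHA384
ECDHE_RSA_AES_128_CBC_SHA256 ECDHE_RSA_AES_256_CBC_SHA384
ECDHE_RSA_AES_128_GCM_SHA256 ECDHE_RSA_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384
""".split())

def ssl_stanza_attrs(qm_ini_text):
    """Return the attributes of the SSL stanza as {lowercased key: value}."""
    attrs, stanza = {}, None
    for raw in qm_ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # assumption: '#' and ';' start comments
            continue
        if line.endswith(":") and "=" not in line:
            stanza = line[:-1].strip().lower()   # new stanza header, e.g. "SSL:"
        elif stanza == "ssl" and "=" in line:
            key, _, value = line.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return attrs

def audit_weak_cipherspecs(qm_ini_text, channel_cipherspecs, env=None):
    """Return findings showing deprecated CipherSpecs are enabled or in use."""
    env = os.environ if env is None else env
    findings = []
    if ssl_stanza_attrs(qm_ini_text).get("allowweakcipherspec", "").lower() == "yes":
        findings.append("qm.ini: AllowWeakCipherSpec=Yes in SSL stanza")
    if "AMQ_SSL_WEAK_CIPHER_ENABLE" in env:  # any value counts, per the page
        findings.append("env: AMQ_SSL_WEAK_CIPHER_ENABLE is set (overrides qm.ini)")
    for channel, spec in sorted(channel_cipherspecs.items()):
        if spec and spec not in DEFAULT_CIPHERSPECS:
            findings.append(f"channel {channel}: {spec} is not a default CipherSpec")
    return findings

# Constructed sample input, not taken from a real queue manager.
SAMPLE_QM_INI = "Log:\n   LogType=CIRCULAR\nSSL:\n   AllowWeakCipherSpec=Yes\n"
SAMPLE_CHANNELS = {"APP.SVRCONN": "ECDHE_RSA_AES_256_GCM_SHA384",
                   "LEGACY.SVRCONN": "RC4_MD5_US"}

if __name__ == "__main__":
    for finding in audit_weak_cipherspecs(SAMPLE_QM_INI, SAMPLE_CHANNELS):
        print(finding)
```

Run the environment check in the context of the queue manager's own processes, since the variable only matters where those processes inherit it.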