We're busy setting up TLS 1.2 encryption for WebSphere MQ 8, forcing all connections ( from WebSphere Application Server, IBM Integration Bus etc. ) to be encrypted, via a dedicated SVRCONN Channel.
The MQ setup script includes the following: -
...
QMGR=TESTQM
QMGRPORT=1420
MQCIPHERSPEC=TLS_RSA_WITH_AES_128_CBC_SHA256
QMGRPORT=1420
MQCIPHERSPEC=TLS_RSA_WITH_AES_128_CBC_SHA256
echo "DEFINE CHANNEL(TEST.QMGR.SVRCONN) CHLTYPE(SVRCONN) SSLCIPH("$MQCIPHERSPEC") REPLACE" | runmqsc $QMGR
echo "ALTER CHANNEL(TEST.QMGR.SVRCONN) CHLTYPE(SVRCONN) SSLCAUTH(OPTIONAL)" | runmqsc $QMGR
echo "DIS CHANNEL(TEST.QMGR.SVRCONN) CHLTYPE(SVRCONN)" | runmqsc $QMGR
...
echo "ALTER CHANNEL(TEST.QMGR.SVRCONN) CHLTYPE(SVRCONN) SSLCAUTH(OPTIONAL)" | runmqsc $QMGR
echo "DIS CHANNEL(TEST.QMGR.SVRCONN) CHLTYPE(SVRCONN)" | runmqsc $QMGR
...
meaning that connectivity to this specific Channel will use the TLS_RSA_WITH_AES_128_CBC_SHA256 cipher.
Having completed the configuration, I wanted to validate the connectivity, using OpenSSL, which is built into my server's OS ( Red Hat Enterprise Linux ).
openssl s_client -tls1_2 -connect `hostname`:1420
CONNECTED(00000003)
depth=0 CN = bpm856.uk.ibm.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = bpm856.uk.ibm.com
verify return:1
---
Certificate chain
0 s:/CN=bpm856.uk.ibm.com
i:/CN=bpm856.uk.ibm.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIB2zCCAUSgAwIBAgIEVfA5qjANBgkqhkiG9w0BAQUFADAcMRowGAYDVQQDExFi
cG04NTYudWsuaWJtLmNvbTAeFw0xNTA5MDkxMzUyNDJaFw0zNTA5MDQxMzUyNDJa
MBwxGjAYBgNVBAMTEWJwbTg1Ni51ay5pYm0uY29tMIGfMA0GCSqGSIb3DQEBAQUA
A4GNADCBiQKBgQCjEQKO/DA4y1gIv0wosNiAQx/V5vqaQHW8pEgy+mzJ/wcCdDRm
lqtm/E4JtAlbway70+OPdunKRMF54zizttXSWiDxrjFM8MRXJKGEsQfo2RpsKpUf
1YC0TRE8FUiUUCLIQmpLJ1aeW5RoxOxTQQwn97Rp0ULj7nq95anxgFuzDQIDAQAB
oyowKDATBgNVHSMEDDAKgAgPevSoHR450jARBgNVHQ4ECgQID3r0qB0eOdIwDQYJ
KoZIhvcNAQEFBQADgYEALGop6W2G8W/vlyf/0zBzZ0SupScUVQ875CIqE8Dm3wW6
pBn7HTDBGLIESJ4oQ0CdseiJEStBxmBtW4klotgL0A9C3nh2WNnSOxs1W1UqgCBB
fPQdWHU7iwogplgdfyb0xgWbwiobRoej8aOxMgL2yOyoojxFgspHrmMySEAjQvw=
-----END CERTIFICATE-----
subject=/CN=bpm856.uk.ibm.com
issuer=/CN=bpm856.uk.ibm.com
---
Acceptable client certificate CA names
/CN=bpm856.uk.ibm.com
---
SSL handshake has read 742 bytes and written 491 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA256
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : AES128-SHA256
Session-ID: 835400002792AB6982E40F6F59B50F396703953B58585858D875F0550000000A
Session-ID-ctx:
Master-Key: D20745FE1E201620E7EC9B209D2858059E5CC7D2A68AE7D8B40CACAFED2767B891A9330156EAB5F9E46E151D3BCA3B27
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1441822168
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
---
To further ensure that I could only connect with one cipher, I narrowed down my OpenSSL command: -
depth=0 CN = bpm856.uk.ibm.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = bpm856.uk.ibm.com
verify return:1
---
Certificate chain
0 s:/CN=bpm856.uk.ibm.com
i:/CN=bpm856.uk.ibm.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIB2zCCAUSgAwIBAgIEVfA5qjANBgkqhkiG9w0BAQUFADAcMRowGAYDVQQDExFi
cG04NTYudWsuaWJtLmNvbTAeFw0xNTA5MDkxMzUyNDJaFw0zNTA5MDQxMzUyNDJa
MBwxGjAYBgNVBAMTEWJwbTg1Ni51ay5pYm0uY29tMIGfMA0GCSqGSIb3DQEBAQUA
A4GNADCBiQKBgQCjEQKO/DA4y1gIv0wosNiAQx/V5vqaQHW8pEgy+mzJ/wcCdDRm
lqtm/E4JtAlbway70+OPdunKRMF54zizttXSWiDxrjFM8MRXJKGEsQfo2RpsKpUf
1YC0TRE8FUiUUCLIQmpLJ1aeW5RoxOxTQQwn97Rp0ULj7nq95anxgFuzDQIDAQAB
oyowKDATBgNVHSMEDDAKgAgPevSoHR450jARBgNVHQ4ECgQID3r0qB0eOdIwDQYJ
KoZIhvcNAQEFBQADgYEALGop6W2G8W/vlyf/0zBzZ0SupScUVQ875CIqE8Dm3wW6
pBn7HTDBGLIESJ4oQ0CdseiJEStBxmBtW4klotgL0A9C3nh2WNnSOxs1W1UqgCBB
fPQdWHU7iwogplgdfyb0xgWbwiobRoej8aOxMgL2yOyoojxFgspHrmMySEAjQvw=
-----END CERTIFICATE-----
subject=/CN=bpm856.uk.ibm.com
issuer=/CN=bpm856.uk.ibm.com
---
Acceptable client certificate CA names
/CN=bpm856.uk.ibm.com
---
SSL handshake has read 742 bytes and written 491 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA256
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : AES128-SHA256
Session-ID: 835400002792AB6982E40F6F59B50F396703953B58585858D875F0550000000A
Session-ID-ctx:
Master-Key: D20745FE1E201620E7EC9B209D2858059E5CC7D2A68AE7D8B40CACAFED2767B891A9330156EAB5F9E46E151D3BCA3B27
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1441822168
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
---
To further ensure that I could only connect with one cipher, I narrowed down my OpenSSL command: -
openssl s_client -tls1_2 -connect `hostname`:1420 -cipher 'TLS_RSA_WITH_AES_128_CBC_SHA256'
which returned: -
error setting cipher list
140245232068424:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1314:
140245232068424:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1314:
( Note that I'd specified the actual cipher - TLS_RSA_WITH_AES_128_CBC_SHA256 - in the command )
I then checked the online man page for the -ciphers option: -
which did the trick: -
openssl s_client -tls1_2 -connect `hostname`:1420 -cipher 'AES128-SHA256'
returns: -
...
CONNECTED(00000003)
...
CONNECTED(00000003)
...
SSL handshake has read 736 bytes and written 343 bytes
Cipher : AES128-SHA256
...
New, TLSv1/SSLv3, Cipher is AES128-SHA256...
Protocol : TLSv1.2Cipher : AES128-SHA256
...