AMQ9631E: The CipherSpec negotiated during the SSL handshake does not match the required CipherSpec

Time:11-07

I am attempting to connect to IBM MQ queues.

Below is the code responsible for creating the connection:

```csharp
using System.Net;
using IBM.XMS;

// Allow TLS 1.0, 1.1 and 1.2 for this process.
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
IConnection connectionMQ;

int port = 1414; // placeholder listener port; the real value is not shown in the question

XMSFactoryFactory factoryFactory = XMSFactoryFactory.GetInstance(XMSC.CT_WMQ);
IConnectionFactory cf = factoryFactory.CreateConnectionFactory();

// Queue manager endpoint and channel.
cf.SetStringProperty(XMSC.WMQ_HOST_NAME, "host");
cf.SetIntProperty(XMSC.WMQ_PORT, port);
cf.SetStringProperty(XMSC.WMQ_CHANNEL, "channel");
cf.SetIntProperty(XMSC.WMQ_CONNECTION_MODE, XMSC.WMQ_CM_CLIENT);
cf.SetStringProperty(XMSC.WMQ_QUEUE_MANAGER, "queueManager");

// TLS settings: peer name check, the CipherSpec requested by the client,
// and the certificate store (*USER = the current user's Windows store).
cf.SetStringProperty(XMSC.WMQ_SSL_PEER_NAME, "sslPeerName");
cf.SetStringProperty(XMSC.WMQ_SSL_CIPHER_SPEC, "TLS_RSA_WITH_AES_256_CBC_SHA256");
cf.SetStringProperty(XMSC.WMQ_CCSID, "ccSid");
cf.SetStringProperty(XMSC.WMQ_SSL_KEY_REPOSITORY, "*USER");
cf.SetStringProperty(XMSC.WMQ_SSL_CLIENT_CERT_LABEL, "clientCertLabel");

connectionMQ = cf.CreateConnection();
```

Error visible on the server side:

AMQ9631E: The CipherSpec negotiated during the SSL handshake does not match the required CipherSpec for channel 'channel'.

EXPLANATION: There is a mismatch between the CipherSpecs on the local and remote ends of channel 'channel'. The channel will not run until this mismatch is resolved. The CipherSpec required in the local channel definition is 'TLS_RSA_WITH_AES_256_CBC_SHA256'. The name of the CipherSpec negotiated during the SSL handshake is 'TLS_RSA_WITH_AES_256_GCM_SHA384'. A code is displayed if the name of the negotiated CipherSpec cannot be determined.

ACTION: Change the channel definitions for 'channel' so the two ends have matching CipherSpecs and restart the channel. When using the 'ANY' type CipherSpecs ensure that the Client CipherSpec value would meet the requirements for the 'TLS_RSA_WITH_AES_256_CBC_SHA256' CipherSpec set on the channel 'channel'. If the client is set to use the 'ANY' type CipherSpecs then the TLS handshake may use a higher protocol than is allowed by the channel channel definition CipherSpec. If the certificate in use by one end of the channel is a Global Server Certificate, then the negotiated CipherSpec may not match that specified on either end of the channel. This is because the SSL protocol allows a Global Server Certificate to automatically negotiate a higher level of encryption. In these cases specify a CipherSpec which meets the requirements of the Global Server Certificate.

Why, even though I pass TLS_RSA_WITH_AES_256_CBC_SHA256 from .NET, do the server-side logs show TLS_RSA_WITH_AES_256_GCM_SHA384?

The client is on Red Hat.

CodePudding user response:

For IBM MQ/XMS .NET clients, the CipherSpec set at the application level is used to determine the TLS version only. Client running on Windows: the IBM MQ/XMS .NET client relies on Microsoft's SslStream for SSL communication. To set a preferred cipher, the Windows Group Policy has to be enabled and edited to use a specific cipher. After it is enabled and edited, the machine has to be restarted to pick up the changes. Please note that the change in the Windows Group Policy applies to all the applications running on the machine.

The following KC page has more information on it: https://www.ibm.com/docs/en/ibm-mq/9.1?topic=client-cipherspec-support-managed-net

For a client running on Linux: on Linux, .NET uses OpenSSL for SSL communications, so to set the CipherSpec preferences the OpenSSL config file has to be edited.
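The queue manager's error log is where this mismatch surfaces, and the answer's point is that the fix on a Linux client lives in OpenSSL, not in the XMS property. The following Python is an added example (not code from the question, the answer, or IBM) that extracts the required and negotiated CipherSpec from AMQ9631E entries in queue-manager error-log text and looks up the OpenSSL cipher name a Linux client would need to pin. The log text is constructed to follow the message format quoted in the question; the channel and queue manager names are made up, and the CipherSpec-to-OpenSSL table covers only the two suites on the page plus two common TLS 1.2 RSA suites added as an assumption.

```python
"""Find AMQ9631E CipherSpec mismatches in IBM MQ queue-manager error-log text."""
import re

# Subset of IBM MQ CipherSpec names and the matching OpenSSL cipher names.
# The first two are the suites quoted on the page; the last two are common
# TLS 1.2 RSA suites added here as an assumption for illustration.
MQ_TO_OPENSSL = {
    "TLS_RSA_WITH_AES_256_CBC_SHA256": "AES256-SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384": "AES256-GCM-SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA256": "AES128-SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256": "AES128-GCM-SHA256",
}

# Constructed sample of two error-log entries (queue manager and channel names
# are invented; the message text mirrors the AMQ9631E format in the question).
SAMPLE_LOG = """\
11/07/2022 10:15:32 - Process(4242.7) User(mqm) Program(amqrmppa)
                      Host(mqhost) Installation(Installation1)
                      VRMF(9.1.0.0) QMgr(QM1)

AMQ9631E: The CipherSpec negotiated during the SSL handshake does not match
the required CipherSpec for channel 'APP.SVRCONN'.

EXPLANATION:
There is a mismatch between the CipherSpecs on the local and remote ends of
channel 'APP.SVRCONN'. The channel will not run until this mismatch is
resolved. The CipherSpec required in the local channel definition is
'TLS_RSA_WITH_AES_256_CBC_SHA256'. The name of the CipherSpec negotiated
during the SSL handshake is 'TLS_RSA_WITH_AES_256_GCM_SHA384'.
ACTION:
Change the channel definitions for 'APP.SVRCONN' so the two ends have
matching CipherSpecs and restart the channel.

11/07/2022 10:16:05 - Process(4242.7) User(mqm) Program(amqrmppa)
                      Host(mqhost) Installation(Installation1)
                      VRMF(9.1.0.0) QMgr(QM1)

AMQ9631E: The CipherSpec negotiated during the SSL handshake does not match
the required CipherSpec for channel 'BATCH.SVRCONN'.

EXPLANATION:
There is a mismatch between the CipherSpecs on the local and remote ends of
channel 'BATCH.SVRCONN'. The channel will not run until this mismatch is
resolved. The CipherSpec required in the local channel definition is
'ECDHE_RSA_AES_128_CBC_SHA256'. The name of the CipherSpec negotiated
during the SSL handshake is 'TLS_RSA_WITH_AES_256_GCM_SHA384'.
ACTION:
Change the channel definitions for 'BATCH.SVRCONN' so the two ends have
matching CipherSpecs and restart the channel.
"""

# The three quoted values always appear in this order within one entry.
_MISMATCH = re.compile(
    r"AMQ9631E: .*? for channel '(?P<channel>[^']+)'\..*?"
    r"required in the local channel definition is '(?P<required>[^']+)'\..*?"
    r"negotiated during the SSL handshake is '(?P<negotiated>[^']+)'\."
)


def parse_amq9631e(log_text):
    """Return one dict (channel, required, negotiated) per AMQ9631E entry.

    The queue manager wraps long messages across lines, so all whitespace is
    collapsed first and the pattern is applied to the flattened text.
    """
    flat = " ".join(log_text.split())
    return [m.groupdict() for m in _MISMATCH.finditer(flat)]


def openssl_cipherstring(mq_cipherspec):
    """OpenSSL CipherString that pins a Linux client to the channel's
    CipherSpec, or None when the name is not in the table above."""
    return MQ_TO_OPENSSL.get(mq_cipherspec)


def mismatch_report(log_text):
    """Summarise each mismatch as (channel, required, negotiated, fix)."""
    report = []
    for entry in parse_amq9631e(log_text):
        fix = openssl_cipherstring(entry["required"])
        report.append((
            entry["channel"], entry["required"], entry["negotiated"],
            fix or "no OpenSSL name in table; check the IBM MQ CipherSpec list",
        ))
    return report


if __name__ == "__main__":
    for channel, required, negotiated, fix in mismatch_report(SAMPLE_LOG):
        print(f"{channel}: channel requires {required}, client negotiated "
              f"{negotiated}; OpenSSL CipherString to pin: {fix}")
```

The OpenSSL name returned for the channel's CipherSpec is the value to place in the CipherString setting of the client's OpenSSL configuration, which is the file the answer says has to be edited on Linux; the table is deliberately small, so extend it from IBM's CipherSpec documentation before relying on it for other suites.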
