In IBM WebSphere MQ, can you disable TLSv1.0 and TLSv1.1 SSL ciphers / protocols?
https://developer.ibm.com/answers/questions/213076/in-ibm-websphere-mq-can-you-disable-tlsv10-and-tls.htmIn IBM WebSphere MQ, can you disable TLSv1.0 and TLSv1.1 SSL ciphers / protocols?
In IBM WebSphere MQ, can you disable TLSv1.0 and TLSv1.1 SSL ciphers / protocols?
Accepted answer
As you probably know, the latest updates to MQ are deprecating (disabling) the use of SSLv3 ciphers (and some "weak" TLS ciphers) due to known security vulnerabilities. Several customers have asked about disabling TLSv1.0 and TLSv1.1 ciphers also.
*There is a new APAR which allows disabling TLSv1.0 ciphers at the listener level in the latest maintenance releases of MQ v8 and v9. This is enabled via a qm.ini setting, see:
SSL:AllowTLSV1=NO
Before that APAR, TLSv1 could not be disabled at the listener level, but you could still configure MQ to only allow channel communications on certain ciphers.
The simplest way to disable TLSv1.0 & TLSv1.1 protocols would be to set a TLSv1.2 cipherspec in the channel definition. The queue manager will only allow that cipherspec to be used which was configured on the channel; thus if you configure your channels with TLSv1.2 ciphers, that would mean that TLSv1.0 & TLSv1.1 protocols being disabled.
There is another way to disable TLSv1.0 protocol which is by enabling Suite B mode. The GSKit docs state that Suite B will disable all protocols except TLSv1.2. Information on Suite B implementation is here:
The configuration of Suite B mode is given in the following link:
To have a look at the list of cipherspecs and the corresponding protocols used by them, follow the below link:
Update: MQ/SSL connections can not disabled at MQ listener level, the options noted above cause the MQ channel to fail to start unless using an adequate cipher, but they do not disable the MQ listener process from initially receiving the TLSv1.0 session.
I hope this helps. Please add comments or info.
Related info:
Deprecation: SSLv3 protocol ( MQ v7.0.1.13, v7.1.0.7, v7.5.0.5, v8.0.0.2 )
http://www-01.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.pro.doc/q123420_.htm?lang=en
http://www-01.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.pro.doc/q123420_.htm?lang=en
Deprecation: Weak Ciphers deprecated ( MQ v7.0.1.13, v7.1.0.7, v7.5.0.6, v8.0,0.3 )
http://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.pro.doc/q123425_.htm?lang=en
http://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.pro.doc/q123425_.htm?lang=en
We have some problems regarding the suggestions.
Set a TLSv1.2 cipherspec in the channel definition doesn't mean the TLS 1.0 and TLS 1.1 will be disable. We did the test and they are enable.
Set SUITEB on queue manager will force the ciphers TLS 1.2 with elliptic curve. Unfortunately, ciphers with elliptic curve are vulnerable too. http://www-01.ibm.com/support/docview.wss?uid=swg21688949
Do we have any other option to disable the TLS 1.0 and TLS 1.1?
Before APAR IT23235 (noted above), by default MQ would accept the TLS 1.0 connection and then disconnect it if it requests a channel that requires TLS 1.2.
There was no way to disable TLS 1.0/1.1 completely short off the SUITEB setting noted above..
There was no way to disable TLS 1.0/1.1 completely short off the SUITEB setting noted above..
If there is a need to fully disable TLS 1.0/1.1 the recommendation is to create an Enhancement requests at the following website:
Select 'IBM MQ', then can search or submit new requests.
