TLS 2 与 JDk 8 Ciphersuites 与 MQ8?
TLSv2 with JDk8 Ciphersuites with MQ8?
我想了解带有 JDk8 密码套件的 TLSv2 和带有 MQ8 的规范?
我在 unix
上使用 'runmqckm' 命令在 MQ8 上创建了一个 jks 文件
jks 是否依赖于参数“-sig_alg”
上的 Ciphersuites 和 Spec
https://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.ref.adm.doc/q083860_.htm
Question on TLSv2 Ciphersuite
SUite<>SPec 组合无法正常工作,如下站点
https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_8.0.0/com.ibm.mq.dev.doc/q113220_.htm
CipherSpec-TLS_RSA_WITH_AES_128_CBC_SHA256
等效密码套件 - SSL_RSA_WITH_AES_128_CBC_SHA256
协议 - TLSv1.2
兼容 FIPS 140-2 - 是
工作
MQEnvironment.sslCipherSuite = "TLS_RSA_WITH_AES_128_CBC_SHA256"
改变通道(TEST.CH)CHLTYPE(SVRCONN)SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
不工作
MQEnvironment.sslCipherSuite = "SSL_RSA_WITH_AES_128_CBC_SHA256";
改变通道(TEST.CH)CHLTYPE(SVRCONN)SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
Only 3 TLS Ciphers i can Test as below , what spec i can use?
Oracle 密码套件
1.TLS_RSA_WITH_NULL_SHA256
2.TLS_RSA_WITH_AES_128_CBC_SHA256
3.TLS_RSA_WITH_AES_256_CBC_SHA256
MQ 规范
1.??
2.TLS_RSA_WITH_AES_128_CBC_SHA256
3.??
Only 1 cipher i can use part of TLS (JDK8 + MQ8)?
工作
TLS_RSA_WITH_AES_128_CBC_SHA256 --> TLS_RSA_WITH_AES_128_CBC_SHA256
不工作
TLS_RSA_WITH_NULL_SHA256 --> TLS_RSA_WITH_NULL_SHA256
ALTER CHANNEL(TEST.CH) CHLTYPE(SVRCONN) SSLCIPH(TLS_RSA_WITH_NULL_SHA256)
1 : ALTER CHANNEL(TEST.CH) CHLTYPE(SVRCONN) SSLCIPH(TLS_RSA_WITH_NULL_SHA256)
AMQ8242: SSLCIPH definition wrong.
不工作
TLS_RSA_WITH_AES_256_CBC_SHA256 --> TLS_RSA_WITH_AES_256_CBC_SHA256
MQJE001: Completion Code '2', Reason '2393'.
com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2393'.
at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:249)
at com.ibm.mq.MQClientManagedConnectionFactoryJ11._createManagedConnection(MQClientManagedConnectionFactoryJ11.java:450)
at com.ibm.mq.MQClientManagedConnectionFactoryJ11.createManagedConnection(MQClientManagedConnectionFactoryJ11.java:487)
at com.ibm.mq.StoredManagedConnection.<init>(StoredManagedConnection.java:97)
at com.ibm.mq.MQSimpleConnectionManager.allocateConnection(MQSimpleConnectionManager.java:194)
at com.ibm.mq.MQQueueManagerFactory.obtainBaseMQQueueManager(MQQueueManagerFactory.java:868)
at com.ibm.mq.MQQueueManagerFactory.procure(MQQueueManagerFactory.java:816)
at com.ibm.mq.MQQueueManagerFactory.constructQueueManager(MQQueueManagerFactory.java:758)
at com.ibm.mq.MQQueueManagerFactory.createQueueManager(MQQueueManagerFactory.java:200)
at com.ibm.mq.MQQueueManager.<init>(MQQueueManager.java:682)
at MQProducerTLS.main(MQProducerTLS.java:89)
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2393;AMQ9204: Connection to host 'localhost(2017)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2393;AMQ9771: SSL handshake failed. [1=java.lang.IllegalArgumentException[Cannot support TLS_RSA_WITH_AES_256_CBC_SHA256 with currently installed providers],3=localhost/127.0.0.1:2017 (localhost),4=SSLSocket.createSocket,5=default]],3=localhost(2017),5=RemoteTCPConnection.makeSocketSecure]
at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:2282)
at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1294)
at com.ibm.mq.ese.jmqi.InterceptedJmqiImpl.jmqiConnect(InterceptedJmqiImpl.java:376)
at com.ibm.mq.ese.jmqi.ESEJMQI.jmqiConnect(ESEJMQI.java:560)
at com.ibm.mq.MQSESSION.MQCONNX_j(MQSESSION.java:916)
at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:235)
... 10 more
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2393;AMQ9771: SSL handshake failed. [1=java.lang.IllegalArgumentException[Cannot support TLS_RSA_WITH_AES_256_CBC_SHA256 with currently installed providers],3=localhost/127.0.0.1:2017 (localhost),4=SSLSocket.createSocket,5=default]
at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.makeSocketSecure(RemoteTCPConnection.java:2049)
at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.connnectUsingLocalAddress(RemoteTCPConnection.java:861)
at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1277)
at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:863)
at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection(RemoteConnectionSpecification.java:409)
at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession(RemoteConnectionSpecification.java:305)
at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146)
at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1730)
... 15 more
Caused by: java.lang.IllegalArgumentException: Cannot support TLS_RSA_WITH_AES_256_CBC_SHA256 with currently installed providers
at sun.security.ssl.CipherSuiteList.<init>(CipherSuiteList.java:81)
at sun.security.ssl.SSLSocketImpl.setEnabledCipherSuites(SSLSocketImpl.java:2461)
at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.makeSocketSecure(RemoteTCPConnection.java:2041)
... 22 more
Update on 20-Feb-2017
当示例代码放置在应用程序中时出现以下授权错误
新问题 link 如下
关于 runmqckm 命令的 -sig_alg 标志,下面的详细信息在您提供的 link 中:
The hashing algorithm used during the creation of a certificate
request, a self-signed certificate, or the signing of a certificate.
This hashing algorithm is used to create the signature associated with
the newly-created certificate or certificate request.
实际上,runmqckm 命令的 -sig_alg 标志与您在 Java 中指定的 CipherSuite 或您在 MQ SVRCONN 通道上指定的 CipherSpec 无关。
在我对您之前问题的回答中“ 我提供了以下信息:
APAR IV66840 中的 table 有此信息:
The following WebSphere MQ CipherSuite to CipherSpec mappings have
been enabled by this APAR for WebSphere MQ v7.1 and v7.5 where the
classes for Java and classes for JMS support SHA-2:
Oracle CipherSuite IBM MQ CipherSpec
TLS_RSA_WITH_NULL_SHA256 TLS_RSA_WITH_NULL_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256
如果您按照我提供的 link APAR IV66840 进行操作,您会发现关于 MQ v8.0 的相同类型的信息:
The following WebSphere MQ CipherSuite to CipherSpec mappings
have been enabled by this APAR for WebSphere MQ v8:
CipherSuite --> CipherSpec
...
TLS_RSA_WITH_AES_128_CBC_SHA256 --> TLS_RSA_WITH_AES_128_CBC_SHA256
...
TLS_RSA_WITH_AES_256_CBC_SHA256 --> TLS_RSA_WITH_AES_256_CBC_SHA256
...
TLS_RSA_WITH_NULL_SHA256 --> TLS_RSA_WITH_NULL_SHA256
UPDATE (2017/02/16) to address further questions
问题 1:TLS_RSA_WITH_NULL_SHA256 不工作
回答:TLS_RSA_WITH_NULL_SHA256被认为是一种弱密码规范,因为它不提供数据加密并且在 v8.0 中默认禁用。
如果您真的想使用这个弱密码规范,您可以在启动队列管理器之前设置以下环境变量:
AMQ_SSL_WEAK_CIPHER_ENABLE=TLS_RSA_WITH_NULL_SHA256
或者将以下内容添加到 qm.ini 的 SSL: 节并启动队列管理器:
SSL:
AllowWeakCipherSpec=TLS_RSA_WITH_NULL_SHA256
下面是有关此主题的更多详细信息。
在我对您先前问题的回答中”我提供了以下信息:
There is a very good IBM developerWorks blog post "SSL and TLS Cipher
Specification Deprecations for the MQ
Product"
posted May 19 2016 by Miguel A. Rodriguez that goes into detail about
which ciphers are deprecated in various Fix Packs.
其中 link 指出:
V. With the release IBM MQ V8.0.0.3, SSL and weak TLS Cipher
Specifications continue to be deprecated (disabled), as in the prior
versions mentioned above, but now weak Cipher Specifications require a
new value. This change is for both SSL and weak TLS Cipher
Specifications.
AMQ_SSL_WEAK_CIPHER_ENABLE=Value
or
SSL:
AllowWeakCipherSpec=Value
The accepted values for the environment variable or queue manager configuration setting is as follows:
- A single SSL or Weak TLS Cipher Specification Name.
- A string of SSL or Weak TLS Cipher Specification names delimited by commas.
- The value of "ALL" to enable all SSL and all weak TLS Cipher Specifications.
. . .
VI. Deprecated (disabled) SSL Cipher Specifications and Weak TLS
Cipher Specifications.
NOTE: These are the Cipher Specifications that REQUIRE the environment
variables or qm.ini setting discussed previously, in order to use them
for encrypted communications.
Below is a list of deprecated (disabled) Cipher Specifications
categorized by the protocol, the version, and applicable Operating
System. Details concerning deprecated Cipher Specifications can be
found in product documentation section "Deprecated CipherSpecs."
SSL V3
All CipherSpecs are disabled by default
TLS 1.0
Cipher Specification Operating System
TLS_RSA_EXPORT_WITH_RC2_40_MD5 IBMi
TLS_RSA_EXPORT_WITH_RC4_40_MD5 IBMi
TLS_RSA_WITH_DES_CBC_SHA All Platforms
TLS_RSA_WITH_NULL_MD5 IBMi
TLS_RSA_WITH_NULL_SHA IBMi
TLS_RSA_WITH_RC4_128_MD5 IBMi
TLS 1.2
Cipher Specification Operating System
ECDHE_ECDSA_NULL_SHA256 Linux,Windows,Unix
ECDHE_ECDSA_RC4_128_SHA256 Linux,Windows,Unix
ECDHE_RSA_NULL_SHA256 Linux,Windows,Unix
ECDHE_RSA_RC4_128_SHA256 Linux,Windows,Unix
TLS_RSA_WITH_NULL_NULL Linux,Windows,Unix
TLS_RSA_WITH_NULL_SHA256 All Platforms
TLS_RSA_WITH_RC4_128_SHA256 Linux,Windows,Unix
问题 2:TLS_RSA_WITH_AES_256_CBC_SHA256 不工作
答案:对您之前的问题重复使用相同的答案”我提供了以下信息:
After searching on the error you are receiving I found this dW Answers
post "Why do I get AMQ9771, 2393 SSL Initialization error from a MQ
Java/JMS application when trying to use an TLS AES 256
cipher?".
It states that the following:
In this case, the issue is caused by attempting to use AES 256 strong
cipher algorithms.
Most Java JREs, including Oracle/Sun and IBM's have Import Limits on
Cryptographic Algorithms enabled. This limits the maximum key sizes
and also some algorithms.
When trying to use a AES 256 cipher, such as
ECDHE_RSA_AES_256_CBC_SHA384 or TLS_RSA_WITH_AES_256_CBC_SHA256 with a
MQ Java/JMS application, you need to ensure your JRE supports this
cipher. In most cases, when the stronger cipher algorithms are needed,
such as AES 256 ciphers, the JCE Unlimited Strength Jurisdiction
Policy Files must be obtained and installed in the JDK/JRE.
This is noted in the JDK/JRE documentation: For Oracle 1.7:
http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html
Oracle 站点上面的 link 指出:
If stronger algorithms are needed (for example, AES with 256-bit
keys), the JCE Unlimited Strength Jurisdiction Policy Files
must be
obtained and installed in the JDK/JRE.
It is the user's responsibility to verify that this action is
permissible under local regulations.
我建议您要么使用较低的 CipherSuite
TLS_RSA_WITH_AES_128_CBC_SHA256,或按照上面的建议
获取并安装 JCE Unlimited Strength Jurisdiction Policy
文件.
我想了解带有 JDk8 密码套件的 TLSv2 和带有 MQ8 的规范?
我在 unix
上使用 'runmqckm' 命令在 MQ8 上创建了一个 jks 文件
jks 是否依赖于参数“-sig_alg”
https://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.ref.adm.doc/q083860_.htm
Question on TLSv2 Ciphersuite
SUite<>SPec 组合无法正常工作,如下站点
https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_8.0.0/com.ibm.mq.dev.doc/q113220_.htm
CipherSpec-TLS_RSA_WITH_AES_128_CBC_SHA256
等效密码套件 - SSL_RSA_WITH_AES_128_CBC_SHA256
协议 - TLSv1.2
兼容 FIPS 140-2 - 是
工作
MQEnvironment.sslCipherSuite = "TLS_RSA_WITH_AES_128_CBC_SHA256"
改变通道(TEST.CH)CHLTYPE(SVRCONN)SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
不工作
MQEnvironment.sslCipherSuite = "SSL_RSA_WITH_AES_128_CBC_SHA256";
改变通道(TEST.CH)CHLTYPE(SVRCONN)SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
Only 3 TLS Ciphers i can Test as below , what spec i can use?
Oracle 密码套件
1.TLS_RSA_WITH_NULL_SHA256
2.TLS_RSA_WITH_AES_128_CBC_SHA256
3.TLS_RSA_WITH_AES_256_CBC_SHA256
MQ 规范
1.??
2.TLS_RSA_WITH_AES_128_CBC_SHA256
3.??
Only 1 cipher i can use part of TLS (JDK8 + MQ8)?
工作
TLS_RSA_WITH_AES_128_CBC_SHA256 --> TLS_RSA_WITH_AES_128_CBC_SHA256
不工作
TLS_RSA_WITH_NULL_SHA256 --> TLS_RSA_WITH_NULL_SHA256
ALTER CHANNEL(TEST.CH) CHLTYPE(SVRCONN) SSLCIPH(TLS_RSA_WITH_NULL_SHA256)
1 : ALTER CHANNEL(TEST.CH) CHLTYPE(SVRCONN) SSLCIPH(TLS_RSA_WITH_NULL_SHA256)
AMQ8242: SSLCIPH definition wrong.
不工作
TLS_RSA_WITH_AES_256_CBC_SHA256 --> TLS_RSA_WITH_AES_256_CBC_SHA256
MQJE001: Completion Code '2', Reason '2393'.
com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2393'.
at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:249)
at com.ibm.mq.MQClientManagedConnectionFactoryJ11._createManagedConnection(MQClientManagedConnectionFactoryJ11.java:450)
at com.ibm.mq.MQClientManagedConnectionFactoryJ11.createManagedConnection(MQClientManagedConnectionFactoryJ11.java:487)
at com.ibm.mq.StoredManagedConnection.<init>(StoredManagedConnection.java:97)
at com.ibm.mq.MQSimpleConnectionManager.allocateConnection(MQSimpleConnectionManager.java:194)
at com.ibm.mq.MQQueueManagerFactory.obtainBaseMQQueueManager(MQQueueManagerFactory.java:868)
at com.ibm.mq.MQQueueManagerFactory.procure(MQQueueManagerFactory.java:816)
at com.ibm.mq.MQQueueManagerFactory.constructQueueManager(MQQueueManagerFactory.java:758)
at com.ibm.mq.MQQueueManagerFactory.createQueueManager(MQQueueManagerFactory.java:200)
at com.ibm.mq.MQQueueManager.<init>(MQQueueManager.java:682)
at MQProducerTLS.main(MQProducerTLS.java:89)
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2393;AMQ9204: Connection to host 'localhost(2017)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2393;AMQ9771: SSL handshake failed. [1=java.lang.IllegalArgumentException[Cannot support TLS_RSA_WITH_AES_256_CBC_SHA256 with currently installed providers],3=localhost/127.0.0.1:2017 (localhost),4=SSLSocket.createSocket,5=default]],3=localhost(2017),5=RemoteTCPConnection.makeSocketSecure]
at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:2282)
at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1294)
at com.ibm.mq.ese.jmqi.InterceptedJmqiImpl.jmqiConnect(InterceptedJmqiImpl.java:376)
at com.ibm.mq.ese.jmqi.ESEJMQI.jmqiConnect(ESEJMQI.java:560)
at com.ibm.mq.MQSESSION.MQCONNX_j(MQSESSION.java:916)
at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:235)
... 10 more
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2393;AMQ9771: SSL handshake failed. [1=java.lang.IllegalArgumentException[Cannot support TLS_RSA_WITH_AES_256_CBC_SHA256 with currently installed providers],3=localhost/127.0.0.1:2017 (localhost),4=SSLSocket.createSocket,5=default]
at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.makeSocketSecure(RemoteTCPConnection.java:2049)
at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.connnectUsingLocalAddress(RemoteTCPConnection.java:861)
at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1277)
at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:863)
at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection(RemoteConnectionSpecification.java:409)
at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession(RemoteConnectionSpecification.java:305)
at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146)
at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1730)
... 15 more
Caused by: java.lang.IllegalArgumentException: Cannot support TLS_RSA_WITH_AES_256_CBC_SHA256 with currently installed providers
at sun.security.ssl.CipherSuiteList.<init>(CipherSuiteList.java:81)
at sun.security.ssl.SSLSocketImpl.setEnabledCipherSuites(SSLSocketImpl.java:2461)
at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.makeSocketSecure(RemoteTCPConnection.java:2041)
... 22 more
Update on 20-Feb-2017
当示例代码放置在应用程序中时出现以下授权错误 新问题 link 如下
关于 runmqckm 命令的 -sig_alg 标志,下面的详细信息在您提供的 link 中:
The hashing algorithm used during the creation of a certificate request, a self-signed certificate, or the signing of a certificate. This hashing algorithm is used to create the signature associated with the newly-created certificate or certificate request.
实际上,runmqckm 命令的 -sig_alg 标志与您在 Java 中指定的 CipherSuite 或您在 MQ SVRCONN 通道上指定的 CipherSpec 无关。
在我对您之前问题的回答中“
APAR IV66840 中的 table 有此信息:
The following WebSphere MQ CipherSuite to CipherSpec mappings have been enabled by this APAR for WebSphere MQ v7.1 and v7.5 where the classes for Java and classes for JMS support SHA-2:
Oracle CipherSuite IBM MQ CipherSpec TLS_RSA_WITH_NULL_SHA256 TLS_RSA_WITH_NULL_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256
如果您按照我提供的 link APAR IV66840 进行操作,您会发现关于 MQ v8.0 的相同类型的信息:
The following WebSphere MQ CipherSuite to CipherSpec mappings have been enabled by this APAR for WebSphere MQ v8:
CipherSuite --> CipherSpec ... TLS_RSA_WITH_AES_128_CBC_SHA256 --> TLS_RSA_WITH_AES_128_CBC_SHA256 ... TLS_RSA_WITH_AES_256_CBC_SHA256 --> TLS_RSA_WITH_AES_256_CBC_SHA256 ... TLS_RSA_WITH_NULL_SHA256 --> TLS_RSA_WITH_NULL_SHA256
UPDATE (2017/02/16) to address further questions
问题 1:TLS_RSA_WITH_NULL_SHA256 不工作
回答:TLS_RSA_WITH_NULL_SHA256被认为是一种弱密码规范,因为它不提供数据加密并且在 v8.0 中默认禁用。
如果您真的想使用这个弱密码规范,您可以在启动队列管理器之前设置以下环境变量:
AMQ_SSL_WEAK_CIPHER_ENABLE=TLS_RSA_WITH_NULL_SHA256
或者将以下内容添加到 qm.ini 的 SSL: 节并启动队列管理器:
SSL:
AllowWeakCipherSpec=TLS_RSA_WITH_NULL_SHA256
下面是有关此主题的更多详细信息。
在我对您先前问题的回答中
There is a very good IBM developerWorks blog post "SSL and TLS Cipher Specification Deprecations for the MQ Product" posted May 19 2016 by Miguel A. Rodriguez that goes into detail about which ciphers are deprecated in various Fix Packs.
其中 link 指出:
V. With the release IBM MQ V8.0.0.3, SSL and weak TLS Cipher Specifications continue to be deprecated (disabled), as in the prior versions mentioned above, but now weak Cipher Specifications require a new value. This change is for both SSL and weak TLS Cipher Specifications.
AMQ_SSL_WEAK_CIPHER_ENABLE=Value or SSL: AllowWeakCipherSpec=ValueThe accepted values for the environment variable or queue manager configuration setting is as follows:
- A single SSL or Weak TLS Cipher Specification Name.
- A string of SSL or Weak TLS Cipher Specification names delimited by commas.
- The value of "ALL" to enable all SSL and all weak TLS Cipher Specifications.
. . .
VI. Deprecated (disabled) SSL Cipher Specifications and Weak TLS Cipher Specifications.
NOTE: These are the Cipher Specifications that REQUIRE the environment variables or qm.ini setting discussed previously, in order to use them for encrypted communications.
Below is a list of deprecated (disabled) Cipher Specifications categorized by the protocol, the version, and applicable Operating System. Details concerning deprecated Cipher Specifications can be found in product documentation section "Deprecated CipherSpecs."
SSL V3
All CipherSpecs are disabled by default
TLS 1.0
Cipher Specification Operating System
TLS_RSA_EXPORT_WITH_RC2_40_MD5 IBMi
TLS_RSA_EXPORT_WITH_RC4_40_MD5 IBMi
TLS_RSA_WITH_DES_CBC_SHA All Platforms
TLS_RSA_WITH_NULL_MD5 IBMi
TLS_RSA_WITH_NULL_SHA IBMi
TLS_RSA_WITH_RC4_128_MD5 IBMi
TLS 1.2
Cipher Specification Operating System
ECDHE_ECDSA_NULL_SHA256 Linux,Windows,Unix
ECDHE_ECDSA_RC4_128_SHA256 Linux,Windows,Unix
ECDHE_RSA_NULL_SHA256 Linux,Windows,Unix
ECDHE_RSA_RC4_128_SHA256 Linux,Windows,Unix
TLS_RSA_WITH_NULL_NULL Linux,Windows,Unix
TLS_RSA_WITH_NULL_SHA256 All Platforms
TLS_RSA_WITH_RC4_128_SHA256 Linux,Windows,Unix
问题 2:TLS_RSA_WITH_AES_256_CBC_SHA256 不工作
答案:对您之前的问题重复使用相同的答案
After searching on the error you are receiving I found this dW Answers post "Why do I get AMQ9771, 2393 SSL Initialization error from a MQ Java/JMS application when trying to use an TLS AES 256 cipher?". It states that the following:
In this case, the issue is caused by attempting to use AES 256 strong cipher algorithms.
Most Java JREs, including Oracle/Sun and IBM's have Import Limits on Cryptographic Algorithms enabled. This limits the maximum key sizes and also some algorithms.
When trying to use a AES 256 cipher, such as ECDHE_RSA_AES_256_CBC_SHA384 or TLS_RSA_WITH_AES_256_CBC_SHA256 with a MQ Java/JMS application, you need to ensure your JRE supports this cipher. In most cases, when the stronger cipher algorithms are needed, such as AES 256 ciphers, the JCE Unlimited Strength Jurisdiction Policy Files must be obtained and installed in the JDK/JRE.
This is noted in the JDK/JRE documentation: For Oracle 1.7:
http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html
Oracle 站点上面的 link 指出:
If stronger algorithms are needed (for example, AES with 256-bit keys), the JCE Unlimited Strength Jurisdiction Policy Files must be obtained and installed in the JDK/JRE.
It is the user's responsibility to verify that this action is permissible under local regulations.
我建议您要么使用较低的 CipherSuite
TLS_RSA_WITH_AES_128_CBC_SHA256,或按照上面的建议 获取并安装 JCE Unlimited Strength Jurisdiction Policy 文件.