In the 9.1.4 Announcement letter we announced several Statements of Direction with one focussed on the deprecated SSL v3 and TLS v1.0 Ciphers:
The next Long Term Support (LTS) release of IBM is to be the last to provide SSL v3 and TLS v1.0 support. The plan is to remove support in a future CD release after that.
For customers who have already updated their TLS configuration to stop using SSLv3 and TLS 1.0 Ciphers this change will have no impact. However, if you are still using SSLv3 and TLS v1.0 then you need to be aware that in a future LTS release these Ciphers will not be supported by IBM MQ.
The SSL v3 and TLS v1.0 Ciphers have been disabled by default for a number of years and continued support across the industry is starting to fade. In addition, TLS v1.3 disallows SSL v3 and a large portion of TLS v1.0 ciphers from being used. For these reasons a move to remove the ciphers from support in IBM MQ is being made.
How long until the Ciphers are no longer available?
The statement of direction states that the next LTS release will be the last to support SSL v3 & TLS v1.0.
Our Long Term Support and Continuous delivery FAQ also states the following: “The exact duration between releases is not fixed but the expected frequency is LTS releases approximately every two years and CD releases every few months.”
The last LTS release (9.1) was released in July 2018, so a new LTS release could be as soon as the middle of 2020. Assuming this LTS release has the same Standard Support model of 5 years standard, 3 years support then SSL v3 and TLS 1.0 will no longer be available in IBM MQ after this release goes out of support. Which would then mean that SSL v3 and TLS v1.0 may no longer be available in Supported Releases of IBM MQ from 2025 for standard support and 2028 for Extended Support. Of course these dates are estimates and subject to change, but hopefully this gives a rough estimate to determine when you would need to have migrated away from these Ciphers.
I have concerns and would like to discuss this with someone
We realise that this move will be disruptive for some customers and these customers may wish to discuss it with someone from the development department. In this case I would suggest a few options for starting the conversation with us. If you’re willing and able to share your concerns publicly then a comment on this post would allow us to respond publicly so others with similar concerns can quickly get a response. Of course this may not be appropriate for everyone in which case I would suggest:
- Reaching out to your IBM MQ Lab Advocate.
- Reaching out to me directly via email at (firstname.lastname@example.org)