I have created a support case with IBM about this and they have confirmed that there is a bug in this product. Thanks for the suggestion, @Kok Wai Leung; I haven't had the time to try your approach. Besides, I think I should not have to change server configuration if I update the client library that is supposed to be compatible with previous server config.
Original Message:
Sent: Tue August 15, 2023 02:32 AM
From: Kok Wai Leung
Subject: IBM XMS Managed Client TLS 1.2 connection error after Nuget update from 9.3.2.1 to 9.3.3
Try the following:
At the SVRCONN channel definition, set the SSLCIPH to ANY_TLS12 (not ANY_TLS12_OR_HIGHER). Then re-test the connection from the .NET client using any of the TLS 1.2 cipherspecs, e.g. TLS_RSA_WITH_AES_256_CBC_SHA256 or TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.
If you want to use a TLS 1.3 cipherspec, your Windows machine must be running Windows 11 or Windows Server 2022.
------------------------------
Kok Wai Leung
Original Message:
Sent: Mon August 14, 2023 09:28 AM
From: Bjarki Björgúlfsson
Subject: IBM XMS Managed Client TLS 1.2 connection error after Nuget update from 9.3.2.1 to 9.3.3
Maybe I wasn't very clear in my previous reply, I apologize. What I was trying to say is that I tested all the cipher specs in the mapping table, both 1.3 and 1.2. The specs you are referring to are a part of the list.
In short, with version 9.3.2.1 the following are the only ones that work with 1.3 specs included:
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
But with version 9.3.3 none of the 1.2 or 1.3 specs in the table work.
------------------------------
Bjarki Björgúlfsson
Original Message:
Sent: Mon August 14, 2023 08:10 AM
From: Francois Brandelik
Subject: IBM XMS Managed Client TLS 1.2 connection error after Nuget update from 9.3.2.1 to 9.3.3
Don't do that. SHA, or SHA1 as it is also called, is deprecated.
If you can avoid it, don't use CBC.
At TLS 1.2 use this one: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
or at TLS 1.3 use this one: TLS_AES_256_GCM_SHA384
It could well be that the .NET version won't allow you to use any deprecated ciphers, even if they are/were TLS 1.2.
------------------------------
Francois Brandelik
Original Message:
Sent: Mon August 14, 2023 07:48 AM
From: Bjarki Björgúlfsson
Subject: IBM XMS Managed Client TLS 1.2 connection error after Nuget update from 9.3.2.1 to 9.3.3
Thanks for the reply,
Based on Cipher specs listed here:
CipherSpec mappings for the managed .NET client - IBM Documentation
In brief I get the following errors when testing the TLS cipher specs in the list:
TLS 1.2 with 9.3.3
For:
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
I get CompCode: 2 Reason: 2393 with the message "The client and server cannot communicate, because they do not possess a common algorithm."
For the rest of the 1.2 specs I get the same trace error as in my original post with no helpful error message.
TLS 1.3 with 9.3.3 and 9.3.2.1
I basically get the same trace log when testing the 1.3 cipher specs with versions 9.3.3 and 9.3.2.1.
The difference is that 9.3.3 throws CompCode: 2 Reason: 2393 but 9.3.2.1 throws CompCode: 2 Reason: 2538.
But the exception message is the same:
System.ComponentModel.Win32Exception (0x80090308): The token supplied to the function is invalid
------------------------------
Bjarki Björgúlfsson
Original Message:
Sent: Mon August 14, 2023 02:42 AM
From: Francois Brandelik
Subject: IBM XMS Managed Client TLS 1.2 connection error after Nuget update from 9.3.2.1 to 9.3.3
Have you tried switching from TLS_RSA_WITH_AES_128_CBC_SHA256 to something like TLS_RSA_WITH_AES_256_GCM_SHA384?
There was a note somewhere in the SSL stuff that the CBC stuff wasn't that secure anymore.
You could also try something like this (from memory) TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ....
Or go completely TLS 1.3 with TLS_AES_256_GCM_SHA384...
Hope it helps
------------------------------
Francois Brandelik
Original Message:
Sent: Fri August 11, 2023 01:35 PM
From: Bjarki Björgúlfsson
Subject: IBM XMS Managed Client TLS 1.2 connection error after Nuget update from 9.3.2.1 to 9.3.3
Greetings,
I'm having trouble when I update the client NuGet package from 9.3.2.1 to 9.3.3:
NuGet Gallery | IBMXMSDotnetClient 9.3.3
I'm running .NET 6 client side on Windows. MQ Server version 09020003 is running on Linux.
The channel SSL Cipher Spec is ANY_TLS12_OR_HIGHER server side.

I'm using the TLS_RSA_WITH_AES_128_CBC_SHA256 cipher spec client side. The signature algorithm on the certificate is sha256RSA; the public key is RSA 2048 bits.
Everything works fine when using 9.3.2.1 but after upgrade I get MQException CompCode: 2 Reason: 2393. My system administrator tells me that there are no errors found server side so it looks like it is a client issue. Below is the SSL Authentication section before and after the update from trace:
Before:
IBM.WMQ.Nmqi.MQEncryptedSocket ----+---- > MakeSecuredConnection() entry
IBM.WMQ.Nmqi.MQEncryptedSocket ----+---- d Created an instance of SSLStreams
IBM.WMQ.Nmqi.MQEncryptedSocket ----+---- d Setting current certificate store as 'User'
IBM.WMQ.Nmqi.MQEncryptedSocket ----+---- d Windows/Mac so use My Store & CurrentStore
IBM.WMQ.Nmqi.MQEncryptedSocket ----+---- d Created store object to access certificates
IBM.WMQ.Nmqi.MQEncryptedSocket ----+---- d Opened store
IBM.WMQ.Nmqi.MQEncryptedSocket ----+---- d Accessing certificate - ibmwebspheremq***** (sensored user name)
IBM.WMQ.Nmqi.MQEncryptedSocket ----+---- d TLS12 supported - True
IBM.WMQ.Nmqi.MQEncryptedSocket ----+---- d TLS13 supported - True
IBM.WMQ.Nmqi.MQEncryptedSocket ----+---- d Cipherspec protocol version:TLS 1.2
IBM.WMQ.Nmqi.MQEncryptedSocket ----+---- d Setting SslProtol as Tls12
IBM.WMQ.Nmqi.MQEncryptedSocket ----+---- d Starting SSL Authentication
IBM.WMQ.MQClientCfg ----+----+ > GetStringValue(StringCfgProperty) entry
IBM.WMQ.MQClientCfg ----+----+ < GetStringValue(StringCfgProperty) rc=OK exit
IBM.WMQ.Nmqi.MQEncryptedSocket ----+---- d Server name is set to rb5f-pay5f-inst.chl.mq.ibm.com
IBM.WMQ.Nmqi.MQEncryptedSocket ----+----+ > FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[]) entry
IBM.WMQ.Nmqi.MQEncryptedSocket ----+----+ d Client callback has been invoked to find client certificate
IBM.WMQ.Nmqi.MQEncryptedSocket ----+----+ < FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[]) rc=OK exit
----+---- I ASSEMBLY LOADED: System.Security.Principal.Windows, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
----+---- I Loaded from File System.
----+---- I .NET Runtime Version: v4.0.30319
----+---- I Informational Version: 6.0.21+e40b3abf1b41621d4298642a5fd300ebf7cccf6d
----+---- I Codebase: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.21\System.Security.Principal.Windows.dll
----+---- I Assembly Description: Internal implementation package not meant for direct consumption. Please do not reference directly
----+---- I ASSEMBLY LOADED: System.Security.Claims, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
----+---- I Loaded from File System.
----+---- I .NET Runtime Version: v4.0.30319
----+---- I Informational Version: 6.0.21+e40b3abf1b41621d4298642a5fd300ebf7cccf6d
----+---- I Codebase: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.21\System.Security.Claims.dll
----+---- I Assembly Description: System.Security.Claims
----+---- I ASSEMBLY LOADED: System.Security.Cryptography.Encoding, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3
----+---- I Loaded from File System.
----+---- I .NET Runtime Version: v4.0.30319
----+---- I Informational Version: 6.0.21+e40b3abf1b41621d4298642a5fd300ebf7cccf6d
----+---- I Codebase: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.21\System.Security.Cryptography.Encoding.dll
----+---- I Assembly Description: Internal implementation package not meant for direct consumption. Please do not reference directly
IBM.WMQ.Nmqi.MQEncryptedSocket ----+----+ > FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[]) entry
IBM.WMQ.Nmqi.MQEncryptedSocket ----+----+ d Client callback has been invoked to find client certificate
IBM.WMQ.Nmqi.MQEncryptedSocket ----+----+ d Use the first certificate that is from an acceptable issuer.
IBM.WMQ.Nmqi.MQEncryptedSocket ----+----+ < FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[]) rc=OK exit
IBM.WMQ.Nmqi.MQEncryptedSocket ----+----+ > ClientValidatingServerCertificate(Object,X509Certificate,X509Chain,SslPolicyErrors) entry
IBM.WMQ.Nmqi.MQEncryptedSocket ----+----+ d Client did not specify a SSLPEERNAME, hence SSLPeerNameMatching not done
IBM.WMQ.Nmqi.MQEncryptedSocket ----+----+ < ClientValidatingServerCertificate(Object,X509Certificate,X509Chain,SslPolicyErrors) rc=OK exit
IBM.WMQ.Nmqi.MQEncryptedSocket ----+---- d SSL Authentication completed
IBM.WMQ.Nmqi.MQEncryptedSocket ----+---- < MakeSecuredConnection() rc=OK exit
IBM.WMQ.MQTCPConnection ----+--- < ConnectSocket(string,string,MQLONG) rc=OK exit
IBM.WMQ.MQTCPConnection ----+-- d Protocol connected..for this connection request.
After:
IBM.WMQ.Nmqi.MQEncryptedSocket ----+---- > MakeSecuredConnection() entry
IBM.WMQ.Nmqi.MQEncryptedSocket ----+---- d Created an instance of SSLStreams
IBM.WMQ.Nmqi.MQEncryptedSocket ----+---- d Setting current certificate store as 'User'
IBM.WMQ.Nmqi.MQEncryptedSocket ----+---- d Windows/Mac so use My Store & CurrentStore
IBM.WMQ.Nmqi.MQEncryptedSocket ----+---- d Created store object to access certificates
IBM.WMQ.Nmqi.MQEncryptedSocket ----+---- d Opened store
IBM.WMQ.Nmqi.MQEncryptedSocket ----+---- d Accessing certificate - ibmwebspheremq***** (sensored user name)
IBM.WMQ.Nmqi.MQEncryptedSocket ----+---- d TLS12 supported - True
IBM.WMQ.Nmqi.MQEncryptedSocket ----+---- d TLS13 supported - True
IBM.WMQ.Nmqi.MQEncryptedSocket ----+---- d Cipherspec protocol version:TLS 1.2
IBM.WMQ.Nmqi.MQEncryptedSocket ----+---- d Setting SslProtol as Tls12
IBM.WMQ.Nmqi.MQEncryptedSocket ----+---- d Starting SSL Authentication
IBM.WMQ.MQClientCfg ----+----+ > GetStringValue(StringCfgProperty) entry [o] IBM.WMQ.MQClientCfg+StringCfgProperty
IBM.WMQ.MQClientCfg ----+----+ < GetStringValue(StringCfgProperty) rc=OK exit
IBM.WMQ.Nmqi.MQEncryptedSocket ----+---- d Server name is set to rb5f-pay5f-inst.chl.mq.ibm.com
IBM.WMQ.Nmqi.MQEncryptedSocket ----+----+ > FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[]) entry
IBM.WMQ.Nmqi.MQEncryptedSocket ----+----+ d Client callback has been invoked to find client certificate
IBM.WMQ.Nmqi.MQEncryptedSocket ----+----+ < FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[]) rc=OK exit
----+---- I ASSEMBLY LOADED: System.Security.Principal.Windows, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
----+---- I Loaded from File System.
----+---- I .NET Runtime Version: v4.0.30319
----+---- I Informational Version: 6.0.21+e40b3abf1b41621d4298642a5fd300ebf7cccf6d
----+---- I Codebase: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.21\System.Security.Principal.Windows.dll
----+---- I Assembly Description: Internal implementation package not meant for direct consumption. Please do not reference directly.
----+---- I ASSEMBLY LOADED: System.Security.Claims, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
----+---- I Loaded from File System.
----+---- I .NET Runtime Version: v4.0.30319
----+---- I Informational Version: 6.0.21+e40b3abf1b41621d4298642a5fd300ebf7cccf6d
----+---- I Codebase: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.21\System.Security.Claims.dll
----+---- I Assembly Description: System.Security.Claims
----+---- I ASSEMBLY LOADED: System.Security.Cryptography.Encoding, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
----+---- I Loaded from File System.
----+---- I .NET Runtime Version: v4.0.30319
----+---- I Informational Version: 6.0.21+e40b3abf1b41621d4298642a5fd300ebf7cccf6d
----+---- I Codebase: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.21\System.Security.Cryptography.Encoding.dll
----+---- I Assembly Description: Internal implementation package not meant for direct consumption. Please do not reference directly.
IBM.WMQ.Nmqi.MQEncryptedSocket ----+----+ > FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[]) entry
IBM.WMQ.Nmqi.MQEncryptedSocket ----+----+ d Client callback has been invoked to find client certificate
IBM.WMQ.Nmqi.MQEncryptedSocket ----+----+ d Use the first certificate that is from an acceptable issuer.
IBM.WMQ.Nmqi.MQEncryptedSocket ----+----+ < FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[]) rc=OK exit
IBM.WMQ.Nmqi.MQEncryptedSocket ----+----+ > ClientValidatingServerCertificate(Object,X509Certificate,X509Chain,SslPolicyErrors) entry
IBM.WMQ.Nmqi.MQEncryptedSocket ----+----+ d Client did not specify a SSLPEERNAME, hence SSLPeerNameMatching not done
IBM.WMQ.Nmqi.MQEncryptedSocket ----+----+ < ClientValidatingServerCertificate(Object,X509Certificate,X509Chain,SslPolicyErrors) rc=OK exit
----+---- d New MQException CompCode: 2 Reason: 2393
IBM.WMQ.Nmqi.MQEncryptedSocket ----+---- d Exception in method MakeSecuredConnection()
IBM.WMQ.Nmqi.MQEncryptedSocket ----+---- X CompCode: 2, Reason: 2393
IBM.WMQ.Nmqi.MQEncryptedSocket ----+---- < MakeSecuredConnection() rc=OK exit
IBM.WMQ.MQTCPConnection ----+--- d Exception in method ConnectSocket(string,string,MQLONG)
IBM.WMQ.MQTCPConnection ----+--- X CompCode: 2, Reason: 2393
IBM.WMQ.MQTCPConnection ----+--- < ConnectSocket(string,string,MQLONG) rc=OK exit
IBM.WMQ.MQTCPConnection ----+-- d Exception in method Connect(MQConnectionSecurityParameters)
IBM.WMQ.MQTCPConnection ----+-- X CompCode: 2, Reason: 2393
----+-- d New MQException CompCode: 2 Reason: 2393
----+-- d New NmqiException CompCode: 2 Reason: 2393
IBM.WMQ.MQTCPConnection ----+--- > CleanUp(Boolean,NmqiException) entry [o] False, [o] CompCode: 2, Reason: 2393
What can be wrong here? Any ideas?
Regards,
- Bjarki
------------------------------
Bjarki Björgúlfsson
------------------------------
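Added example, not part of the thread and not IBM tooling: a short Python triage of the managed-client trace format posted above. It pairs each MakeSecuredConnection() entry and exit and reports the protocol, whether authentication completed, the reason code, and whether the trace says SSLPEERNAME matching was skipped. The sample lines are constructed from the Before and After excerpts, and the function and field names are this example's own.

```python
import re

# Constructed sample: lines taken from the "Before" and "After" excerpts above.
SAMPLE_TRACE = """\
IBM.WMQ.Nmqi.MQEncryptedSocket ----+---- > MakeSecuredConnection() entry
IBM.WMQ.Nmqi.MQEncryptedSocket ----+---- d Cipherspec protocol version:TLS 1.2
IBM.WMQ.Nmqi.MQEncryptedSocket ----+----+ d Client did not specify a SSLPEERNAME, hence SSLPeerNameMatching not done
IBM.WMQ.Nmqi.MQEncryptedSocket ----+---- d SSL Authentication completed
IBM.WMQ.Nmqi.MQEncryptedSocket ----+---- < MakeSecuredConnection() rc=OK exit
IBM.WMQ.Nmqi.MQEncryptedSocket ----+---- > MakeSecuredConnection() entry
IBM.WMQ.Nmqi.MQEncryptedSocket ----+---- d Cipherspec protocol version:TLS 1.2
IBM.WMQ.Nmqi.MQEncryptedSocket ----+----+ d Client did not specify a SSLPEERNAME, hence SSLPeerNameMatching not done
----+---- d New MQException CompCode: 2 Reason: 2393
IBM.WMQ.Nmqi.MQEncryptedSocket ----+---- X CompCode: 2, Reason: 2393
IBM.WMQ.Nmqi.MQEncryptedSocket ----+---- < MakeSecuredConnection() rc=OK exit
"""

# [optional class name] <depth marker> <kind: > entry, < exit, d data, I info, X error> <message>
LINE = re.compile(r"^(?:(?P<cls>[\w.]+)\s+)?[-+]+\s+(?P<kind>[><dIX])\s+(?P<msg>.*)$")
REASON = re.compile(r"Reason: (\d+)")

def summarize_handshakes(trace_text):
    """Return one dict per MakeSecuredConnection() entry/exit span in the trace."""
    attempts, cur = [], None
    for raw in trace_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        kind, msg = m["kind"], m["msg"]
        if kind == ">" and msg.startswith("MakeSecuredConnection()"):
            cur = {"protocol": None, "completed": False,
                   "reason": None, "peer_name_skipped": False}
        elif cur is None:
            continue  # line is outside any handshake span
        elif kind == "<" and msg.startswith("MakeSecuredConnection()"):
            # The exit line reads rc=OK even on the failing span, so the
            # outcome comes from the lines seen inside the span instead.
            attempts.append(cur)
            cur = None
        elif msg.startswith("Cipherspec protocol version:"):
            cur["protocol"] = msg.split(":", 1)[1].strip()
        elif msg == "SSL Authentication completed":
            cur["completed"] = True
        elif "SSLPeerNameMatching not done" in msg:
            cur["peer_name_skipped"] = True  # server certificate name not pinned
        elif (r := REASON.search(msg)):
            cur["reason"] = int(r.group(1))
    return attempts
```

Both spans in the sample report `peer_name_skipped`, which is independent of the 2393 failure: the client in the posted trace did not set SSLPEERNAME in either version.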