  • 1.  XMS v9.3.2 on Windows 11 - Issue in TLS 1.3 handshake with client certificate

    Posted Tue May 16, 2023 03:18 PM

    I've run into an issue with the MQ client TLS handshake using the following:

    • .NET 6
    • IBMXMSDotnetClient 9.3.2.1
    • Windows 11
    • TLS 1.3
    • Cipher spec TLS_AES_256_GCM_SHA3
    • Client certificate

    On Windows I get the following error:

    System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
     ---> System.ComponentModel.Win32Exception (0x80090308): The token supplied to the function is invalid
       --- End of inner exception stack trace ---
       at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken)
       at System.Net.Security.SslStream.AuthenticateAsClient(SslClientAuthenticationOptions sslClientAuthenticationOptions)
       at IBM.WMQ.Nmqi.MQEncryptedSocket.MakeSecuredConnection()
       at IBM.WMQ.Nmqi.MQEncryptedSocket..ctor(NmqiEnvironment env, MQTCPConnection conn, Socket socket, MQChannelDefinition mqcd, MQSSLConfigOptions sslConfigOptions)
       at IBM.WMQ.MQTCPConnection.ConnectSocket(String localAddr, String connectionName, Int32 options)

    The requirement for production is TLS 1.3.

    What has worked previously/in different environments:

    • A Linux container using the same project, XMS version, cipher spec and certificate (Linux image from Microsoft Artifact Registry).
    • Using TLS 1.2 and different cipher spec on Windows 11 with the same certificate
    • On my Windows 11 machine I have used Qualys SSL Labs to verify my TLS 1.3 settings (Qualys SSL Labs - Projects / SSL Client Test)
    • Using the OpenSSL 3.0 s_client command in Windows 11 PowerShell to validate the certificate and complete the TLS 1.3 handshake with the server

    I'm satisfied with using Linux going forward, but I wanted to drop this information here for reference and in the hopes that IBM can look into it for a future fix.



    ------------------------------
    Daniel Bolin
    ------------------------------


  • 2.  RE: XMS v9.3.2 on Windows 11 - Issue in TLS 1.3 handshake with client certificate

    Posted Wed May 17, 2023 01:07 AM

    Hi Daniel,

    The exception "The token supplied to the function is invalid" is thrown when the certificate on the chain is signed with an unsupported or disabled algorithm. 

    .NET uses OpenSSL on Linux and SChannel on Windows. Please can you check which algorithm is being used to sign the certificate?

    Thanks,

    Ram



    ------------------------------
    Ram Subba Rao Chalamalasetti
    ------------------------------



  • 3.  RE: XMS v9.3.2 on Windows 11 - Issue in TLS 1.3 handshake with client certificate

    Posted Wed May 17, 2023 09:37 AM

    I am able to use OpenSSL commands on the same Windows 11 machines to perform a TLS 1.3 handshake with the server using the same certificate, so I know it's not the signing algorithm or certificate. 

    The certificate is sha256RSA, and I was previously able to use this same certificate with TLS 1.2 against the same server.



    ------------------------------
    Daniel Bolin
    ------------------------------



  • 4.  RE: XMS v9.3.2 on Windows 11 - Issue in TLS 1.3 handshake with client certificate

    Posted Fri May 19, 2023 12:08 AM

    Hi Daniel, please can you open a Salesforce case with IBM Support? We have tested on Windows 11 and it is working for us. 



    ------------------------------
    Ram Subba Rao Chalamalasetti
    ------------------------------
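
One way to check whether the failure reproduces outside the XMS client, as an added example that is not from the thread or from IBM: a .NET 6 console program that prints the signature algorithm of each certificate in the client chain (the check requested in post 2) and then attempts a TLS 1.3-only `SslStream` handshake, the same call that appears in the stack trace. The host, port, PFX path and password are command-line placeholders.

```csharp
// Added example: standalone TLS 1.3 client-certificate handshake check for .NET 6.
// Host, port, PFX path and password are placeholders supplied on the command line.
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

if (args.Length < 4)
{
    Console.Error.WriteLine("usage: tlscheck <host> <port> <client.pfx> <pfx-password>");
    return 2;
}
string host = args[0];
int port = int.Parse(args[1]);
using var clientCert = new X509Certificate2(args[2], args[3]);

// Print the signature algorithm of each certificate in the locally built client chain.
using var chain = new X509Chain();
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
bool built = chain.Build(clientCert);
Console.WriteLine($"Client chain builds locally: {built}");
foreach (X509ChainElement element in chain.ChainElements)
    Console.WriteLine($"  {element.Certificate.Subject}: {element.Certificate.SignatureAlgorithm.FriendlyName}");

var options = new SslClientAuthenticationOptions
{
    TargetHost = host,
    EnabledSslProtocols = SslProtocols.Tls13,   // offer TLS 1.3 only
    ClientCertificates = new X509CertificateCollection { clientCert },
    // Default server certificate validation is left enabled.
};

try
{
    using var tcp = new TcpClient(host, port);
    using var ssl = new SslStream(tcp.GetStream(), leaveInnerStreamOpen: false);
    ssl.AuthenticateAsClient(options);
    Console.WriteLine($"Handshake OK: {ssl.SslProtocol}, {ssl.NegotiatedCipherSuite}");
    return 0;
}
catch (AuthenticationException ex)
{
    // On Windows the inner Win32Exception carries the SChannel status text.
    Console.WriteLine($"Handshake failed: {ex.Message}");
    Console.WriteLine($"Inner: {ex.InnerException?.GetType().Name}: {ex.InnerException?.Message}");
    return 1;
}
```

Running the same build on Windows and in the Linux container gives a direct SChannel versus OpenSSL comparison without the XMS layer. A failure that mentions the remote certificate indicates server certificate validation (for example a host name mismatch) rather than the client-certificate problem discussed in the thread.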