Wednesday, 9 September 2015

Using OpenSSL to connect via a specific SSL/TLS cipher

We're busy setting up TLS 1.2 encryption for WebSphere MQ 8, forcing all connections ( from WebSphere Application Server, IBM Integration Bus etc. ) to be encrypted, via a dedicated SVRCONN Channel.

The MQ setup script includes the following: -

...
QMGR=TESTQM
QMGRPORT=1420
MQCIPHERSPEC=TLS_RSA_WITH_AES_128_CBC_SHA256
echo "DEFINE CHANNEL(TEST.QMGR.SVRCONN) CHLTYPE(SVRCONN) SSLCIPH("$MQCIPHERSPEC") REPLACE" | runmqsc $QMGR
echo "ALTER CHANNEL(TEST.QMGR.SVRCONN) CHLTYPE(SVRCONN) SSLCAUTH(OPTIONAL)" | runmqsc $QMGR
echo "DIS CHANNEL(TEST.QMGR.SVRCONN) CHLTYPE(SVRCONN)" | runmqsc $QMGR

...

meaning that connectivity to this specific Channel will use the TLS_RSA_WITH_AES_128_CBC_SHA256 cipher.

Having completed the configuration, I wanted to validate the connectivity, using OpenSSL, which is built into my server's OS ( Red Hat Enterprise Linux ).

openssl s_client -tls1_2 -connect `hostname`:1420

CONNECTED(00000003)
depth=0 CN = bpm856.uk.ibm.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = bpm856.uk.ibm.com
verify return:1
---
Certificate chain
 0 s:/CN=bpm856.uk.ibm.com
   i:/CN=bpm856.uk.ibm.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIB2zCCAUSgAwIBAgIEVfA5qjANBgkqhkiG9w0BAQUFADAcMRowGAYDVQQDExFi
cG04NTYudWsuaWJtLmNvbTAeFw0xNTA5MDkxMzUyNDJaFw0zNTA5MDQxMzUyNDJa
MBwxGjAYBgNVBAMTEWJwbTg1Ni51ay5pYm0uY29tMIGfMA0GCSqGSIb3DQEBAQUA
A4GNADCBiQKBgQCjEQKO/DA4y1gIv0wosNiAQx/V5vqaQHW8pEgy+mzJ/wcCdDRm
lqtm/E4JtAlbway70+OPdunKRMF54zizttXSWiDxrjFM8MRXJKGEsQfo2RpsKpUf
1YC0TRE8FUiUUCLIQmpLJ1aeW5RoxOxTQQwn97Rp0ULj7nq95anxgFuzDQIDAQAB
oyowKDATBgNVHSMEDDAKgAgPevSoHR450jARBgNVHQ4ECgQID3r0qB0eOdIwDQYJ
KoZIhvcNAQEFBQADgYEALGop6W2G8W/vlyf/0zBzZ0SupScUVQ875CIqE8Dm3wW6
pBn7HTDBGLIESJ4oQ0CdseiJEStBxmBtW4klotgL0A9C3nh2WNnSOxs1W1UqgCBB
fPQdWHU7iwogplgdfyb0xgWbwiobRoej8aOxMgL2yOyoojxFgspHrmMySEAjQvw=
-----END CERTIFICATE-----
subject=/CN=bpm856.uk.ibm.com
issuer=/CN=bpm856.uk.ibm.com
---
Acceptable client certificate CA names
/CN=bpm856.uk.ibm.com
---
SSL handshake has read 742 bytes and written 491 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA256
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-SHA256
    Session-ID: 835400002792AB6982E40F6F59B50F396703953B58585858D875F0550000000A
    Session-ID-ctx: 
    Master-Key: D20745FE1E201620E7EC9B209D2858059E5CC7D2A68AE7D8B40CACAFED2767B891A9330156EAB5F9E46E151D3BCA3B27
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1441822168
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
---


To further ensure that I could only connect with one cipher, I narrowed down my OpenSSL command: -

openssl s_client -tls1_2 -connect `hostname`:1420 -cipher 'TLS_RSA_WITH_AES_128_CBC_SHA256'

which returned: -

error setting cipher list
140245232068424:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1314:


( Note that I'd specified the actual cipher - TLS_RSA_WITH_AES_128_CBC_SHA256 - in the command )

I then checked the online man page for the -ciphers option: -


*UPDATED 24/10/2020*


*UPDATED 24/10/2020*




which did the trick: -

openssl s_client -tls1_2 -connect `hostname`:1420 -cipher 'AES128-SHA256'

returns: -

...
CONNECTED(00000003)
...
SSL handshake has read 736 bytes and written 343 bytes
...
New, TLSv1/SSLv3, Cipher is AES128-SHA256
...
    Protocol  : TLSv1.2
    Cipher    : AES128-SHA256

...


1 comment:

Giannandrea said...

Hi Dave,
thanks for posting this, I found it definitely interesting
Giannandrea

Note to self - use kubectl to query images in a pod or deployment

In both cases, we use JSON ... For a deployment, we can do this: - kubectl get deployment foobar --namespace snafu --output jsonpath="{...