Error MQException caught: 2059 - MQRC_Q_MGR_NOT_AVAILABLE .Net Core Linux Docker Container IBM MQ, caused by cipherspec mismatch
I have a .NET Core managed client running in a Linux Docker container. I am trying to connect to the IBM message queue using SSL, and it connects successfully using TLS_RSA_WITH_AES_128_CBC_SHA256. I tested again by asking them to change the server to AES_256. However, when they switch to AES_256, i.e. I try the same on TLS_RSA_WITH_AES_256_CBC_SHA256, I get 2059 - MQRC_Q_MGR_NOT_AVAILABLE.

In Windows, you can specify the default cipher spec by going to the group policy editor. Example: https://docs.microsoft.com/en-us/windows-server/security/tls/manage-tls

My question is how do I do that in the Docker container. My image used is from Microsoft dotnet/core/aspnet:3.1-buster-slim. Here is my code for reference:
using System;
using System.Collections;
using IBM.WMQ;

class Program
{
    // Connection settings for the queue manager and its TLS channel.
    private static string _host = "GH2134";
    private static int _port = 1414;
    private static string _channel = "AES256.TEST.CHANNEL";
    private static string _qmgr = "MQMGR";
    private static string _cipherSpec = "TLS_RSA_WITH_AES_256_CBC_SHA256";
    private static string _mqUser = "mymqUser";
    private static string _mqPassword = "mymqPassword@";
    private static string _keyRepository = "*USER";

    static void Main()
    {
        // Managed-mode connection properties, including the CipherSpec under test.
        var properties = new Hashtable();
        properties.Add(MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES_MANAGED);
        properties.Add(MQC.HOST_NAME_PROPERTY, _host);
        properties.Add(MQC.PORT_PROPERTY, _port);
        properties.Add(MQC.CHANNEL_PROPERTY, _channel);
        properties.Add(MQC.USER_ID_PROPERTY, _mqUser);
        properties.Add(MQC.PASSWORD_PROPERTY, _mqPassword);
        properties.Add(MQC.SSL_CIPHER_SPEC_PROPERTY, _cipherSpec);
        properties.Add(MQC.SSL_CERT_STORE_PROPERTY, _keyRepository);
        // Throws MQException (reason 2059 in the failing case) if the connection cannot be made.
        var queueManager = new MQQueueManager(_qmgr, properties);
        Console.Write("Connection created successfully...\n\n");
    }
}
I checked in bash for the installed ciphers with openssl ciphers -v and didn't find TLS_RSA_WITH_AES_256_CBC_SHA256. How do I add it, like in the Windows group policy editor?
root@097aa5a44f52:/app# openssl ciphers -v
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-AES256-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES128-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
RSA-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=RSAPSK Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=DHEPSK Au=PSK Enc=AESGCM(256) Mac=AEAD
RSA-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=RSAPSK Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=DHEPSK Au=PSK Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=ECDHEPSK Au=PSK Enc=CHACHA20/POLY1305(256) Mac=AEAD
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
PSK-AES256-GCM-SHA384 TLSv1.2 Kx=PSK Au=PSK Enc=AESGCM(256) Mac=AEAD
PSK-CHACHA20-POLY1305 TLSv1.2 Kx=PSK Au=PSK Enc=CHACHA20/POLY1305(256) Mac=AEAD
RSA-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=RSAPSK Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=DHEPSK Au=PSK Enc=AESGCM(128) Mac=AEAD
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
PSK-AES128-GCM-SHA256 TLSv1.2 Kx=PSK Au=PSK Enc=AESGCM(128) Mac=AEAD
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-PSK-AES256-CBC-SHA384 TLSv1 Kx=ECDHEPSK Au=PSK Enc=AES(256) Mac=SHA384
ECDHE-PSK-AES256-CBC-SHA TLSv1 Kx=ECDHEPSK Au=PSK Enc=AES(256) Mac=SHA1
SRP-RSA-AES-256-CBC-SHA SSLv3 Kx=SRP Au=RSA Enc=AES(256) Mac=SHA1
SRP-AES-256-CBC-SHA SSLv3 Kx=SRP Au=SRP Enc=AES(256) Mac=SHA1
RSA-PSK-AES256-CBC-SHA384 TLSv1 Kx=RSAPSK Au=RSA Enc=AES(256) Mac=SHA384
DHE-PSK-AES256-CBC-SHA384 TLSv1 Kx=DHEPSK Au=PSK Enc=AES(256) Mac=SHA384
RSA-PSK-AES256-CBC-SHA SSLv3 Kx=RSAPSK Au=RSA Enc=AES(256) Mac=SHA1
DHE-PSK-AES256-CBC-SHA SSLv3 Kx=DHEPSK Au=PSK Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
PSK-AES256-CBC-SHA384 TLSv1 Kx=PSK Au=PSK Enc=AES(256) Mac=SHA384
PSK-AES256-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(256) Mac=SHA1
ECDHE-PSK-AES128-CBC-SHA256 TLSv1 Kx=ECDHEPSK Au=PSK Enc=AES(128) Mac=SHA256
ECDHE-PSK-AES128-CBC-SHA TLSv1 Kx=ECDHEPSK Au=PSK Enc=AES(128) Mac=SHA1
SRP-RSA-AES-128-CBC-SHA SSLv3 Kx=SRP Au=RSA Enc=AES(128) Mac=SHA1
SRP-AES-128-CBC-SHA SSLv3 Kx=SRP Au=SRP Enc=AES(128) Mac=SHA1
RSA-PSK-AES128-CBC-SHA256 TLSv1 Kx=RSAPSK Au=RSA Enc=AES(128) Mac=SHA256
DHE-PSK-AES128-CBC-SHA256 TLSv1 Kx=DHEPSK Au=PSK Enc=AES(128) Mac=SHA256
RSA-PSK-AES128-CBC-SHA SSLv3 Kx=RSAPSK Au=RSA Enc=AES(128) Mac=SHA1
DHE-PSK-AES128-CBC-SHA SSLv3 Kx=DHEPSK Au=PSK Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
PSK-AES128-CBC-SHA256 TLSv1 Kx=PSK Au=PSK Enc=AES(128) Mac=SHA256
PSK-AES128-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(128) Mac=SHA1
Update: I verified by downgrading the NuGet version of IBM® Message Service Client for .NET Standard (XMS .NET) from 9.2.2 to 9.1.4. I was surprised to find that I get the 2059 error also with TLS_RSA_WITH_AES_128_CBC_SHA256, so I might also guess that this could be a bug in IBM's client library?
I can answer my own question. I did the tests with an older library version of the IBMXMS NuGet packages. It did not support AES 128 as well. There is currently a bug in the official IBMXMS .NET library in that it does not support the CipherSpec TLS_RSA_AES_256_WITH_RSA_SHA256 in the latest one. It supports AES128.

However, this is the case only in the Linux environment. In Windows, AES 256 works, provided that it's also changed to the same spec in group policy. Here is a link on how to do it: https://docs.microsoft.com/en-us/windows-server/security/tls/manage-tls
Hence, if you are using IBM's .NET Client Core on Linux, then only up to TLS_RSA_AES_128_WITH_RSA_SHA256 is supported, unless IBM releases a new library DLL or a NuGet package that supports it. As of now, the version I am using is from NuGet, IBMXMSDotnetClient Version="9.2.2". In OpenSSL, there is already support.
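The openssl ciphers -v listing in the question uses OpenSSL's own suite names, so an IANA-style CipherSpec name has to be translated before searching it; the following is an added example (not part of the original post or of IBM's code) that does this for the two CipherSpecs discussed here. The function names are hypothetical, and the sample listing is four lines taken from the question's output.

```shell
#!/bin/sh
# Added example: look up an IBM MQ / IANA CipherSpec name in `openssl ciphers -v`
# output, which lists suites under OpenSSL's names rather than IANA's.

# Map the two CipherSpecs discussed on this page to their OpenSSL names
# (IANA code points 0x00,0x3C and 0x00,0x3D). Any other name returns status 1.
iana_to_openssl() {
    case "$1" in
        TLS_RSA_WITH_AES_128_CBC_SHA256) echo "AES128-SHA256" ;;
        TLS_RSA_WITH_AES_256_CBC_SHA256) echo "AES256-SHA256" ;;
        *) return 1 ;;
    esac
}

# Sample input: four lines taken from the listing posted in the question.
SAMPLE_LISTING='ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256'

# find_cipher IANA_NAME [LISTING]
# Prints the matching listing line. Status 1 if the suite is absent,
# status 2 if the name has no mapping here. Without LISTING, the local
# openssl binary is queried.
find_cipher() {
    ossl_name=$(iana_to_openssl "$1") || return 2
    if [ "$#" -ge 2 ]; then
        listing=$2
    else
        listing=$(openssl ciphers -v)
    fi
    # Compare the first column exactly: a substring search for AES256-SHA256
    # would also match DHE-RSA-AES256-SHA256.
    printf '%s\n' "$listing" |
        awk -v n="$ossl_name" '$1 == n { print; found = 1 } END { exit !found }'
}

find_cipher TLS_RSA_WITH_AES_256_CBC_SHA256 "$SAMPLE_LISTING"
```

A match shows only that OpenSSL in the container can offer the suite; it says nothing about which CipherSpecs the MQ client library itself accepts.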