
We are trying to connect to IBM MQ from RHEL 8.3 using a .NET Core 3.1 application. The same code runs OK on Windows: we are able to connect to the QM.
We are facing an error that comes, as we believe, from OpenSSL:

---> Interop+OpenSsl+SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL. ---> Interop+Crypto+OpenSslCryptographicException: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate --- End of inner exception stack trace --- at Interop.OpenSsl.DoSslHandshake(SafeSslHandle context, Byte[] recvBuf, Int32 recvOffset, Int32 recvCount, Byte[]& sendBuf, Int32& sendCount) in /_/src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.OpenSsl.cs:line 278

We can see that the MQ client loaded the certificates:

00000157 12:30:07.116059 536167.15 -----------{ MQEncryptedSocket.MakeSecuredConnection()
00000158 12:30:07.116425 536167.15 Created an instance of SSLStreams
00000159 12:30:07.116466 536167.15 Setting current certificate store as 'User'
0000015A 12:30:07.116528 536167.15 Linux so use My & CurrentUser
0000015B 12:30:07.116542 536167.15 Created store object to access certificates
0000015C 12:30:07.116780 536167.15 Opened store
0000015D 12:30:07.116795 536167.15 Accessing certificate - ZZZZ
0000015E 12:30:07.230836 536167.15 Number of certificates in the store:5
0000015F 12:30:07.231092 536167.15 TLS12 supported - True
00000160 12:30:07.233622 536167.15 Setting SslProtol as Tls12
00000161 12:30:07.233652 536167.15 Starting SSL Authentication

We have a unit test that verifies whether a cert with the given subject exists in that store, and it passes.
What we've done already:

  1. We built OpenSSL 1.1.1h and linked it system-wide.
  2. We verified the cert store. The cert we are using is valid:
     using System.Security.Cryptography.X509Certificates;
     // The store the MQ client trace shows it opening on Linux: My / CurrentUser
     using var x509Store2 = new X509Store(StoreName.My, StoreLocation.CurrentUser);
     x509Store2.Open(OpenFlags.ReadOnly);
     // validOnly: true returns only certs that pass chain validation on this host
     var cert = x509Store2.Certificates.Find(X509FindType.FindBySubjectName, mockIbmMqOptions.MqCertificateLabel, true).Count;
     Assert.True(cert > 0);
  3. We ran the code on Windows with success.
  4. We searched for "sslv3 alert bad certificate" in the OpenSSL source and found nothing but statics with error code 1420 that are not referenced.

Any ideas?

Tom Ash
  • Are you specifying the TLS version in your C# code? When you do not specify the TLS version in the client, a default version is used, which may be different on different machines. Also, the certificate has to be loaded on both client and server. When a TLS connection is started, the server sends a list of certificate names to the client, and then the client looks up the names in the certificate stores. The certificate encryption mode must be compatible with the version of TLS. See Wiki: https://en.wikipedia.org/wiki/Transport_Layer_Security – jdweng Nov 19 '20 at 13:45
  • Yes, we are: ```00000154 12:30:07.110057 536167.15 CipherSpec value is TLS_RSA_WITH_AES_256_CBC_SHA256``` – Tom Ash Nov 19 '20 at 13:50
  • Looks like your client is requesting TLS 1.2 and the server is not accepting the certificate. See: https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.0.0/com.ibm.mq.explorer.doc/e_ssl_security.htm – jdweng Nov 19 '20 at 14:01
  • How can I check it? It works ok from Windows. I wonder if there is something that could help to trace the issue. – Tom Ash Nov 19 '20 at 16:00
  • Using a sniffer like Wireshark or Fiddler you can see the TLS messages, including the certificate block with the list of certificates. But that is working on Windows. Something is failing on the lookup in the certificate stores on the IBM MQ machine. See the following: https://www.ibm.com/support/pages/ibm-mq-personal-and-ca-certificates-explained-and-how-identify-them – jdweng Nov 19 '20 at 16:12
  • You can review the queue manager's `AMQERR01.LOG` at the time you get the error for more details on what the QM is seeing. – JoshMc Nov 19 '20 at 16:56
  • Also what is the label on the cert (friendly name)? By default with a MQ client app it will look for a cert with the label `ibmwebspheremq`, so if your process ran as a user named `tomash`, then by default MQ will look for a cert labeled as `ibmwebspheremqtomash`, you can override this default and specify a specific label. – JoshMc Nov 19 '20 at 17:02
  • Thank you for the tip on AMQERR. I will have to ask the 3rd party to send it to me. As for the friendly name: as you know, the client is written in .NET Core using the IBM MQ .NET Standard library as the client. When we import the pfx into the .NET Core key store on RHEL, the friendly name is empty, while on Windows the key store entry is set to ZZZZ and CertificateLabel is set to ZZZZ. – Tom Ash Nov 19 '20 at 18:38
  • Do you mean you are setting the cert label to match the name in the .NET Core key store? This other recent [question](https://stackoverflow.com/questions/64580857/unable-to-autheticate-to-ibm-mq-c-sharp-with-tls-certificate) may be helpful. – JoshMc Nov 19 '20 at 19:11
  • Yes, we set CertificateLabel to match FriendlyName. – Tom Ash Nov 19 '20 at 19:26
  • Check that question; the guy said he had to import only the single cert, not all the signers. – JoshMc Nov 19 '20 at 20:01

1 Answer


Thank you @JoshMc; based on this question we successfully managed to finish the handshake. I think this is a general solution for .NET Core on RHEL and the IBM MQ client libraries:

  1. Be sure that the CA and intermediate CA certificates are stored in /usr/share/pki/ca-trust-source/anchors/ or /etc/pki/ca-trust/source/anchors/.
  2. If your pfx contains the certificates of the certification path, export ONLY the private key and the public cert.
  3. Be sure to have the Friendly Name set to some value.
  4. Add the exported pfx to the .NET Core key store with `certificate-tool add`.
  5. Set CertificateLabel to match the FriendlyName, or set the friendly name to ibmwebspheremq<username_in_lowercase>.
Tom Ash
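The procedure above, steps 1 to 3, worked through with openssl as an added example; this is not code from the original answer, from IBM or from Microsoft. It builds a throw-away root/intermediate/leaf chain, bundles it the way a delivered pfx usually arrives (key plus the whole certification path), then re-exports only the key and the end-entity certificate with a PKCS#12 friendlyName, and checks the result before it would be handed to `certificate-tool add`. The file names, the password `changeit` and the label `ZZZZ` are assumptions; `install_anchors` needs root and is defined but not called.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): steps 1-3 of the fix done with
# openssl on a throw-away chain, so the .pfx can be inspected before it goes
# into the .NET Core store with certificate-tool. Paths, the password and the
# label ZZZZ are assumptions for this example.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
PFX_PASS="changeit"   # assumed password of the delivered and re-exported .pfx
LABEL="ZZZZ"          # friendly name; the MQ CertificateLabel is set to this

# Build root -> intermediate -> leaf and bundle everything into one .pfx, which
# is the "whole certification path in the pfx" shape that failed on RHEL.
make_test_chain() {
    local d="$1" n
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=clientAuth\n' > "$d/leaf.ext"
    for n in root int leaf; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" -out "$d/$n.csr" \
            -subj "/CN=example $n" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -out "$d/root.crt" \
        -days 30 -extfile "$d/ca.ext" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -out "$d/int.crt" -days 30 -extfile "$d/ca.ext" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
        -out "$d/leaf.crt" -days 30 -extfile "$d/leaf.ext" 2>/dev/null
    cat "$d/int.crt" "$d/root.crt" > "$d/chain.pem"
    openssl pkcs12 -export -inkey "$d/leaf.key" -in "$d/leaf.crt" -certfile "$d/chain.pem" \
        -name "$LABEL" -passout "pass:$PFX_PASS" -out "$d/full.pfx"
}

# Steps 2 and 3: re-export ONLY the private key and the end-entity certificate,
# keeping the friendlyName; the signers go to a separate PEM for step 1.
split_pfx() {
    local in="$1" out="$2" signers="$3"
    openssl pkcs12 -in "$in" -passin "pass:$PFX_PASS" -nocerts -nodes -out "$WORK/key.pem"
    openssl pkcs12 -in "$in" -passin "pass:$PFX_PASS" -clcerts -nokeys -out "$WORK/leaf-only.pem"
    openssl pkcs12 -in "$in" -passin "pass:$PFX_PASS" -cacerts -nokeys -out "$signers"
    # -name sets the PKCS#12 friendlyName bag attribute, the "Friendly Name" of step 3
    openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/leaf-only.pem" \
        -name "$LABEL" -passout "pass:$PFX_PASS" -out "$out"
}

# Step 1 (needs root, so defined but not run here): make the signers part of
# the system trust that OpenSSL, and therefore the .NET client, consults.
install_anchors() {
    cp "$1" /etc/pki/ca-trust/source/anchors/mq-signers.pem
    update-ca-trust
}

# Number of certificates in a .pfx; the one handed to certificate-tool should be 1.
pfx_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$PFX_PASS" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}
# friendlyName of the end-entity certificate bag, i.e. what CertificateLabel must equal.
pfx_friendly_name() {
    openssl pkcs12 -in "$1" -passin "pass:$PFX_PASS" -nokeys -clcerts 2>/dev/null \
        | sed -n 's/^ *friendlyName: //p' | head -n 1
}
# Offline stand-in for the anchors check: does the leaf chain to the extracted signers?
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_test_chain "$WORK"
FULL_PFX="$WORK/full.pfx"         # as delivered: key + leaf + intermediate + root
CLIENT_PFX="$WORK/mq-client.pfx"  # what certificate-tool add should receive
SIGNERS="$WORK/signers.pem"       # what goes into the anchors directory
split_pfx "$FULL_PFX" "$CLIENT_PFX" "$SIGNERS"
echo "certificates in delivered pfx: $(pfx_cert_count "$FULL_PFX")"
echo "certificates in client pfx:    $(pfx_cert_count "$CLIENT_PFX")"
echo "friendlyName in client pfx:    $(pfx_friendly_name "$CLIENT_PFX")"
chain_ok "$SIGNERS" "$WORK/leaf.crt" && echo "leaf chains to the extracted signers"
```

The delivered bundle reports three certificates, the re-exported one reports one with `friendlyName: ZZZZ`, and the leaf verifies against the signers that were split off, which is what the system trust store must be able to do once step 1 is done. If you would rather rely on the client's default lookup described in the comments, pass `-name "ibmwebspheremq$(id -un)"` instead of a custom label (assumption: the process runs as that user) and leave CertificateLabel unset.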