AMQ9616E: The CipherSpec … proposed by remote host … is not enabled.

Colin’s comments in bold.  I think the most common reason will be (e), a mismatch between the cipher specs and the server’s certificate.

EXPLANATION:

The SSL or TLS subsystem at the server end of a channel has been configured in such a way that it has rejected the CipherSpec proposed by an SSL or TLS client.
This error most commonly occurs when the choice of acceptable CipherSpecs has been limited in one of the following ways:
(a) The server queue manager SSLFipsRequired attribute is set to YES and the channel is using a CipherSpec which is not FIPS-certified on the server.
Use the MQSC command DIS QMGR SSLFIPS to display the attribute

(b) The server queue manager EncryptionPolicySuiteB attribute has been set to a value other than NONE and the channel is using a CipherSpec which does not meet the server’s configured Suite B security level.
Use DISPLAY/ALTER QMGR with the parameter SUITEB to set the value.

(c) The protocol used by the channel has been deprecated. Note that IBM may need to deprecate a protocol via product maintenance in response to a security vulnerability, for example SSLv3 and TLSv1 have been deprecated. Continued use of SSLv3 and/or TLSv1 protocols is not recommended but may be enabled by setting environment variable AMQ_SSL_V3_ENABLE=TRUE or AMQ_TLS_V1_ENABLE=TRUE as required.

(d) If you are trying to use TLS 1.3: the requested CipherSpec has been deprecated or disallowed by TLS 1.3. Note that IBM may need to deprecate a CipherSpec via product maintenance in response to a security vulnerability, for example RC4_MD5_US has been deprecated. Continued use of deprecated CipherSpecs is not recommended but may be enabled by setting environment variable AMQ_SSL_WEAK_CIPHER_ENABLE=<CipherSpec>. For example,
AMQ_SSL_WEAK_CIPHER_ENABLE=RC4_MD5_US

(e) The certificates in use are not acceptable in combination with the CipherSpec, for example the key signature algorithm (RSA or ECDSA) may not be supported by the negotiated CipherSpec, or the certificate’s key size might be too short (some CipherSpecs mandate a minimum 2048-bit RSA key length).  See below

(f) The CipherSpec is for TLS 1.3 and TLS 1.3 is not enabled. To enable TLS 1.3 set the INI variable AllowTLSV13=TRUE in the SSL stanza.  See here.

(g) You have specified AllowedCipherSpecs= in the SSL stanza of mqclient.ini, and it is blocking the cipher spec you specified for the channel.

Colin’s comments

Cipher spec mismatch.

As part of the handshake there is logic like..

  • Client sends “I want to negotiate in the following languages…”
  • The server looks in its list of languages and makes sure there is at least one in common.
  • The server asks its certificate “do you speak any of the following languages?”

 If any of the above fail you get the AMQ9616E: The CipherSpec … proposed by remote host … is not enabled error message.

The client can send

  • One cipher spec, for example SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
  • A list of cipher specs, for example SSLCIPH(ANY_TLS12)

The server may have

  • One cipher spec, for example SSLCIPH(ECDHE_ECDSA_AES_128_CBC_SHA256)
  • A list of cipher specs, for example SSLCIPH(ANY_TLS12)

The server’s certificate could be, for example,

  • Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (384 bit)
  • Signed with Signature Algorithm: ecdsa-with-SHA256

or

  • Subject Public Key Info: Public Key Algorithm: rsaEncryption  RSA Public-Key: (2048 bit)
  • Signed with Signature Algorithm: ecdsa-with-SHA256

The certificate’s public key algorithm (id-ecPublicKey or rsaEncryption above) must match the agreed cipher spec: an ECDHE_ECDSA_* cipher spec needs an EC key, a TLS_RSA_* or ECDHE_RSA_* cipher spec needs an RSA key. The algorithm the CA used to sign the certificate (ecdsa-with-SHA256 in both examples) does not have to match the cipher spec, which is why an RSA key in a certificate signed by an EC CA is a valid combination.

How to resolve it

  1. The /var/mqm/errors log for the client machine will have a message like AMQ9665E: SSL connection closed by remote end of channel ‘ECRSA1024’.
  2. Use this page to display the cipher spec, the certificate name and the keystore which were actually used in the handshake.  If they are not what you expect – fix the problem.
  3. In the server message AMQ9616E: The CipherSpec ‘TLS_RSA_WITH_AES_128_CBC_SHA256’ you get the cipher spec sent from the client, but you do not know the name of the channel!
  4. On the server display the channel: dis chl(ECRSA1024) CERTLABL SSLCIPH.  If CERTLABL is blank, use DIS QMGR CERTLABL to get the queue manager wide certificate label.
  5. Use  the command to display the certificate type
    1. runmqakm -cert -details -db zzserver.kdb -type cms -stashed -label RSA_SERVER
  6. Check the cipher specs at each end are compatible with the certificate.  The most likely problem is EC/RSA mismatch
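The three handshake steps in Colin’s comments and the final “check the cipher specs at each end are compatible with the certificate” step can be turned into a small mock of the negotiation. This is an added example, not code from the original post or from IBM MQ: the CipherSpec and alias names are real IBM MQ names, but the alias expansion list is a hand-picked subset, the required key type is derived from the CipherSpec name prefix, the certificate fragments are constructed in the openssl x509 -text layout quoted above, and the 2048-bit RSA minimum is a local policy assumption modelled on point (e).

```python
"""Mock of the MQ CipherSpec negotiation described in the post.
Added example, not IBM MQ code. Real CipherSpec/alias names, hand-picked subset."""
import re

# Subset of real IBM MQ TLS 1.2 CipherSpec names used to expand the aliases
# in this mock; the real ANY_TLS12 list is longer.
TLS12_SPECS = [
    "ECDHE_ECDSA_AES_128_GCM_SHA256",
    "ECDHE_ECDSA_AES_256_GCM_SHA384",
    "ECDHE_ECDSA_AES_128_CBC_SHA256",
    "ECDHE_RSA_AES_128_GCM_SHA256",
    "ECDHE_RSA_AES_256_GCM_SHA384",
    "ECDHE_RSA_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
]
TLS13_SPECS = ["TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"]
ALIASES = {
    "ANY_TLS12": TLS12_SPECS,
    "ANY_TLS13": TLS13_SPECS,
    "ANY_TLS12_OR_HIGHER": TLS12_SPECS + TLS13_SPECS,
}

# The openssl "Public Key Algorithm" names quoted in the post -> key type.
CERT_KEY_TYPES = {"id-ecPublicKey": "EC", "rsaEncryption": "RSA"}


def expand(sslciph):
    """SSLCIPH value (single spec or alias) -> ordered list of concrete specs."""
    return list(ALIASES.get(sslciph, [sslciph]))


def required_key_type(spec):
    """Key type the server certificate must hold for this spec: 'EC', 'RSA',
    or None for TLS 1.3 specs, whose signature algorithm is negotiated
    separately from the cipher. Derived from the CipherSpec name prefix."""
    if spec.startswith("ECDHE_ECDSA_"):
        return "EC"
    if spec.startswith(("ECDHE_RSA_", "TLS_RSA_WITH_")):
        return "RSA"
    if spec.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return None
    raise ValueError(f"unknown CipherSpec {spec!r}")


def parse_cert_text(text):
    """Extract (key_type, key_bits) from 'openssl x509 -text' style output."""
    alg = re.search(r"Public Key Algorithm:\s*(\S+)", text)
    bits = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    if not alg or not bits:
        raise ValueError("no Subject Public Key Info found")
    return CERT_KEY_TYPES[alg.group(1)], int(bits.group(1))


def negotiate(client_sslciph, server_sslciph, server_cert_text, min_rsa_bits=2048):
    """The three handshake steps from the post. Returns (spec, None) on success
    or (None, reason) where the real server would log AMQ9616E.
    min_rsa_bits models point (e) and is an assumption for this mock."""
    offered = expand(client_sslciph)                 # step 1: client's list
    accepted = set(expand(server_sslciph))
    common = [s for s in offered if s in accepted]   # step 2: anything in common?
    if not common:
        return None, "no CipherSpec in common between SSLCIPH values"
    key_type, bits = parse_cert_text(server_cert_text)
    for spec in common:                              # step 3: ask the certificate
        need = required_key_type(spec)
        if need is not None and need != key_type:
            continue
        if key_type == "RSA" and bits < min_rsa_bits:
            continue
        return spec, None
    return None, (f"common CipherSpecs {common} cannot be used with the server's "
                  f"{key_type} {bits}-bit certificate (EC/RSA mismatch or key too short)")


# Constructed certificate fragments in the layout quoted in the post.
EC_CERT = """\
    Subject Public Key Info:
        Public Key Algorithm: id-ecPublicKey
            Public-Key: (384 bit)
    Signature Algorithm: ecdsa-with-SHA256
"""
RSA_CERT = """\
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            RSA Public-Key: (2048 bit)
    Signature Algorithm: ecdsa-with-SHA256
"""
RSA1024_CERT = RSA_CERT.replace("2048 bit", "1024 bit")

if __name__ == "__main__":
    # The scenario in the post: client offers an RSA spec, server cert is EC.
    print(negotiate("TLS_RSA_WITH_AES_128_CBC_SHA256", "ANY_TLS12", EC_CERT))
    print(negotiate("ANY_TLS12", "ANY_TLS12", EC_CERT))
    print(negotiate("ANY_TLS12", "ANY_TLS12", RSA_CERT))
    print(negotiate("TLS_RSA_WITH_AES_128_CBC_SHA256", "ANY_TLS12", RSA1024_CERT))
```

The first call reproduces the AMQ9616E case from the resolution steps: the client’s TLS_RSA_WITH_AES_128_CBC_SHA256 is in the server’s ANY_TLS12 list, so step 2 passes, but the server certificate holds an EC key, so step 3 fails. Feed the function the SSLCIPH values from DIS CHL at each end and the certificate details from runmqakm (or openssl) to see which of the three steps is the one rejecting the connection.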