[V7.5.0.2 Jul 2013]

System requirements for using SHA-2 cipher suites with MQTT clients

For Java 6 from IBM®, SR13 onwards, you can use SHA-2 cipher suites to secure your MQTT channels and client apps. However, SHA-2 cipher suites are not enabled by default until Java 7 from IBM, SR4 onwards, so in earlier versions you must specify the required suite. If you are running an MQTT client with your own JRE, you need to ensure that it supports the SHA-2 cipher suites. For your client apps to use SHA-2 cipher suites, the client must also set the SSL context to a value that supports Transport Layer Security (TLS) version 1.2.

For Java 7 from IBM, SR4 onwards, SHA-2 cipher suites are enabled by default. For Java 6 from IBM, SR13 and later service releases, if you define an MQTT channel without specifying a cipher suite, the channel will not accept connections from a client using a SHA-2 cipher suite. To use SHA-2 cipher suites, you must specify the required suite in the channel definition. This makes the MQTT server enable the suite before making connections. It also means that only client apps using the specified suite can connect to this channel.

There is a similar limitation for the MQTT client for Java. If the client code is running on a Java 1.6 JRE from IBM, the required SHA-2 cipher suites must be explicitly enabled. In order to use these suites, the client must also set the SSL context to a value that supports Version 1.2 of the Transport Layer Security (TLS) protocol. For example:
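// sslKeys is the application's own object holding the store path and password (not shown here).
MqttConnectOptions mqttConnectOptions = new MqttConnectOptions();
java.util.Properties sslClientProps = new java.util.Properties();
// This sample uses the same store file and password for both the key store and the trust store.
sslClientProps.setProperty("com.ibm.ssl.keyStore", sslKeys.clientKeyStore);
sslClientProps.setProperty("com.ibm.ssl.keyStorePassword", sslKeys.clientStorePassword);
sslClientProps.setProperty("com.ibm.ssl.trustStore", sslKeys.clientKeyStore);
sslClientProps.setProperty("com.ibm.ssl.trustStorePassword", sslKeys.clientStorePassword);
// Set the SSL context to TLS 1.2, which the SHA-2 cipher suites require.
sslClientProps.setProperty("com.ibm.ssl.protocol", "TLSv1.2");
// Explicitly enable the required SHA-2 suite; it must match the suite in the channel definition.
sslClientProps.setProperty("com.ibm.ssl.enabledCipherSuites", "SSL_RSA_WITH_AES_256_CBC_SHA256");
mqttConnectOptions.setSSLProperties(sslClientProps);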
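
If you run the client on your own JRE, you can check whether it provides a TLS 1.2 context and whether the required SHA-2 suite is supported and enabled by default. The following check is an added example, not part of the IBM sample code. The class name Sha2SuiteCheck is hypothetical, and the code assumes that IBM JREs name suites with an SSL_ prefix while other JREs use TLS_ for the same suite.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added example (hypothetical class name): reports whether this JRE can use a SHA-2 suite over TLS 1.2.
public class Sha2SuiteCheck {

    // Assumption: IBM JREs use an SSL_ prefix where other JREs use TLS_; compare on one form.
    static String normalize(String suite) {
        return suite.startsWith("SSL_") ? "TLS_" + suite.substring(4) : suite;
    }

    static boolean contains(String[] suites, String wanted) {
        Set<String> names = new HashSet<String>();
        for (String s : suites) {
            names.add(normalize(s));
        }
        return names.contains(normalize(wanted));
    }

    public static void main(String[] args) throws Exception {
        String suite = args.length > 0 ? args[0] : "SSL_RSA_WITH_AES_256_CBC_SHA256";
        SSLContext ctx;
        try {
            ctx = SSLContext.getInstance("TLSv1.2");
        } catch (NoSuchAlgorithmException e) {
            System.out.println("TLSv1.2 context: NOT available in this JRE");
            return;
        }
        ctx.init(null, null, null); // default key and trust managers; no connection is made
        SSLParameters supported = ctx.getSupportedSSLParameters();
        SSLParameters defaults = ctx.getDefaultSSLParameters();
        boolean isSupported = contains(supported.getCipherSuites(), suite);
        boolean isDefault = contains(defaults.getCipherSuites(), suite);
        System.out.println("JRE: " + System.getProperty("java.vendor") + " "
                + System.getProperty("java.version"));
        System.out.println("Protocols enabled by default: " + Arrays.toString(defaults.getProtocols()));
        System.out.println(suite + " supported: " + isSupported);
        System.out.println(suite + " enabled by default: " + isDefault);
        if (isSupported && !isDefault) {
            System.out.println("Enable it explicitly with com.ibm.ssl.enabledCipherSuites.");
        }
    }
}
```

A suite that is reported as supported but not enabled by default is the case in which the client must set com.ibm.ssl.enabledCipherSuites explicitly.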

As of June 2013, Internet Explorer 10 is the only browser that both works with the MQTT messaging client for JavaScript and supports the TLS 1.2 protocol, so it is the only browser you can use to make SHA-2 connections with the JavaScript client.

For a list of the cipher suites that are currently supported, see the related links.