
mTLS works between client and IBM MQ if the client keystore has certificate only for serverAuth, not clientAuth #540

Closed
WalkerWalker opened this issue Oct 24, 2023 · 1 comment

WalkerWalker commented Oct 24, 2023

As the title mentions, mTLS works between the client and IBM MQ if the client keystore has a certificate only for serverAuth, not clientAuth. But that should not be the case.

For example, following the official guide here https://developer.ibm.com/tutorials/configuring-mutual-tls-authentication-java-messaging-app/ we can establish the mTLS connection successfully, and the client log has the following "Produced client Certificate handshake message":

javax.net.ssl|DEBUG|1E|pool-1-thread-1|2023-10-24 15:00:55.214 UTC|CertificateMessage.java:330|Produced client Certificate handshake message (
"Certificates": [
  "certificate" : {
    "version"            : "v3",
    "serial number"      : "2A FC D8 2F BB 31 14 F4",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=openshift-service-serving-signer@1628590423",
    "not before"         : "2023-10-09 10:17:28.000 UTC",
    "not  after"         : "2025-10-08 10:17:29.000 UTC",
    "subject"            : "CN=jms-bulk-messaging.fate-sample-app-dev.svc",
    "subject public key" : "RSA",
    "extensions"         : [
      {
        ObjectId: 1.3.6.1.4.1.2312.17.100.2.1 Criticality=false
      },
      {
        ObjectId: 2.5.29.35 Criticality=false
        AuthorityKeyIdentifier [
        KeyIdentifier [
        0000: 0A 3C 75 40 B5 A3 8B F3   88 E9 C0 68 52 FE 03 1C  .<u@.......hR...
        0010: E3 80 3D DE                                        ..=.
        ]
        ]
      },
      {
        ObjectId: 2.5.29.19 Criticality=true
        BasicConstraints:[
          CA:false
          PathLen: undefined
        ]
      },
      {
        ObjectId: 2.5.29.37 Criticality=false
        ExtendedKeyUsages [
          serverAuth
        ]
      },
      {
        ObjectId: 2.5.29.15 Criticality=true
        KeyUsage [
          DigitalSignature
          Key_Encipherment
        ]
      },
      {
        ObjectId: 2.5.29.17 Criticality=false
        SubjectAlternativeName [
          DNSName: jms-bulk-messaging.fate-sample-app-dev.svc
          DNSName: jms-bulk-messaging.fate-sample-app-dev.svc.cluster.local
        ]
      },
      {
        ObjectId: 2.5.29.14 Criticality=false
        SubjectKeyIdentifier [
        KeyIdentifier [
        0000: 98 E7 99 77 B0 3A ED AA   21 51 65 D6 44 34 45 48  ...w.:..!Qe.D4EH
        0010: B0 1E 10 48                                        ...H
        ]
        ]
      }
    ]},
  "certificate" : {...},
  "certificate" : {...}
]
)

More specifically the certificate has the field

        ExtendedKeyUsages [
          serverAuth
        ]

and in my understanding, it should prevent the mTLS handshake from succeeding because it doesn't have clientAuth. But it seems that IBM MQ doesn't care about ExtendedKeyUsages.

@arthurbarr (Contributor)

The TLS handshake is managed as part of the IBM MQ software, and I don't think anything you've mentioned is related to this sample repository. Can I please suggest that you raise this as a support ticket against the MQ software?
