After enabling SSL tracing, the TIM log is filled with Unsupported CipherSuite warnings

Article ID: 20399

Products

CA Application Performance Management Agent (APM / Wily / Introscope) INTROSCOPE

Issue/Introduction

The following warnings are coming up on the TIM log after enabling SSL tracing.

Warning: sslprint: Unsupported CipherSuite - 57 (TLS_DHE_RSA_WITH_AES_256_CBC_SHA)
Warning: sslinterface: network_process_packet: error 10 (unsupported ciphersuite), conn 11745060, packet 187519287, [<IPAddress>]:20843->[<IPAddress>]:2221; ignoring further data

Please explain what could be the possible reason for these warning messages.

Environment

APM CEM TIM 9.x, 10.x

Cause

TIM is designed for passive decryption, but Diffie-Hellman key exchange is designed so that passive decryption is impossible: both ends agree on the session key without ever sending it, so a device that only observes the traffic cannot recover it.
There are some known CipherSuites which the TIM cannot decode, e.g.

  • Any of the Diffie-Hellman suites (TLS_DH or TLS_DHE ones), e.g.
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA

  • TLS_RSA based ciphersuites which use DES or 3DES, e.g.
    TLS_RSA_WITH_3DES_EDE_CBC_SHA

Resolution

TIM uses the ssldecode library for its SSL decoding process. The following ciphers are supported by TIM based on testing:
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_AES_256_CBC_SHA
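The following script is an added example, not part of this article or of the TIM product. It ties the Cause and Resolution sections together: it scans TIM log lines for the "Unsupported CipherSuite" warning shown above, classifies each suite by the reason TIM cannot decode it (Diffie-Hellman key exchange, or an RSA suite using DES/3DES), and checks a web server's cipher list against the tested list from the Resolution. The reason labels, the function names, the sample log lines other than the first and the sample server list are all constructed for the example. It goes slightly beyond the article by treating ECDH/ECDHE suites like DH/DHE, since they also use Diffie-Hellman key agreement; that is an assumption of the example, not a statement from the article.

```python
import re
from typing import Iterable, List, Tuple

# Ciphersuites this KB article lists as decodable by TIM (ssldecode library).
TIM_SUPPORTED_CIPHERSUITES = frozenset({
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_AES_256_CBC_SHA",
})

# Matches the sslprint warning quoted in the article, e.g.
# "Warning: sslprint: Unsupported CipherSuite - 57 (TLS_DHE_RSA_WITH_AES_256_CBC_SHA)"
WARNING_RE = re.compile(
    r"Unsupported CipherSuite - (?P<code>\d+) \((?P<name>[A-Z0-9_]+)\)"
)

# Reason labels returned by classify_ciphersuite (names chosen for this example).
SUPPORTED = "supported"
DH_KEY_EXCHANGE = "dh-key-exchange"      # key agreed, never sent: passive decryption impossible
DES_CIPHER = "rsa-des-or-3des"           # RSA key exchange, but a bulk cipher TIM does not decode
OTHER_UNSUPPORTED = "other-unsupported"  # not in the tested list and not explained by the article


def classify_ciphersuite(name: str) -> str:
    """Return why TIM can or cannot passively decrypt the named suite."""
    if name in TIM_SUPPORTED_CIPHERSUITES:
        return SUPPORTED
    # The article names TLS_DH/TLS_DHE; ECDH/ECDHE are matched too as an
    # assumption of this example, since they are Diffie-Hellman key agreement as well.
    if re.match(r"^(TLS|SSL)_(EC)?DHE?_", name):
        return DH_KEY_EXCHANGE
    if re.match(r"^(TLS|SSL)_RSA_WITH_(DES|3DES)_", name):
        return DES_CIPHER
    return OTHER_UNSUPPORTED


def scan_tim_log(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Extract (code, suite name, reason) for every Unsupported CipherSuite warning."""
    findings = []
    for line in lines:
        m = WARNING_RE.search(line)
        if m:
            name = m.group("name")
            findings.append((int(m.group("code")), name, classify_ciphersuite(name)))
    return findings


def suites_tim_cannot_decode(server_suites: Iterable[str]) -> List[Tuple[str, str]]:
    """Given the suites a web server offers, list those TIM cannot decode, with the reason."""
    return [(s, classify_ciphersuite(s)) for s in server_suites
            if classify_ciphersuite(s) != SUPPORTED]


# Constructed sample log: the first two lines are the warnings quoted in the article
# (IP addresses replaced with placeholders); the third is made up for a 3DES suite
# (decimal 10 is the IANA code point for TLS_RSA_WITH_3DES_EDE_CBC_SHA).
SAMPLE_TIM_LOG = [
    "Warning: sslprint: Unsupported CipherSuite - 57 (TLS_DHE_RSA_WITH_AES_256_CBC_SHA)",
    "Warning: sslinterface: network_process_packet: error 10 (unsupported ciphersuite), "
    "conn 11745060, packet 187519287, [<IPAddress>]:20843->[<IPAddress>]:2221; ignoring further data",
    "Warning: sslprint: Unsupported CipherSuite - 10 (TLS_RSA_WITH_3DES_EDE_CBC_SHA)",
]

# Constructed server cipher list, as one might copy from a web server's TLS configuration.
SAMPLE_SERVER_SUITES = [
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

if __name__ == "__main__":
    for code, name, reason in scan_tim_log(SAMPLE_TIM_LOG):
        print(f"TIM warning {code:>5}  {name:<40} {reason}")
    for suite, reason in suites_tim_cannot_decode(SAMPLE_SERVER_SUITES):
        print(f"server offers {suite}: {reason}")
```

Run against a real TIM log, the first function gives a de-duplicable list of the suites that triggered the warning; run against the server's configured list, the second function shows which suites would need to be removed (or which RSA suites from the tested list must be preferred) before TIM can decode the traffic, which is the check the related KB articles below describe.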

Additional Information

See related KB articles: 
Which Cipher Suites are supported by CA APM CEM/TIM for decoding SSL hosted applications and how can I check those against the Ciphers installed on my web servers?
The TIM log is showing "TLS 1.2 CipherSuite - Unknown (49200)" but how do I find the name of the unsupported ciphersuite to disable in my web server.