What is the default setting for DisableTLS11And12RecordsProcessing?

Article ID: 39497

Products

CA Application Performance Management Agent (APM / Wily / Introscope) INTROSCOPE

Issue/Introduction

Introduction:

This article explains the relationship between the TIM setting DisableTLS11And12RecordsProcessing and the TLS 1.1/1.2 processing available in APM 10.x and as a hotfix in some earlier APM 9.x releases.

Question:

We would like to implement TLS 1.1/1.2 processing in APM 10.x and as a hotfix in some earlier APM 9.x releases. How does the TIM setting DisableTLS11And12RecordsProcessing impact this?

Environment:

The DisableTLS11And12RecordsProcessing setting is available in APM 9.1.7 and later.

Answer:

In APM 9.1.7, this TIM setting changed the error message as outlined in TEC1360186. It also fixed some TLS 1.1/1.2 compatibility issues. However, full TLS 1.1/1.2 processing was not available until it was provided as a hotfix in some earlier APM 9.x releases and in APM 10.

Six very important notes:

  1. DisableTLS11And12RecordsProcessing shows up in the TIM log after startup whether it is explicitly set or not.
  2. Adding this setting does not require a TIM restart.
  3. If this parameter is not found in the TIM settings, the default disables any processing of TLS 1.1/1.2. When DisableTLS11And12RecordsProcessing is added to the TIM settings, it takes these values:
    1. DisableTLS11And12RecordsProcessing = 1 disables processing of TLS 1.1/1.2.
    2. DisableTLS11And12RecordsProcessing = 0 enables processing of TLS 1.1/1.2.
  4. So, DisableTLS11And12RecordsProcessing=1 (the default) means no TLS 1.1 decoding is done, while DisableTLS11And12RecordsProcessing=0 means that you want to decode TLS 1.1/1.2 records. Setting the value to 0 is recommended in most cases, since modern browsers enable TLS 1.1/1.2 by default.
  5. If you have an APM 9.x release with the hotfix, or APM 10, don't forget to set DisableTLS11And12RecordsProcessing to 0. Otherwise you will never see TLS 1.1/1.2 decoding.
  6. Also note that enabling TLS 1.1/1.2 processing with this parameter will increase the load on the TIM, including CPU and memory usage.

Additional Information:

  1. What does the TIM log message "Warning: w15: sslinterface: network_process_packet: error 7 (bad data)... ignoring further data" mean? -- http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec1360186.aspx
  2. APM Support for TLS 1.1/1.2 -- http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec614225.aspx

Environment

Release: CEMUGD00200-9.7-Introscope to CA Application-Performance Management-Upgrade Main