Problem:
After upgrading to APM 10.x to get TLS 1.1 and 1.2 support for the TIM, the TLS 1.1 transactions are being recorded successfully, but the TLS 1.2 transactions are not. Is TLS 1.2 still not supported with APM 10.x?
Cause:
Make these changes to get timlog*.txt files for analysis:
1. "Configure Tim Settings" and set MaxLogSizeInMB to 200
2. "Configure Tim Trace Options" and set 3 options: "Trace HTTP components", "Trace connections", "Trace SSL errors"
The logs showed this type of Warning for TLS 1.2 transactions and unknown ciphersuites 156 and 157:
===
Trace: w11: Version: TLS 1.2 CipherSuite - Unknown (157) [xxx.xxx.xxx.xxx.]:49876->[yyy.yyy.yyy.yyy.]:443
! Warning: w11: sslprint: Unknown CipherSuite - 157
! Warning: w11: sslinterface: network_process_packet: error 10 (unsupported ciphersuite), conn 13700999, packet 1542659108, [xxx.xxx.xxx.xxx.]:49876->[yyy.yyy.yyy.yyy.]:443 ; ignoring further data
===
The ciphersuites corresponding to values 156 and 157 can be determined from the TLS Cipher Suite Registry.
156 (0x9C) and 157 (0x9D) are the two GCM ciphersuites TLS_RSA_WITH_AES_128_GCM_SHA256 and TLS_RSA_WITH_AES_256_GCM_SHA384.
GCM ciphersuites are not supported by TIM.
Resolution:
Disable the GCM ciphersuites on the web server to prevent the browser <-> web-server SSL handshake from using them.
Additional Information:
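The following is an added example, not part of the original article or the product. It is a Python script that scans timlog*.txt lines for the "CipherSuite - Unknown (N)" trace shown above and counts which web server endpoints negotiated which unsupported suite, so you can see where the ciphersuites need to be disabled. The sample log lines and addresses are constructed, and the line format is assumed to match the excerpt above.

```python
import re
from collections import Counter

# Names from the IANA TLS Cipher Suite Registry; these are the two suites
# identified in this article. Other IDs are reported for manual lookup.
KNOWN_SUITES = {
    156: "TLS_RSA_WITH_AES_128_GCM_SHA256",  # 0x9C
    157: "TLS_RSA_WITH_AES_256_GCM_SHA384",  # 0x9D
}

# Matches only the "Trace:" line, which appears once per handshake, so the
# two follow-up "Warning:" lines do not inflate the counts.
TRACE_RE = re.compile(
    r"Version: (?P<ver>TLS [\d.]+) CipherSuite - Unknown \((?P<id>\d+)\) "
    r"\[[^\]]+\]:\d+->\[(?P<dst>[^\]]+)\]:(?P<dport>\d+)"
)


def unsupported_suites(lines):
    """Count handshakes per (server, port, TLS version, suite id, suite name)."""
    hits = Counter()
    for line in lines:
        m = TRACE_RE.search(line)
        if m is None:
            continue
        suite_id = int(m["id"])
        name = KNOWN_SUITES.get(suite_id, "unlisted; check the IANA registry")
        server = m["dst"].rstrip(".")  # the excerpt shows a trailing dot inside the brackets
        hits[(server, int(m["dport"]), m["ver"], suite_id, name)] += 1
    return hits


# Constructed sample in the format of the excerpt above (documentation addresses).
SAMPLE_LOG = """\
Trace: w11: Version: TLS 1.2 CipherSuite - Unknown (157) [192.0.2.10.]:49876->[198.51.100.5.]:443
! Warning: w11: sslprint: Unknown CipherSuite - 157
! Warning: w11: sslinterface: network_process_packet: error 10 (unsupported ciphersuite), conn 1, packet 2, [192.0.2.10.]:49876->[198.51.100.5.]:443 ; ignoring further data
Trace: w03: Version: TLS 1.2 CipherSuite - Unknown (156) [192.0.2.11.]:50112->[198.51.100.6.]:8443
Trace: w11: Version: TLS 1.2 CipherSuite - Unknown (157) [192.0.2.12.]:50200->[198.51.100.5.]:443
""".splitlines()

if __name__ == "__main__":
    for (server, port, ver, sid, name), n in unsupported_suites(SAMPLE_LOG).most_common():
        print(f"{server}:{port}  {ver}  suite {sid} (0x{sid:02X}) {name}: {n} handshake(s)")
```

Run it over the real log lines by passing an open timlog file (or any iterable of lines) to `unsupported_suites` in place of `SAMPLE_LOG`.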