search cancel

After upgrading to APM 10.x to get TIM TLS 1.1 & 1.2 support the 1.1 transactions are recorded successfully, but the 1.2 transactions are not.


Article ID: 42156


Updated On:


CA Application Performance Management Agent (APM / Wily / Introscope) INTROSCOPE



After upgrading to APM 10.x to get the TLS 1.1 & 1.2 support for the TIM the TLS 1.1 transactions are being recorded successfully, but the TLS 1.2 transactions are not. Is TLS 1.2 still not supported with APM 10.x?



Make these changes to get timlog*.txt files for analysis:

1. "Configure Tim Settings" and set MaxLogSizeInMB to 200 

2. "Configure Tim Trace Options" and set 3 options: "Trace HTTP components", "Trace connections" , "Trace SSL errors

The logs showed this type of Warning for TLS 1.2 transactions and unknown ciphersuites 156 and 157:


Trace: w11: Version: TLS 1.2 CipherSuite - Unknown (157) []:49876->[yyy.yyy.yyy.yyy.]:443 

! Warning: w11: sslprint: Unknown CipherSuite - 157 

! Warning: w11: sslinterface: network_process_packet: error 10 (unsupported ciphersuite), conn 13700999, packet 1542659108, []:49876->[yyy.yyy.yyy.yyy.]:443 ; ignoring further data 


The corresponding ciphersuites for values 156 & 157 can be determined from the TLS Cipher Suite Registry

156 (0x9C) and 157(0x9D) are the 2 GCM ciphers TLS_RSA_WITH_AES_128_GCM_SHA256  & TLS_RSA_WITH_AES_256_GCM_SHA384 

GCM ciphersuites are not supported by TIM



Disable the GCM ciphersuites on the web server to prevent the browser <-> web-server SSL handshake from using them.


Additional Information:

TEC1173225: There is additional support for TLS 1.1/1.2 in APM TIM 10.x and 9.6/9.7 Hot Fixes, but what are their supported ciphersuites

TEC1667615: Which Cipher Suites are supported CEM/TIM for decoding SSL hosted applications and how can I check those against the Ciphers installed on my web servers?


Release: CEMUGD00200-10.2-Introscope to CA Application-Performance Management-Upgrade Mai