After disabling Diffie-Hellman and GCM ciphers, the TIM SSL Server Status page still shows many unsupported cipher suite decode failures, and unsupported ECDH and AES-GCM ciphers are still visible in the TIM logs.

Article ID: 6413

Products

Application Performance Management: CA Application Performance Management Agent (APM / Wily / Introscope), Customer Experience Manager (CEM), Introscope

Issue/Introduction

After disabling the Diffie-Hellman and GCM ciphers, the TIM SSL Server Status page still shows many "unsupported cipher suite" decode failures, and the TIM logs still show ECDH and AES-GCM cipher suites that the TIM cannot decode. The number in parentheses is the decimal form of the IANA cipher suite code point, for example:

"CipherSuite - Unknown (49171)" = 0xC013 = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

"CipherSuite - Unknown (156)" = 0x009C = TLS_RSA_WITH_AES_128_GCM_SHA256

The web server has this SSLCipherSuite setting (an OpenSSL cipher string):

AES128-SHA:ALL:!ADH:!CAMELLIA:!GCM:!LOW:!MD5:!SSLV2:!NULL

Cause

Diffie-Hellman and GCM ciphers appear under several different OpenSSL cipher-string aliases: DH, ADH, EDH and ECDH for the key exchange, and GCM and AESGCM for the cipher mode. The original setting excludes only ADH (anonymous DH), so the ephemeral DH and ECDH suites stay enabled, and "!GCM" on its own did not remove the AES-GCM suites either (suite 156, TLS_RSA_WITH_AES_128_GCM_SHA256, was still negotiated). All of these aliases need to be excluded to force the web server to negotiate a cipher suite the TIM supports. The underlying reason is that the TIM decrypts the traffic passively with the web server's private key: that only works when the session key is exchanged with plain RSA, because a key agreed with (EC)DH cannot be recovered from the server's private key alone.

Environment

CA APM TIM 9.x, 10.x

Resolution

This final SSLCipherSuite setting successfully disabled all Diffie-Hellman and GCM ciphers:

ALL:!DH:!EDH:!ECDH:!ADH:!CAMELLIA:!GCM:!AESGCM:!LOW:AES128-SHA:!MD5:!SSLV2:!NULL

After restarting the TIM, the refreshed TIM SSL Server Status page showed valid connections with no decode failures for unsupported cipher suites.

The TIM logs also reported that a supported cipher was now in use: TLS_RSA_WITH_AES_256_CBC_SHA (53 = 0x0035).

Before applying a cipher string, check what it actually leaves enabled on the web server's OpenSSL build with "openssl ciphers -v '<cipher string>'": every remaining line should show Kx=RSA and none should show Enc=AESGCM. Note that this configuration deliberately removes forward secrecy (only static RSA key exchange remains), so anyone who later obtains the server's private key can decrypt recorded sessions exactly as the TIM does; restrict the cipher string to the hosts the TIM must monitor.

Additional Information

The TIM log shows "TLS 1.2 CipherSuite - Unknown (49200)". How do I find the name of the unsupported cipher suite so I can disable it in my web server? The number is the decimal form of the IANA code point: 49200 = 0xC030 = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, which can be looked up in the IANA TLS Cipher Suite registry.

Which cipher suites are supported by CEM/TIM for decoding SSL-hosted applications, and how can I check those against the ciphers enabled on my web servers?
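The following script is an added example, not code from the CA article or the APM product; it answers both questions above in one place. It decodes the decimal cipher suite numbers the TIM prints (e.g. "Unknown (49200)") into their IANA names, classifies each by key exchange and cipher mode, and then applies an SSLCipherSuite string with the local OpenSSL (through Python's ssl module) to list the suites a web server using that string could still negotiate but the TIM could not decode. Assumptions: the "decodable" rule (static RSA key exchange, no GCM) is derived from this article rather than an official TIM support list; the sample log lines are constructed in the shape the article quotes, not real TIM output; and the OpenSSL check reflects the OpenSSL version on the machine where the script runs, not necessarily the one on the web server.

```python
"""Decode TIM cipher suite numbers and check an SSLCipherSuite string.

Added example (not part of the CA article). The "decodable" rule below is
derived from the article: static RSA key exchange and no GCM. It is not an
official TIM support matrix.
"""
import re
import ssl

# IANA TLS Cipher Suite registry code points (RFC 5246 / 5288 / 5289 values).
# The TIM prints the code point in decimal, e.g. "Unknown (49200)" = 0xC030.
IANA_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0x009F: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC027: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

# Constructed log lines in the shape the article quotes (not real TIM output).
SAMPLE_LOG_LINES = [
    "TLS 1.2 CipherSuite - Unknown (49200)",
    "CipherSuite - Unknown (49171)",
    "CipherSuite - Unknown (156)",
    "CipherSuite - TLS_RSA_WITH_AES_256_CBC_SHA (53)",
    "TIM started",  # carries no cipher suite information
]


def suite_name(code_point):
    """IANA name for a code point, or UNKNOWN_0x.... if it is not in the table."""
    return IANA_SUITES.get(code_point, "UNKNOWN_0x%04X" % code_point)


def key_exchange(name):
    """Key-exchange token of an IANA suite name: TLS_<KX>[_<AUTH>]_WITH_..."""
    return name.split("_")[1] if name.startswith("TLS_") else "?"


def cipher_mode(name):
    return "GCM" if "_GCM_" in name else ("CBC" if "_CBC_" in name else "OTHER")


def tim_decodable(name):
    """Article rule: the TIM recovers the session key with the server's RSA
    private key, so only static RSA key exchange works, and GCM is out too."""
    return key_exchange(name) == "RSA" and cipher_mode(name) != "GCM"


LOG_RE = re.compile(r"CipherSuite\s*-\s*[^()]*\((\d+)\)")


def decode_log_line(line):
    """Decode one TIM-style log line, or return None if it names no suite."""
    m = LOG_RE.search(line)
    if not m:
        return None
    cp = int(m.group(1))
    name = suite_name(cp)
    return {"code_point": cp, "hex": "0x%04X" % cp, "name": name,
            "kx": key_exchange(name), "mode": cipher_mode(name),
            "decodable": tim_decodable(name)}


def triage(lines):
    return [d for d in (decode_log_line(line) for line in lines) if d]


DESC_RE = re.compile(r"Kx=(\S+).*Enc=(\S+)")


def suites_enabled_by(cipher_string):
    """Apply an OpenSSL cipher string (as in SSLCipherSuite) with the local
    OpenSSL; return (name, code point, Kx, Enc) per enabled TLS <= 1.2 suite."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    enabled = []
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue  # TLS 1.3 suites are not governed by the cipher string
        m = DESC_RE.search(c["description"])
        kx, enc = m.groups() if m else ("?", "?")
        enabled.append((c["name"], c["id"] & 0xFFFF, kx, enc))
    return enabled


def still_undecodable(cipher_string):
    """Suites the server could still negotiate that the TIM would report as
    decode failures: non-RSA key exchange or AES-GCM."""
    return [s for s in suites_enabled_by(cipher_string)
            if s[2] != "RSA" or "GCM" in s[3]]


if __name__ == "__main__":
    for d in triage(SAMPLE_LOG_LINES):
        print("%5d %s %-40s Kx=%-6s %-5s %s" % (
            d["code_point"], d["hex"], d["name"], d["kx"], d["mode"],
            "ok" if d["decodable"] else "DECODE FAILURE"))
    ORIGINAL = "AES128-SHA:ALL:!ADH:!CAMELLIA:!GCM:!LOW:!MD5:!SSLV2:!NULL"
    FIXED = ("ALL:!DH:!EDH:!ECDH:!ADH:!CAMELLIA:!GCM:!AESGCM:!LOW:"
             "AES128-SHA:!MD5:!SSLV2:!NULL")
    for label, cs in (("original", ORIGINAL), ("resolution", FIXED)):
        try:
            bad = still_undecodable(cs)
        except ssl.SSLError as err:
            print("%s string rejected by local OpenSSL: %s" % (label, err))
            continue
        print("%s string: %d suite(s) the TIM could not decode" % (label, len(bad)))
        for name, cp, kx, enc in bad:
            print("   %-32s 0x%04X Kx=%-8s Enc=%s" % (name, cp, kx, enc))
```

Run it on the web server host, or anywhere with a comparable OpenSSL, and paste your own SSLCipherSuite value into FIXED: an empty "could not decode" list for that string is the condition the article's Resolution reaches. Suites the local OpenSSL knows but the small table here does not still get a correct key-exchange and mode verdict from the OpenSSL description, only the IANA name lookup for TIM log numbers is limited to the table.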