After disabling Diffie-Hellman and GCM ciphers TIM SSL Server Status page still shows many unsupported cipher suite decode failures with unsupported ECDH and AES GCM ciphers visible in TIM logs.

Article Id: 6413

Status: Published

Updated On: 14-02-2018 07:55

Legacy Id: TEC1419466

Products:

CA Application Performance Management Agent (APM / Wily / Introscope) INTROSCOPE

Issue/Introduction:

After disabling Diffie-Hellman and GCM ciphers the TIM SSL Server Status page still shows many unsupported cipher suite decode failures and TIM logs also show unsupported ECDH and AES GCM ciphers i.e.

"CipherSuite - Unknown (49171)" = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

"CipherSuite - Unknown (156)" = TLS_RSA_WITH_AES_128_GCM_SHA256

The web server has this SSLCipherSuite setting:

AES128-SHA:ALL:!ADH:!CAMELLIA:!GCM:!LOW:!MD5:!SSLV2:!NULL

Cause:

Diffie-Hellman and GCM ciphers have several different classifications e.g. DH, ADH, EDH, ECDH and GCM, AESGCM. They all need to be disabled to force the web server to use a cipher suite that is supported by the TIM.

Environment:

CA APM TIM 9.x, 10.x

Resolution:

This final setting for SSLCipherSuite was successful in disabling all Diffie-Hellman & GCM ciphers

ALL:!DH:!EDH:!ECDH:!ADH:!CAMELLIA:!GCM:!AESGCM:!LOW:AES128-SHA:!MD5:!SSLV2:!NULL

After restarting the TIM the refreshed TIM SSL Server Status page then showed valid connections with no decode failures for unsupported cipher suites.

The TIM logs also reported that this supported cipher was being used: TLS_RSA_WITH_AES_256_CBC_SHA (53)

Additional Information:

The TIM log is showing "TLS 1.2 CipherSuite - Unknown (49200)" but how do I find the name of the unsupported ciphersuite to disable in my web server.

Which Cipher Suites are supported CEM/TIM for decoding SSL hosted applications and how can I check those against the Ciphers installed on my web servers?