TEC1667615: Which Cipher Suites are supported by CEM/TIM for decoding SSL hosted applications, and how can I check those against the Ciphers installed on my web servers?

Document created by Lynn_Williams Employee on May 25, 2016Last modified by SamCreek on May 25, 2016

Author: Lynn_Williams

Document ID:  TEC1667615
Last Modified Date:  2/17/2016

  • Products
    • CA Application Performance Management
  • Releases
    • CA Application Performance Management:Release:10.0
    • CA Application Performance Management:Release:CA APM 9.7
    • CA Application Performance Management:Release:CA APM 9.6
    • CA Application Performance Management:Release:CA APM 9.5
    • CA Application Performance Management:Release:9.7
    • CA Application Performance Management:Release:9.6.1
    • CA Application Performance Management:Release:9.5.6
    • CA Application Performance Management:Release:9.6
    • CA Application Performance Management:Release:9.5.5
    • CA Application Performance Management:Release:9.5.3
    • CA Application Performance Management:Release:9.5.2
    • CA Application Performance Management:Release:9.5.1
    • CA Application Performance Management:Release:9.1.7
    • CA Application Performance Management:Release:9.5
    • CA Application Performance Management:Release:9.1.5
    • CA Application Performance Management:Release:9.1.6
    • CA Application Performance Management:Release:9.1.1
    • CA Application Performance Management:Release:9.1.0
    • CA Application Performance Management:Release:9.1.4
    • CA Application Performance Management:Release:9.1 SP2
    • CA Application Performance Management:Release:9.08
    • CA Application Performance Management:Release:9.07
  • Components


Description: Which Cipher Suites are supported by CEM/TIM for decoding SSL hosted applications, and how can I check those against the Ciphers installed on my web servers?

Solutions:

  • CEM supports the following algorithms for the symmetrical encryption of data: DES, Triple DES, RC4, RC2, and AES. Both U.S.-exportable and non-U.S.-exportable versions of all supported symmetrical ciphers are supported.
  • In effect, all ciphers that come with the installed TIM openssl library are supported EXCEPT the DH or DHE (Diffie-Hellman) ciphers, which are theoretically impossible to decipher in the passive monitoring mode used by the TIM: the session key is agreed between browser and server and never travels on the wire, so a monitor holding only the server's private key cannot recover it. If the web servers are configured not to support those ciphers, the browser will negotiate a different one.

Attached to this article is the utility script check_ciphers.sh, which verifies which of the TIM openssl library's ciphers are also installed on a remote HTTPS web server. After the script is run, the resulting log file lists the ciphers available on both sides under "Supported ciphers" and the remainder under "NOT Supported ciphers." NOTE: If DH/DHE ciphers are installed on the web server, they will be listed under "Supported ciphers", but in effect they are not supported, for the passive-mode reason explained above.

Attachments: check_ciphers.zip, DEPLOY-check_ciphers.txt

*Acknowledgement to Joerg Mertin (CA APM Engineering Services) for providing this information and the script.

Additional Information (Feb 2016)

See the new KB article TEC1173225 ("There is additional support for TLS 1.1/1.2 in APM TIM 10.x and 9.6/9.7 Hot Fixes, but what are their supported ciphersuites"), which has updated information on supported ciphers. Independent of TLS version, the TIM can support all ciphers EXCEPT:

  • DH/DHE (Diffie-Hellman)
  • Camellia

If your TIM can access the web servers, you can run the check_ciphers.sh script on it, but bear in mind that even if the script output states "supported", any ciphers of the above 3 types are still not supported. The script also uses the OpenSSL library installed on the server rather than the ssldump support embedded in the TIM's program libraries. However, for pre-TLS 1.1/1.2 the libraries are effectively the same, and there is no real change in the type of ciphers supported due to the TLS 1.1/1.2 protocol itself. So the script output is still valid, subject to what is stated above.
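The check described above, written out as an added example (this is not the attached check_ciphers.sh and not CA's code): it walks every cipher the local OpenSSL knows, offers each one to the web server, and, unlike the attachment's log, splits the "Supported" set by whether a passive monitor could actually decode it. It assumes the local `openssl` binary stands in for the TIM's library, as the article does, and it flags ECDH/ECDHE and TLS 1.3 suites on the same ephemeral-key reasoning the article gives for DH/DHE, which the article itself does not state.

```shell
#!/bin/sh
# Passive-decode cipher check (added example, not the article's check_ciphers.sh).
# Assumes the local `openssl` binary is the TIM's OpenSSL, as the article does.
# Usage: sh check_passive_ciphers.sh <host> [port]

# Classify one line of `openssl ciphers -v` output for a passive monitor:
#   passive-undecodable : key exchange is DH/DHE (Kx=DH) or ECDH/ECDHE (Kx=ECDH),
#                         or a TLS 1.3 suite (always ephemeral); the session key
#                         is never derivable from the server's private key alone
#   unsupported-cipher  : Camellia, which the article lists as unsupported
#   decodable           : RSA key transport, which the TIM can decode
classify_line() {
    case "$1" in
        TLS_*|*Kx=DH*|*Kx=ECDH*) echo "passive-undecodable" ;;
        *Enc=Camellia*)          echo "unsupported-cipher" ;;
        *)                       echo "decodable" ;;
    esac
}

# Offer a single cipher to the server; succeed only if it negotiated exactly
# that cipher (a TLS 1.3 server may pick TLS_AES_* instead, which counts as no).
# stdin comes from printf so s_client does not consume the caller's loop input.
server_accepts() {
    printf 'Q\n' | openssl s_client -connect "$2:$3" -servername "$2" \
        -cipher "$1" 2>/dev/null | grep -q "Cipher is $1\$"
}

# Walk every cipher the local OpenSSL knows and report it the way the article's
# log does, but split "Supported" by whether the TIM could actually decode it.
check_server() {
    host=$1; port=$2
    openssl ciphers -v 'ALL:COMPLEMENTOFALL' | while read -r line; do
        name=${line%% *}
        kind=$(classify_line "$line")
        if server_accepts "$name" "$host" "$port"; then
            case "$kind" in
                decodable) echo "Supported ciphers: $name" ;;
                *)         echo "Supported by server, NOT decodable by TIM ($kind): $name" ;;
            esac
        else
            echo "NOT Supported ciphers: $name"
        fi
    done
}

# Only probe when a host is given, so the functions can also be sourced/tested.
if [ -n "${1:-}" ]; then
    check_server "$1" "${2:-443}"
fi
```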
