TEC596473: After enabling SSL tracing, the TIM log is filled with Unsupported CipherSuite warnings. Should I be concerned?

Document created by Amir-Mushtaq on May 27, 2016. Last modified by J.J. Lovett on May 27, 2016.
Version 2

Document ID:  TEC596473

Last Modified Date:  7/31/2013
Authored By: Amir-Mushtaq

  • Products
    • CA Application Performance Management
  • Components
    • CUSTOMER EXPERIENCE MANAGER

 

Description: The following warnings are coming up on the TIM log after enabling SSL tracing.

    Warning: sslprint: Unsupported CipherSuite - 57 (TLS_DHE_RSA_WITH_AES_256_CBC_SHA)
    Warning: sslinterface: network_process_packet: error 10 (unsupported ciphersuite), conn 11745060, packet 187519287, [<IPAddress>]:20843->[<IPAddress>]:2221; ignoring further data

Please explain what could be the possible reason for these warning messages.

 

Solution: TIM is designed for passive decryption, but Diffie-Hellman is designed so that passive decryption is impossible.
There are a couple of known cipher suites which TIM cannot decode.

  • Any of the Diffie-Hellman suites (the TLS_DH or TLS_DHE ones), e.g.

    TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA

  • TLS_RSA-based cipher suites which use DES or 3DES, e.g.

    TLS_RSA_WITH_3DES_EDE_CBC_SHA

 

The warning message in the TIM log is simply indicating that the cipher suite is not supported.

Using this ciphersuite should not impact TIM performance.
If it is important to decode the application traffic, consult with your application server team to use another ciphersuite.

 

TIM uses the ssldecode library for its SSL decoding process. The following ciphers are supported by TIM based on testing:

TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_AES_256_CBC_SHA
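
The following Python script is an added example, not part of the original article or of CA APM. It parses the two warning lines shown in the Description and reports, per server endpoint, which unsupported suite was seen and which of the two categories above it falls under, so the application server team knows where to change the cipher suite. It assumes each sslprint warning is followed by its sslinterface line and that the right-hand address is the server; the sample log lines and 192.0.2.x addresses are constructed.

```python
import re
from collections import Counter

# Suites the article lists as decodable by TIM (both TLS_ and SSL_ spellings).
SUPPORTED = {f"{p}_RSA_WITH_{c}" for p in ("TLS", "SSL") for c in
             ("RC4_128_MD5", "RC4_128_SHA", "AES_128_CBC_SHA", "AES_256_CBC_SHA")}

SSLPRINT = re.compile(r"sslprint: Unsupported CipherSuite - (\d+) \((\w+)\)")
IFACE = re.compile(r"sslinterface: network_process_packet: error 10 .*?"
                   r"\[([^\]]+)\]:(\d+)->\[([^\]]+)\]:(\d+)")

def classify(suite):
    """Return why TIM cannot decode `suite`, using the article's two categories."""
    if suite in SUPPORTED:
        return "supported"
    key_exchange, _, cipher = suite.partition("_WITH_")
    # Matches TLS_DH_* and TLS_DHE_*; it also matches ECDHE, which the
    # article does not list but which is likewise a Diffie-Hellman exchange.
    if "DH" in key_exchange:
        return "diffie-hellman"
    if "DES" in cipher:
        return "des-3des"
    return "not-in-tested-list"

def summarize(lines):
    """Count warnings per (server endpoint, suite, reason)."""
    counts, pending = Counter(), None
    for line in lines:
        m = SSLPRINT.search(line)
        if m:
            pending = m.group(2)          # suite name from the sslprint line
            continue
        m = IFACE.search(line)
        if m and pending:                 # assumption: pairs with the previous sslprint line
            server = f"{m.group(3)}:{m.group(4)}"   # assumption: right-hand side is the server
            counts[(server, pending, classify(pending))] += 1
            pending = None
    return counts

# Constructed sample in the format quoted in the Description.
_DHE = "Warning: sslprint: Unsupported CipherSuite - 57 (TLS_DHE_RSA_WITH_AES_256_CBC_SHA)"
_DES = "Warning: sslprint: Unsupported CipherSuite - 10 (TLS_RSA_WITH_3DES_EDE_CBC_SHA)"
_IF = ("Warning: sslinterface: network_process_packet: error 10 (unsupported ciphersuite), "
       "conn {c}, packet {p}, [192.0.2.10]:{sp}->[{d}]:{dp}; ignoring further data")
SAMPLE = [_DHE, _IF.format(c=1, p=100, sp=20843, d="192.0.2.20", dp=2221),
          _DHE, _IF.format(c=2, p=180, sp=20844, d="192.0.2.20", dp=2221),
          _DES, _IF.format(c=3, p=250, sp=20845, d="192.0.2.21", dp=443)]

if __name__ == "__main__":
    for (server, suite, reason), n in sorted(summarize(SAMPLE).items()):
        print(f"{server}  {suite}  {reason}  x{n}")
```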

 
