TEC1340575: What is the default setting for DisableTLS11And12RecordsProcessing?

Document created by Hallett_German Employee on Jun 16, 2016
Last modified by SamCreek on Jun 16, 2016
Version 2

Document ID:  TEC1340575
Last Modified Date:  6/2/2016
Authored By: Hallett_German

  • Products
    • CA Application Performance Management
  • Releases
    • CA Application Performance Management:Release:10.0
    • CA Application Performance Management:Release:10.1
    • CA Application Performance Management:Release:9.7
    • CA Application Performance Management:Release:CA APM 9.7
  • Components
    • CUSTOMER EXPERIENCE MANAGER

 

Introduction:
This explains the relationship between the TIM setting DisableTLS11And12RecordsProcessing and the TLS 1.1/1.2 processing available in APM 10.x and as a hotfix in some earlier APM 9.x releases.

Question:
We would like to implement TLS 1.1/1.2 processing in APM 10.x and as a hotfix in some earlier APM 9.x releases. How does the TIM setting DisableTLS11And12RecordsProcessing impact this?

Environment:
The DisableTLS11And12RecordsProcessing setting is available in APM 9.1.7 and later.

Answer:
In APM 9.17, this TIM setting changed the error message as outlined in TEC1360186. It also fixed some TLS 1.1/1.2 compatibility issues. However, full TLS 1.1/1.2 processing was not provided until it was delivered as a hotfix in some earlier APM 9.x releases and in APM 10.

Six very important notes:

  1. DisableTLS11And12RecordsProcessing will show up in the TIM log after startup whether explicitly set or not.
  2. Adding this setting does not require a TIM restart.
  3. If this parameter is not found in the TIM settings, the default disables any processing of TLS 1.1/1.2. Adding DisableTLS11And12RecordsProcessing to the TIM settings uses these values:
    1. DisableTLS11And12RecordsProcessing = 1 disables processing of TLS 1.1/1.2.
    2. DisableTLS11And12RecordsProcessing = 0 enables processing of TLS 1.1/1.2.
  4. So DisableTLS11And12RecordsProcessing=1 (the default) means no TLS 1.1 decoding is done, while DisableTLS11And12RecordsProcessing=0 means that you want to decode TLS 1.1/1.2 records. The latter will be the recommended setting in most cases, since modern browsers enable TLS 1.1/1.2 by default.
  5. If you have an APM 9.x release with the hotfix (HF) or APM 10, don't forget to set DisableTLS11And12RecordsProcessing to 0. Otherwise you will never see TLS 1.1/1.2 decoding.
  6. Also note that enabling TLS 1.1/1.2 processing with this parameter will increase the load on the TIM, including CPU and memory.
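
The default rule in notes 1, 3 and 4 can be checked against a TIM log excerpt. The following is an added example, not CA code: the log line layout (setting name, optional "=" or ":", then 0 or 1), taking the last logged value as the effective one, and the sample lines are assumptions constructed for illustration.

```python
import re

SETTING = "DisableTLS11And12RecordsProcessing"
# Assumed log shape: setting name, optional "=" or ":", then 0 or 1.
VALUE_RE = re.compile(re.escape(SETTING) + r"\s*[=:]?\s*([01])\b")
# Warning text quoted under "Additional Information" (TEC1360186).
BAD_DATA = "network_process_packet: error 7 (bad data)"


def tls11_12_status(log_lines):
    """Return (effective_value, decoding_enabled, bad_data_count, seen_in_log)."""
    value = None
    bad_data_count = 0
    for line in log_lines:
        match = VALUE_RE.search(line)
        if match:
            value = int(match.group(1))  # assumption: last logged value wins
        if BAD_DATA in line:
            bad_data_count += 1
    seen_in_log = value is not None
    # Note 3: when the parameter is absent, the default (1) disables processing.
    effective = value if seen_in_log else 1
    # Note 4: only a value of 0 turns TLS 1.1/1.2 record decoding on.
    return effective, effective == 0, bad_data_count, seen_in_log


# Constructed sample lines; a real TIM log may be laid out differently.
SAMPLE_LOG = [
    "Tue Jun 14 10:00:01 2016 Config: DisableTLS11And12RecordsProcessing = 1",
    "Tue Jun 14 10:02:17 2016 Warning: w15: sslinterface: "
    "network_process_packet: error 7 (bad data)... ignoring further data",
    "Tue Jun 14 10:30:44 2016 Config: DisableTLS11And12RecordsProcessing = 0",
]

if __name__ == "__main__":
    effective, enabled, bad, seen = tls11_12_status(SAMPLE_LOG)
    print(f"{SETTING} = {effective} (seen in log: {seen})")
    print("TLS 1.1/1.2 decoding:", "enabled" if enabled else "disabled")
    print("'error 7 (bad data)' warnings:", bad)
```

If the setting is not seen in the excerpt at all, the excerpt probably does not cover TIM startup (note 1), and the function falls back to the documented default of 1.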

Additional Information:

  1. What does the TIM log message "Warning: w15: sslinterface: network_process_packet: error 7 (bad data)... ignoring further data" mean? -- http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec1360186.aspx
  2. APM Support for TLS 1.1/1.2 -- http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec614225.aspx
