Document ID: TEC1340575
Last Modified Date: 6/2/2016
Authored By: Hallett_German
- CA Application Performance Management
- CA Application Performance Management:Release:10.0
- CA Application Performance Management:Release:10.1
- CA Application Performance Management:Release:9.7
- CA Application Performance Management:Release:CA APM 9.7
- CUSTOMER EXPERIENCE MANAGER
Introduction: This explains the relationship between the TIM setting DisableTLS11And12RecordsProcessing and TLS 1.1/1.2 processing available in APM 10.x and as a hotfix in some earlier APM 9.x releases.

Question: We would like to implement TLS 1.1/1.2 processing in APM 10.x and as a hotfix in some earlier APM 9.x releases. How does the TIM setting DisableTLS11And12RecordsProcessing impact this?

Environment: The DisableTLS11And12RecordsProcessing setting is available in APM 9.1.7 and later.

Answer: In APM 9.17, this TIM setting changed the error message as outlined in TEC1360186. It also fixed some TLS 1.1/1.2 compatibility issues. However, full TLS 1.1/1.2 processing was not available until it was provided as a hotfix in some earlier APM 9.x releases and in APM 10.

Six very important notes:
- DisableTLS11And12RecordsProcessing will show up in the TIM log after startup whether explicitly set or not.
- Adding this setting does not require a TIM restart.
- If this parameter is not found in the TIM settings, the default disables any processing of TLS 1.1/1.2. Adding DisableTLS11And12RecordsProcessing to the TIM settings uses these values:
  - DisableTLS11And12RecordsProcessing = 1 disables processing of TLS 1.1/1.2.
  - DisableTLS11And12RecordsProcessing = 0 enables processing of TLS 1.1/1.2.
- So, DisableTLS11And12RecordsProcessing=1 (the default) means no TLS 1.1/1.2 decoding is done, while DisableTLS11And12RecordsProcessing=0 means that you want to decode TLS 1.1/1.2 records. Setting it to 0 is recommended in most cases, since modern browsers enable TLS 1.1/1.2 by default.
- If you have an APM 9.x release with the hotfix, or APM 10, don't forget to set DisableTLS11And12RecordsProcessing to 0. Otherwise you will never see TLS 1.1/1.2 decoding.
- Also note that enabling TLS 1.1/1.2 processing (setting this parameter to 0) will increase resource usage on the TIM, including CPU, memory and load.
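
To judge whether this setting matters for a given application, check which protocol version the monitored server actually selects. The following is an added example, not CA code: it reads the selected version from a raw ServerHello record and applies the setting rules listed above. The function names and the sample records are constructed for illustration.

```python
import struct

# Wire codes for the protocol versions (SSL 3.0 through TLS 1.2).
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def server_hello_version(record: bytes):
    """Return the version a server selected, read from a raw ServerHello record.

    Returns None if the bytes are not a complete ServerHello handshake record.
    TLS 1.3 also puts 0x0303 in this field, so it is reported as "TLS 1.2".
    """
    if len(record) < 11:
        return None
    ctype, _record_version, length = struct.unpack("!BHH", record[:5])
    if ctype != 22 or len(record) < 5 + length:  # 22 = handshake content type
        return None
    if record[5] != 2:  # 2 = server_hello handshake message
        return None
    (version,) = struct.unpack("!H", record[9:11])
    return VERSIONS.get(version, f"unknown (0x{version:04x})")

def setting_blocks_decoding(record: bytes, setting) -> bool:
    """True if this session is TLS 1.1/1.2 and the TIM setting leaves it undecoded.

    setting is the DisableTLS11And12RecordsProcessing value, None when absent.
    Per the article, absent or 1 disables processing and 0 enables it; treating
    any other value as disabled is an assumption of this example.
    """
    return server_hello_version(record) in ("TLS 1.1", "TLS 1.2") and setting != 0

def build_server_hello(version: int) -> bytes:
    """Constructed sample: minimal ServerHello with a zeroed random, no session id."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, version, len(handshake)) + handshake

if __name__ == "__main__":
    for code in (0x0301, 0x0302, 0x0303):
        hello = build_server_hello(code)
        for setting in (None, 1, 0):
            print(server_hello_version(hello), "setting =", setting,
                  "-> blocked:", setting_blocks_decoding(hello, setting))
```
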
1. What does the TIM log message "Warning: w15: sslinterface: network_process_packet: error 7 (bad data)... ignoring further data" mean?
2. APM Support for TLS 1.1/1.2 -- http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec614225.aspx