DX Application Performance Management

  • 1.  nginx disable ciphersuite for CEM monitoring

    Posted Apr 10, 2017 06:50 PM

    Hi Community

     

    Actually I have a problem with web application CEM analysis because the SSL traffic has an unknown cipher suite:

     

    Tim logs:

    Mon Apr 10 21:38:00 2017 22637 ! Warning: w15: sslprint: Unknown CipherSuite - 49200
    Mon Apr 10 21:38:00 2017 22637 ! Warning: w15: sslinterface: network_process_packet: error 10 (unsupported ciphersuite), conn 1056666, packet 74631872, [52.42.22.59]:52252->[207.79.208.59]:443; ignoring further data

     

    When I convert (49200) to hex representation, I have 0xC030 cipher (ECDHE_RSA_WITH_AES_256_GCM_SHA384).

     

    But I don't know how to set the ECDHE_RSA_WITH_AES_256_GCM_SHA384 exclusion for the NGINX web server.

    Has anyone made this configuration?

     

    Regards

    Aldo



  • 2.  Re: nginx disable ciphersuite for CEM monitoring

    Posted Apr 10, 2017 08:53 PM

    This reference could be helpful:

    NGINX + HTTPS 101: The Basics & Getting Started - NGINX 

     

    Francis



  • 3.  Re: nginx disable ciphersuite for CEM monitoring
    Best Answer

    Broadcom Employee
    Posted Apr 11, 2017 08:52 AM

    Dear Aldo:

     

    https://cipherli.st/

     

    Change this line in nginx.conf:

    # ciphers chosen for forward secrecy and compatibility
    # http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA3


    https://gist.github.com/plentz/6737338



  • 4.  Re: nginx disable ciphersuite for CEM monitoring

    Broadcom Employee
    Posted Apr 11, 2017 09:32 AM

    Dear Aldo:

    Since specific answers on next steps were provided, this was marked as answered. You may ask follow-up questions as needed.

     

    Thanks 

    Hal German



  • 5.  Re: nginx disable ciphersuite for CEM monitoring

    Posted Apr 12, 2017 11:37 AM

    Hi Hallet,

     

    I reviewed your recommendation about adding this to nginx.conf:

     

    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA3

     

    But the problem with this directive is the support for the Diffie Hellman "DHE" cipher (not supported by TIM).

     

    I would like to remove only the ECDHE_RSA_WITH_AES_256_GCM_SHA384 directive but leave the rest as it is.

    Is it possible?

     

    Regards

     

    Aldo Fiorentini.



  • 6.  Re: nginx disable ciphersuite for CEM monitoring

    Broadcom Employee
    Posted Apr 12, 2017 12:37 PM

    Hi Aldo:

    My reading of that document is that you can add or remove specific SSL cipher suites. So I believe the answer is yes.
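
The exclusion asked about in this thread, as an added example that is not part of any post above: it reads the numeric suite ID from the TIM warning, maps it to the OpenSSL name, and builds an `ssl_ciphers` value with that suite removed. The base list is an assumption (only the four complete names visible in the truncated directive), and the ID table and function names are constructed for illustration.

```python
import re

# Constructed sample: the two TIM warning lines quoted in the first post.
TIM_LOG = (
    "Mon Apr 10 21:38:00 2017 22637 ! Warning: w15: sslprint: "
    "Unknown CipherSuite - 49200\n"
    "Mon Apr 10 21:38:00 2017 22637 ! Warning: w15: sslinterface: "
    "network_process_packet: error 10 (unsupported ciphersuite), "
    "conn 1056666, packet 74631872, "
    "[52.42.22.59]:52252->[207.79.208.59]:443; ignoring further data\n"
)

# Assumption: base list = the four complete names visible in the truncated
# ssl_ciphers line in the thread (the rest of that line is cut off).
BASE = ("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
        "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256")

# IANA TLS cipher suite ID -> OpenSSL name (subset; extend as needed).
OPENSSL_NAMES = {
    0x009C: "AES128-GCM-SHA256",
    0x009D: "AES256-GCM-SHA384",
    0x009E: "DHE-RSA-AES128-GCM-SHA256",
    0x009F: "DHE-RSA-AES256-GCM-SHA384",
    0xC02F: "ECDHE-RSA-AES128-GCM-SHA256",
    0xC030: "ECDHE-RSA-AES256-GCM-SHA384",
}

def unknown_suite_ids(log):
    """Return the distinct suite IDs TIM reported as unknown, sorted."""
    return sorted({int(n) for n in re.findall(r"Unknown CipherSuite - (\d+)", log)})

def exclude(cipher_string, names):
    """Drop each name from the list and append !name, so a group keyword
    (e.g. HIGH) elsewhere in the string cannot bring the suite back."""
    banned = set(names)
    kept = [t for t in cipher_string.split(":") if t and t not in banned]
    return ":".join(kept + ["!" + n for n in names])

def nginx_directive(log, base=BASE, extra=()):
    """Build ssl_ciphers from the log; KeyError if an ID is not in the table."""
    ids = unknown_suite_ids(log)
    names = [OPENSSL_NAMES[i] for i in ids] + list(extra)
    return f'ssl_ciphers "{exclude(base, names)}";'

if __name__ == "__main__":
    print([f"{i} = 0x{i:04X}" for i in unknown_suite_ids(TIM_LOG)])
    print(nginx_directive(TIM_LOG))
```

Running `openssl ciphers -v` on the quoted value lists the suites OpenSSL will actually enable, which is a quick check before reloading nginx. Other names, such as the DHE entries mentioned in post 5, can be passed through `extra`.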