After disabling Diffie-Hellman and GCM ciphers, the TIM SSL Server Status page still shows many unsupported cipher suite decode failures, and unsupported ECDH and AES-GCM ciphers are visible in the TIM logs.

Document ID : KB000006413
Last Modified Date : 14/02/2018
Issue:

After disabling Diffie-Hellman and GCM ciphers, the TIM SSL Server Status page still shows many "unsupported cipher suite" decode failures, and the TIM logs also report unsupported ECDH and AES-GCM cipher suites, for example:

"CipherSuite - Unknown (49171)" = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xC013, ECDHE key exchange)

"CipherSuite - Unknown (156)" = TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009C, AES-GCM record layer)

The web server has this SSLCipherSuite setting:

AES128-SHA:ALL:!ADH:!CAMELLIA:!GCM:!LOW:!MD5:!SSLV2:!NULL

Environment:
CA APM TIM 9.x, 10.x
Cause:

Diffie-Hellman and GCM cipher suites fall under several different OpenSSL cipher-string classifications, e.g. DH, ADH, EDH and ECDH for the key exchange and GCM, AESGCM for the record layer. All of them need to be disabled to force the web server to negotiate a cipher suite that is supported by the TIM. The original setting excluded only anonymous DH (!ADH), so ephemeral DHE and ECDHE suites such as TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA were still offered. The OpenSSL alias for AES-GCM suites is AESGCM, not GCM; an unrecognized keyword such as !GCM is silently ignored by the cipher-string parser rather than rejected, so the GCM suites were never removed either. The TIM decodes traffic passively using the server's RSA private key; a DHE or ECDHE key exchange gives each session a key that the server's private key cannot recover, which is why those suites fail to decode.

Resolution:

The following SSLCipherSuite setting successfully disabled all Diffie-Hellman and GCM ciphers:

ALL:!DH:!EDH:!ECDH:!ADH:!CAMELLIA:!GCM:!AESGCM:!LOW:AES128-SHA:!MD5:!SSLV2:!NULL 

After restarting the web server (so the new SSLCipherSuite took effect) and the TIM, the refreshed TIM SSL Server Status page showed valid connections with no decode failures for unsupported cipher suites.

The TIM logs also reported that this supported cipher suite was being used: TLS_RSA_WITH_AES_256_CBC_SHA (53, 0x0035).

Additional Information:

Before applying a cipher string, verify the list it actually produces on the web server's own OpenSSL build with `openssl ciphers -v '<SSLCipherSuite value>'`; every remaining line should show Kx=RSA and no Enc=AESGCM. Newer OpenSSL releases also ship AEAD suites that !AESGCM does not cover (for example AES-CCM and ARIA-GCM with RSA key exchange); this article does not cover them, so exclude them as well (e.g. !AESCCM:!ARIA) if they appear in the expanded list.

Note that restricting the server to RSA key exchange with CBC suites removes forward secrecy and AEAD protection from its TLS configuration. Apply the setting only to the virtual hosts the TIM must decode, and review it again when the TIM is upgraded or retired.
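To show why the first SSLCipherSuite string left ECDHE and AES-GCM suites enabled while the second did not, the following script (an added example, not part of the article or of CA's TIM software) expands both strings through the OpenSSL library linked into the local Python and flags the suites the TIM cannot decode. The function names `expand`, `tim_blockers` and `still_not_rsa_cbc` are the example's own; the exact suites reported depend on the local OpenSSL version, and TLS 1.3 suites are skipped because the directive does not govern them.

```python
"""Expand two Apache SSLCipherSuite strings with the local OpenSSL and report
which enabled suites a passive RSA-key decryptor such as the TIM cannot decode."""
import re
import ssl

# Cipher strings quoted in the KB article: the setting that failed and the one that worked.
BEFORE = "AES128-SHA:ALL:!ADH:!CAMELLIA:!GCM:!LOW:!MD5:!SSLV2:!NULL"
AFTER = "ALL:!DH:!EDH:!ECDH:!ADH:!CAMELLIA:!GCM:!AESGCM:!LOW:AES128-SHA:!MD5:!SSLV2:!NULL"

# Fields of an "openssl ciphers -v" description line, e.g. "Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD"
_FIELD = re.compile(r"(Kx|Enc|Mac)=(\S+)")


def expand(cipher_string):
    """Return [(openssl_name, kx, enc, mac), ...] for every TLS <= 1.2 suite the
    string enables, in server preference order, using OpenSSL's own parser."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Unknown keywords such as !GCM or !SSLV2 are ignored by OpenSSL; set_ciphers
    # only raises if nothing at all matches.
    ctx.set_ciphers(cipher_string)
    suites = []
    for c in ctx.get_ciphers():
        # TLS 1.3 suites are fixed AEAD suites outside this directive's control
        # (and did not exist for TIM 9.x/10.x), so they are left out.
        if c["protocol"] == "TLSv1.3":
            continue
        fields = dict(_FIELD.findall(c["description"]))
        suites.append((c["name"], fields["Kx"], fields["Enc"], fields["Mac"]))
    return suites


def tim_blockers(cipher_string):
    """Suites the article says the TIM cannot decode: (EC)DH key exchange or AES-GCM."""
    out = []
    for name, kx, enc, mac in expand(cipher_string):
        if kx in ("DH", "ECDH"):
            out.append((name, "%s key exchange: session key not recoverable from the RSA private key" % kx))
        elif enc.startswith("AESGCM"):
            out.append((name, "AES-GCM record layer not supported by the TIM"))
    return out


def still_not_rsa_cbc(cipher_string):
    """Anything left that is not plain RSA key exchange with a CBC/HMAC record layer.
    On OpenSSL builds newer than the article's this catches AES-CCM, ARIA-GCM,
    PSK and SRP suites that !DH:!ECDH:!AESGCM do not cover; review them by hand."""
    return [(name, kx, enc, mac) for name, kx, enc, mac in expand(cipher_string)
            if kx != "RSA" or mac == "AEAD"]


if __name__ == "__main__":
    for label, value in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        suites = expand(value)
        blockers = tim_blockers(value)
        print("%s: %d suites enabled, %d the TIM cannot decode" % (label, len(suites), len(blockers)))
        for name, why in blockers:
            print("   blocked:", name, "-", why)
        for row in still_not_rsa_cbc(value):
            print("   review :", *row)
```

Run it on the web server host (or any host with the same OpenSSL version) and the BEFORE output lists ECDHE-RSA-AES128-SHA and AES128-GCM-SHA256, the OpenSSL names of the two suites the TIM logged as unknown, while the AFTER output lists none of them and keeps AES256-SHA, the suite the TIM later reported as in use.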