After enabling SSL tracing, the TIM log is filled with Unsupported CipherSuite warnings

Document ID : KB000020399
Last Modified Date : 23/07/2018
Issue:

The following warnings appear in the TIM log after enabling SSL tracing.

Warning: sslprint: Unsupported CipherSuite - 57 (TLS_DHE_RSA_WITH_AES_256_CBC_SHA)
Warning: sslinterface: network_process_packet: error 10 (unsupported ciphersuite), conn 11745060, packet 187519287, [<IPAddress>]:20843->[<IPAddress>]:2221; ignoring further data

Please explain what could be the possible reason for these warning messages.

Environment:
APM CEM TIM 9.x, 10.x
Cause:

TIM is designed for passive decryption, but Diffie-Hellman is designed so that passive decryption is impossible.
There are some known CipherSuites which the TIM cannot decode, e.g.:

  • Any of the Diffie-Hellman suites (the TLS_DH or TLS_DHE ones), e.g.
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA
     
  • TLS_RSA-based ciphersuites which use DES or 3DES, e.g.
    TLS_RSA_WITH_3DES_EDE_CBC_SHA
Resolution:

TIM uses the ssldecode library for its SSL decoding process. The following ciphers are supported by TIM based on testing:
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_AES_256_CBC_SHA
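
An added example, not part of the original article or of CA's tooling: a Python script that tallies the sslprint warnings in a TIM log and tags each suite with the reason given under Cause, so the suites to disable or reorder on the web server can be identified. The function names, reason labels and the treatment of ECDH/ECDHE as Diffie-Hellman suites are assumptions; only the first two sample lines come from the article.

```python
import re
from collections import Counter

# Suites the article lists as decodable by TIM, with the TLS_/SSL_ prefix removed.
TIM_SUPPORTED = {
    "RSA_WITH_RC4_128_MD5", "RSA_WITH_RC4_128_SHA",
    "RSA_WITH_AES_128_CBC_SHA", "RSA_WITH_AES_256_CBC_SHA",
}

# Matches the sslprint warning format quoted in the Issue section.
WARNING_RE = re.compile(r"sslprint: Unsupported CipherSuite - (\d+) \((\w+)\)")

def classify(suite_name):
    """Map a cipher suite name to the article's reason it can or cannot be decoded."""
    base = re.sub(r"^(TLS|SSL)_", "", suite_name)
    key_exchange = base.split("_WITH_")[0].split("_")[0]
    # ECDH/ECDHE are an added assumption: the article names only TLS_DH and TLS_DHE.
    if key_exchange in {"DH", "DHE", "ECDH", "ECDHE"}:
        return "diffie-hellman"
    if "_DES_" in base or "3DES" in base:
        return "des-or-3des"
    if base in TIM_SUPPORTED:
        return "supported"
    return "not-in-tested-list"

def summarize(log_lines):
    """Count sslprint warnings per suite; return [(id, name, reason, count), ...]."""
    counts = Counter()
    for line in log_lines:
        match = WARNING_RE.search(line)
        if match:
            counts[(int(match.group(1)), match.group(2))] += 1
    return [(sid, name, classify(name), n)
            for (sid, name), n in sorted(counts.items())]

# Constructed sample: the first two lines follow the article's Issue section,
# the remaining lines are made up in the same format.
SAMPLE_LOG = [
    "Warning: sslprint: Unsupported CipherSuite - 57 (TLS_DHE_RSA_WITH_AES_256_CBC_SHA)",
    "Warning: sslinterface: network_process_packet: error 10 (unsupported ciphersuite), "
    "conn 11745060, packet 187519287, [<IPAddress>]:20843->[<IPAddress>]:2221; ignoring further data",
    "Warning: sslprint: Unsupported CipherSuite - 57 (TLS_DHE_RSA_WITH_AES_256_CBC_SHA)",
    "Warning: sslprint: Unsupported CipherSuite - 10 (TLS_RSA_WITH_3DES_EDE_CBC_SHA)",
]

if __name__ == "__main__":
    for sid, name, reason, n in summarize(SAMPLE_LOG):
        print(f"{n:4d}  {sid:5d}  {name}  [{reason}]")
```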

Additional Information:
See related KB articles: 
Which Cipher Suites are supported by CA APM CEM/TIM for decoding SSL hosted applications and how can I check those against the Ciphers installed on my web servers?
The TIM log is showing "TLS 1.2 CipherSuite - Unknown (49200)" but how do I find the name of the unsupported ciphersuite to disable in my web server.