Getting a high percentage of SSL decode failures and "Unknown cipher suite" error messages in the TIM log.

Document ID : KB000004098
Last Modified Date : 14/02/2018
Issue:

 The "TIM SSL Servers" page shows that about 90% of "Total connections" are "Connections with decode failures", and more than half of those are "Unsupported cipher suites".

[Image: tim_ssl_servers_page.png]

  The TIM log ("timlog.txt") shows repeated warning messages like the one below:

  3587 ! Warning: w20: sslinterface: network_process_packet: error 10 (unsupported ciphersuite), conn 277107, packet 60792088, [<ip_address>]:39919->[<ip_address>]:443; ignoring further data

 

Environment:
The web server is running on Windows Server 2012 R2. APM/TIM 10.0 is installed. TIM is not on an MTP.
Cause:

DH/DHE (Diffie-Hellman) cipher suites are not supported by TIM.

Resolution:

  Remove any DH/DHE (Diffie-Hellman) cipher suites from the cipher suite configuration on the web server, so that packets containing those cipher suites do not get forwarded to TIM.

  * Cipher Suites configuration on the web server.

Initially:

[Image: image001_6.png]

After DH/DHE cipher suites were removed:

[Image: image002_1.png]

 After the above change is made (mainly in the "SSL Cipher Suite Order" section), there are no longer "Unsupported cipher suites" messages.
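
To confirm the effect of the change, the warnings in "timlog.txt" can be counted per server endpoint before and after it. The Python below is an added example, not part of the original document or of the product; its regular expression is modelled only on the one warning line quoted above, and the sample lines and IP addresses are constructed.

```python
import re
from collections import Counter

# Modelled on the single warning line quoted in this article; other TIM
# versions may format the line differently (assumption).
WARNING_RE = re.compile(
    r"Warning: \w+: sslinterface: network_process_packet: "
    r"error (?P<code>\d+) \((?P<reason>[^)]+)\), conn (?P<conn>\d+), "
    r"packet \d+, \[(?P<src>[^\]]+)\]:\d+->\[(?P<dst>[^\]]+)\]:(?P<dport>\d+)"
)

def summarize_decode_errors(lines):
    """Count sslinterface warnings per (server, port, reason).

    Each connection id is counted once, so a repeated line for the same
    connection does not inflate the totals.
    """
    seen_conns = set()
    counts = Counter()
    for line in lines:
        m = WARNING_RE.search(line)
        if m is None or m["conn"] in seen_conns:
            continue
        seen_conns.add(m["conn"])
        counts[(m["dst"], int(m["dport"]), m["reason"])] += 1
    return counts

# Constructed sample lines (documentation-range IPs), not real log data.
_FMT = ("{n} ! Warning: w20: sslinterface: network_process_packet: error 10 "
        "(unsupported ciphersuite), conn {conn}, packet {pkt}, "
        "[{src}]:{sport}->[{dst}]:{dport}; ignoring further data")
SAMPLE_LOG = [
    _FMT.format(n=3587, conn=277107, pkt=60792088, src="198.51.100.7",
                sport=39919, dst="192.0.2.10", dport=443),
    _FMT.format(n=3588, conn=277108, pkt=60792143, src="198.51.100.8",
                sport=40112, dst="192.0.2.10", dport=443),
    # Same connection id again: must not be counted twice.
    _FMT.format(n=3589, conn=277108, pkt=60792150, src="198.51.100.8",
                sport=40112, dst="192.0.2.10", dport=443),
    "3590 Info: unrelated line",
    _FMT.format(n=3591, conn=277109, pkt=60792201, src="198.51.100.9",
                sport=51544, dst="192.0.2.11", dport=8443),
]

if __name__ == "__main__":
    for (server, port, reason), n in summarize_decode_errors(SAMPLE_LOG).most_common():
        print(f"{server}:{port}  {reason}: {n} connection(s)")
```

Run against the real log with `summarize_decode_errors(open("timlog.txt"))`; a server endpoint that still appears with "unsupported ciphersuite" after the change is still negotiating a cipher suite TIM cannot decode.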

Additional Information:

 TEC1667615: Which Cipher Suites are supported CEM/TIM for decoding SSL hosted applications and how can I check those against the Ciphers installed on my web servers?