TIM shows SSL decode failures for TLS 1.x packets which use the "Extended Master Secret" extension, and the TIM log contains the message "Block size greater than Plaintext!"

Document ID : KB000005473
Last Modified Date : 14/02/2018
Issue:

The TIM is showing SSL decode failures for TLS 1.x traffic on which the "Extended Master Secret" TLS extension (RFC 7627) has been negotiated, and the TIM log contains the message "Block size greater than Plaintext!".

Environment:
APM TIM 9.x, 10.x
Cause:

The TIM does not support the Extended Master Secret (EMS) extension (RFC 7627). When EMS is negotiated, both peers derive the master secret from a hash of the handshake transcript rather than from the client and server random values, so a passive decoder that only implements the original TLS derivation computes a different master secret and, from it, the wrong session keys; the decrypted records are then garbage, which surfaces as the decode failures and the log message above. This is typically seen in two deployments:

1. Microsoft IIS web servers on which security update 3081320 has been applied. That update enables the Extended Master Secret extension for all TLS versions (Microsoft Security Bulletin MS15-121 - Important: Security Update for Schannel to Address Spoofing (3081320)).

2. An F5 load balancer terminating the TLS connections with Extended Master Secret enabled.
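As an added example (not CA's code or the TIM's), the Python below parses a TLS 1.2 ServerHello to check whether EMS (extension type 0x0017) was negotiated on a connection, and computes the RFC 5246 and RFC 7627 master-secret derivations side by side to show why a decoder that only implements the former, even though it holds the server's RSA private key and so the pre-master secret, ends up with the wrong keys. The ServerHello, pre-master secret, random values and handshake transcript are constructed for the example, not captured traffic; the PRF shown is the TLS 1.2 SHA-256 PRF (TLS 1.0/1.1 use a different PRF, but the same label and seed change applies).

```python
"""Added example for this KB article (not CA's or TIM's code): detect whether a
TLS 1.2 ServerHello negotiated the Extended Master Secret extension (RFC 7627,
type 0x0017) and show why a passive decoder that only implements the RFC 5246
master-secret derivation then ends up with the wrong keys. The ServerHello
below is constructed, not captured traffic."""
import hashlib
import hmac
import struct

EXT_EXTENDED_MASTER_SECRET = 0x0017  # extension type assigned by RFC 7627


def parse_extensions(data: bytes) -> dict:
    """Parse a TLS extensions block: 2-byte total length, then type/len/body."""
    exts = {}
    if len(data) < 2:          # extensions block absent (legal in a ServerHello)
        return exts
    (total,) = struct.unpack("!H", data[:2])
    body = data[2:2 + total]
    pos = 0
    while pos + 4 <= len(body):
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        exts[ext_type] = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
    return exts


def server_hello_negotiates_ems(record: bytes) -> bool:
    """True if a TLS record holding a ServerHello carries the EMS extension.

    A server only echoes the extension when the client offered it, so the
    ServerHello alone tells you whether EMS is in effect for the connection.
    """
    # Record header: type(1) version(2) length(2); handshake: type(1) length(3)
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a ServerHello handshake record")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    pos = 2 + 32                         # server_version, random
    pos += 1 + body[pos]                 # session_id (length-prefixed)
    pos += 2 + 1                         # cipher_suite, compression_method
    return EXT_EXTENDED_MASTER_SECRET in parse_extensions(body[pos:])


def build_server_hello(with_ems: bool) -> bytes:
    """Constructed TLS 1.2 ServerHello selecting TLS_RSA_WITH_AES_128_CBC_SHA256
    (0x003C, an RSA key-exchange suite a passive decoder could otherwise handle)
    with an empty session ID, optionally carrying the EMS extension."""
    exts = struct.pack("!HH", EXT_EXTENDED_MASTER_SECRET, 0) if with_ems else b""
    body = (b"\x03\x03" + bytes(range(32)) + b"\x00" + b"\x00\x3c" + b"\x00"
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed), RFC 5246 s.5."""
    seed = label + seed
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def legacy_master_secret(pms: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """RFC 5246 section 8.1: what a decoder without EMS support computes."""
    return tls12_prf(pms, b"master secret", client_random + server_random, 48)


def extended_master_secret(pms: bytes, session_hash: bytes) -> bytes:
    """RFC 7627 section 4: what the peers compute when EMS was negotiated."""
    return tls12_prf(pms, b"extended master secret", session_hash, 48)


def decoder_keys_match(pms: bytes, client_random: bytes, server_random: bytes,
                       handshake_messages: bytes, ems_negotiated: bool) -> bool:
    """Does a legacy-only decoder holding the RSA private key (hence the PMS)
    derive the same master secret as the peers? The two derivations use a
    different label and a different seed, so with EMS on the answer is no."""
    peers = (extended_master_secret(pms, hashlib.sha256(handshake_messages).digest())
             if ems_negotiated else legacy_master_secret(pms, client_random, server_random))
    return legacy_master_secret(pms, client_random, server_random) == peers


if __name__ == "__main__":
    # Constructed inputs: a 48-byte PMS, two 32-byte randoms, a handshake transcript.
    pms, c_rand, s_rand = bytes(48), bytes(range(32)), bytes(range(32, 64))
    transcript = build_server_hello(True)
    for ems in (False, True):
        print("EMS negotiated:", server_hello_negotiates_ems(build_server_hello(ems)),
              "-> legacy decoder derives correct keys:",
              decoder_keys_match(pms, c_rand, s_rand, transcript, ems))
```

To check real traffic, extract the ServerHello record from a packet capture of the affected connection and pass it to server_hello_negotiates_ems(); a True result confirms the connection is in the unsupported case before any change is made on the server or load balancer.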

Resolution:

To work around the problem, Extended Master Secret needs to be disabled on the endpoint whose traffic the TIM decodes:

1. Uninstall security update 3081320, or disable it via the registry update described in MS15-121: Security update for Schannel to address spoofing: November 10, 2015.

2. Disable Extended Master Secret on the F5 load balancer, as described in AskF5 K66202244: Support for RFC 7627 extended master secret extension.

Note that MS15-121 is a security update that addresses a TLS spoofing weakness, and the F5 setting exists for the same reason; disabling EMS removes that protection for every TLS client of the affected server, not just the TIM. Restrict the change to the servers or virtual servers the TIM must decode and weigh it against the monitoring requirement.

Additional Information:

A new platform is being developed for the TIM that will be more flexible and will allow the option of receiving unencrypted data directly from the web servers via a plug-in extension, removing the need to decrypt TLS from the network. The first release is tentatively scheduled for the end of calendar year 2017.