CA APM TIM shows SSL decode failures for TLS 1.x packets which use extension "Extended Master Secret" & TIM log contains message "Block size greater than Plaintext!"

Document ID : KB000005473
Last Modified Date : 23/07/2018
Issue:

The CA APM TIM is showing SSL decode failures for TLS 1.x traffic which has the "Extended Master Secret" TLS extension enabled. Research shows:

Environment:
APM TIM 9.x, 10.x
Cause:

The TIM does not support the Extended Master Secret (EMS) extension. Typical configurations in which the extension is enabled are:

1. Microsoft IIS web servers are in use and Microsoft security update 3081320 has been applied, which enables the Extended Master Secret extension for all TLS versions. See Microsoft Security Bulletin MS15-121 - Important: Security Update for Schannel to Address Spoofing (3081320).

2. An F5 Load Balancer is in use with Extended Master Secret enabled.
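Because RFC 7627 changes how the master secret is derived (it mixes the handshake transcript hash into the derivation), a passive decoder that still uses the legacy derivation computes the wrong session keys, and CBC record decryption then fails with the padding-style error seen in the TIM log. The first diagnostic step is therefore to confirm whether the server actually negotiates the extension. The following added example (not part of this article, and not CA or F5 code) is a small, self-contained TLS ServerHello parser that reports the extensions the server selected and flags extended_master_secret (extension type 0x0017). It assumes the standard TLS 1.0-1.2 ServerHello layout; the sample ServerHello bytes are constructed inline for the demonstration, not taken from a capture.

```python
import struct

# Extension type number assigned to extended_master_secret in RFC 7627.
EXTENDED_MASTER_SECRET = 0x0017

# A few well-known extension types, for readable reports only.
EXTENSION_NAMES = {
    0x0000: "server_name",
    0x000a: "supported_groups",
    0x000b: "ec_point_formats",
    0x0017: "extended_master_secret",
    0x0023: "session_ticket",
    0xff01: "renegotiation_info",
}


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello (TLS 1.0-1.2 layout).

    Returns the negotiated version, cipher suite and the list of extension
    types the server selected. Raises ValueError on truncated or malformed
    input instead of silently reporting 'no extensions'."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, _major, _minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != 22:  # 22 = handshake
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("record length field exceeds captured bytes")
    if len(body) < 4 or body[0] != 2:  # 2 = ServerHello
        raise ValueError("not a ServerHello handshake message")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated handshake message")

    pos = 0
    version = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    pos += 32                      # server random
    sid_len = hs[pos]
    pos += 1 + sid_len             # session id
    cipher_suite = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    pos += 1                       # compression method

    extensions = []
    if pos < len(hs):              # the extensions block is optional
        ext_total = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        if end > len(hs):
            raise ValueError("extensions length exceeds message")
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if pos + ext_len > end:
                raise ValueError("extension overruns extensions block")
            extensions.append(ext_type)
            pos += ext_len
    return {"version": version, "cipher_suite": cipher_suite, "extensions": extensions}


def uses_extended_master_secret(record: bytes) -> bool:
    """True when the server selected extended_master_secret in its ServerHello."""
    return EXTENDED_MASTER_SECRET in parse_server_hello(record)["extensions"]


def build_server_hello(extensions) -> bytes:
    """Constructed sample ServerHello (not a real capture) for exercising the parser.

    `extensions` is a list of (type, data) pairs; an empty list yields a
    ServerHello with no extensions block at all, which is legal."""
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    hs = (struct.pack("!H", 0x0303)        # TLS 1.2
          + bytes(32)                      # zero server random (constructed)
          + b"\x00"                        # empty session id
          + struct.pack("!H", 0xc02f)      # ECDHE-RSA-AES128-GCM-SHA256
          + b"\x00")                       # null compression
    if extensions:
        hs += struct.pack("!H", len(ext_bytes)) + ext_bytes
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return b"\x16\x03\x03" + struct.pack("!H", len(body)) + body


def describe(record: bytes) -> str:
    info = parse_server_hello(record)
    names = [EXTENSION_NAMES.get(t, f"0x{t:04x}") for t in info["extensions"]]
    verdict = "EMS negotiated: TIM cannot decode" if EXTENDED_MASTER_SECRET in info["extensions"] \
        else "EMS not negotiated"
    return f"version=0x{info['version']:04x} suite=0x{info['cipher_suite']:04x} ext={names} -> {verdict}"


if __name__ == "__main__":
    print(describe(build_server_hello([(0xff01, b"\x00"), (0x0017, b"")])))
    print(describe(build_server_hello([(0xff01, b"\x00")])))
    print(describe(build_server_hello([])))
```

To apply this to real traffic, feed `parse_server_hello` the first handshake record the server sends after the ClientHello (for example, the bytes of that record exported from a packet capture). If the server selects extended_master_secret, the fix in the Resolution section (disabling the extension on IIS or the F5) is what restores TIM decoding; if it does not, the decode failure has another cause.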

Resolution:

To work around the problem, Extended Master Secret needs to be disabled:

1. Security update 3081320 needs to be uninstalled, or the extension disabled via a registry update; see MS15-121: Security update for Schannel to address spoofing: November 10, 2015.

2. Disable Extended Master Secret on the F5 Load Balancer; see AskF5 article K66202244: Support for RFC 7627 extended master secret extension.

Additional Information:

A new architecture is being developed for the CEM TIM, named AUM (Adaptive User Monitoring), which will be more flexible and will offer the option of receiving unencrypted data directly from the web servers via a plugin extension. The first release is tentatively planned for APM SaaS (DXI) at the end of calendar year 2018, and the APM on-premise version is targeted for Spring (March/April/May) 2019.