We're running Dynatrace 6.0, and using the URL Monitor plugin (on Windows 2008r2).
Recently our Web team attempted to disable TLS 1.0 for incoming HTTPS Web queries, and found that a number of monitors reported the host unreachable, although the sites were still reachable in a browser. They re-enabled TLS 1.0 and the incidents ended.
Is it a limitation of Dynatrace and/or the URL Monitor plugin that TLS 1.1 and 1.2 are not supported? If so, is there anything we can do to change this?
Although SunJSSE in the Java SE 7 release supports TLS 1.1 and TLS 1.2, neither version is enabled by default for client connections. Some servers do not implement forward compatibility correctly and refuse to talk to TLS 1.1 or TLS 1.2 clients. For interoperability, SunJSSE does not enable TLS 1.1 or TLS 1.2 by default for client connections.
So I am guessing that our plugin (which is written in Java) does not have TLS 1.1 and 1.2 enabled.
If you have some development knowledge, you can easily alter the plugin to enable the support.
Do you have a public URL to test against?
Thanks for the response. I do not have a public URL, since the change was reversed when they saw the effect on the monitors. (I did find a Java file at https://bugs.launchpad.net/ubuntu/+source/openjdk-7/+bug/1314113 that will display the supported and enabled SSL protocols.)
I do have some development experience, but not much with Java. From what I've found, JDK 8 has TLS 1.1 and 1.2 enabled by default, so if I can recompile the package using that, it might work (or there are options for JDK 7 compilation).
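An added example, not part of the original posts and not Dynatrace plugin code: a stand-alone JSSE check that prints the supported and enabled client protocols for the default context and for a context requested as `TLSv1.2`, then optionally handshakes with a host using only TLS 1.1/1.2. The class name and the command-line arguments are assumptions made for illustration.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Hypothetical class name; uses only standard JSSE calls.
public class TlsClientProtocols {

    // "supported" = what the provider implements; "enabled" = what a client offers by default.
    static void report(String label, SSLContext ctx) {
        System.out.println(label);
        System.out.println("  supported: "
                + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
        System.out.println("  enabled:   "
                + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
    }

    public static void main(String[] args) throws Exception {
        report("Default context", SSLContext.getDefault());

        // Ask for a TLS 1.2 context explicitly instead of relying on the JRE default.
        SSLContext tls12 = SSLContext.getInstance("TLSv1.2");
        tls12.init(null, null, null); // default key managers, trust managers, SecureRandom
        report("TLSv1.2 context", tls12);

        if (args.length == 0) {
            return; // no host given: only print the protocol lists
        }
        String host = args[0];
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;

        try (SSLSocket s = (SSLSocket) tls12.getSocketFactory().createSocket(host, port)) {
            // Offer only TLS 1.1 and 1.2, limited to names this JRE actually supports.
            List<String> wanted = new ArrayList<>();
            for (String p : s.getSupportedProtocols()) {
                if (p.equals("TLSv1.1") || p.equals("TLSv1.2")) {
                    wanted.add(p);
                }
            }
            s.setEnabledProtocols(wanted.toArray(new String[0]));
            s.startHandshake(); // throws SSLException if the server rejects these versions
            System.out.println("negotiated " + s.getSession().getProtocol()
                    + " with " + s.getSession().getCipherSuite());
        }
    }
}
```

Run it with the same JRE the collector uses, since the enabled list depends on the Java version; pass a host name (and optionally a port) to test a server that has TLS 1.0 turned off.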
Looks like you were correct on that -- I added the parameter to the dtcollector.ini file, and restarted the collector, and I'm still seeing SSLPeerUnverifiedException (exception message: peer not authenticated) in the monitor. I do have the Disable certificate verification option selected.
Any other suggestions?
Still no luck so far. We did turn TLSv1.0 back on temporarily for our test URL and verified that the monitor works correctly (so it's not related to our SSL certificate; and we do have Disable certificate verification enabled).
We had recently upgraded to Dynatrace 6.2, and opened a support case to have JRE 1.8 supported (it's quite a simple operation, doesn't need a full Dynatrace replacement).
Once that was done, then we had no problem accessing the test site that only accepted TLS v1.1 and v1.2. So that's the solution I'd recommend for anyone on 6.2; may not be a viable solution for lower versions.
Hi, do we have a solution for the SSL error? I am running Dynatrace 6.5 with JRE8 on a Linux box.
Connection failed: DynaTraceHttpClientException: Exception was thrown while executing a HTTP request
Caused by: SSLException: Received fatal alert: close_notify
SSL handshake failed, this may be caused by an incorrect certificate. Check 'Disable certificate validation' parameter to override this.
I have "Disable certificate validation" and also added below option in .ini file and restarted collector