
This product reached the end of support date on March 31, 2021.

URL Monitor and TLS

gary_ansok
Participant

We're running Dynatrace 6.0, and using the URL Monitor plugin (on Windows 2008r2).

Recently our Web team attempted to disable TLS 1.0 for incoming HTTPS Web queries, and found that a number of monitors reported the host unreachable, although the sites were still reachable in a browser. They re-enabled TLS 1.0 and the incidents ended.

Is it a limitation of Dynatrace and/or the URL Monitor plugin that TLS 1.1 and 1.2 are not supported? If so, is there anything we can do to change this?

10 REPLIES

kristof_renders
Dynatrace Pro

Hi Gary,

From http://docs.oracle.com/javase/7/docs/technotes/gui...

Although SunJSSE in the Java SE 7 release supports TLS 1.1 and TLS 1.2, neither version is enabled by default for client connections. Some servers do not implement forward compatibility correctly and refuse to talk to TLS 1.1 or TLS 1.2 clients. For interoperability, SunJSSE does not enable TLS 1.1 or TLS 1.2 by default for client connections.

So I am guessing that our plugin (which is written in Java) does not have TLS 1.1 and 1.2 enabled.

If you have some development knowledge, you can easily alter the plugin to enable the support.

Do you have a public URL to test against?

KR,
Kristof

Thanks for the response. I do not have a public URL, since the change was reversed when they saw the effect on the monitors. (I did find a Java file at https://bugs.launchpad.net/ubuntu/+source/openjdk-7/+bug/1314113 that will display the supported and enabled SSL protocols.)

I do have some development experience, but not much with Java. From what I've found, JDK 8 has TLS 1.1 and 1.2 enabled by default, so if I can recompile the package using that, it might work (or there are options for JDK 7 compilation).

Hi Gary,

Dynatrace 6.2 is running on JRE 1.7. If you require a Dynatrace build with 1.8, please open a ticket to request it.

KR,
Kristof

I am told that for 1.7 the option that needs to be set is -Dhttps.protocols=TLSv1.1,TLSv1.2

Is this something that can be set in one of the Dynatrace config files? If so, which one?

I guess that it would be in the dtcollector.ini file in the Dynatrace installation directory for the collector that is running the plugin.

Btw, I am not sure if that would work as that parameter is related to HttpsURLConnection, whereas it looks like the plugin goes about it in a different way.
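
The distinction raised in this reply can be checked directly on the JVM that runs the collector: `https.protocols` is read by `HttpsURLConnection`, while a client that builds its own sockets gets whatever the `SSLContext` enables. The program below is an added example, not code from the thread or from the URL Monitor plugin; the class name `TlsClientProtocols` is hypothetical and it assumes the JVM's standard JSSE provider.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;

public class TlsClientProtocols {
    // Protocol versions an unconnected client socket from this context would offer.
    static String[] enabled(SSLContext ctx) throws Exception {
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket()) {
            return s.getEnabledProtocols();
        }
    }

    // Keep only the wanted versions this JVM supports; setEnabledProtocols()
    // throws IllegalArgumentException for a name the provider does not know.
    static String[] restrict(SSLSocket s, String... wanted) {
        List<String> keep = new ArrayList<>(Arrays.asList(wanted));
        keep.retainAll(Arrays.asList(s.getSupportedProtocols()));
        if (keep.isEmpty()) {
            throw new IllegalStateException("none of " + Arrays.toString(wanted) + " is supported");
        }
        s.setEnabledProtocols(keep.toArray(new String[0]));
        return s.getEnabledProtocols();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version    = " + System.getProperty("java.version"));
        // Read by HttpsURLConnection; code that creates its own SSLSocket ignores it.
        System.out.println("https.protocols = " + System.getProperty("https.protocols"));

        SSLContext def = SSLContext.getDefault();
        System.out.println("supported       = "
                + Arrays.toString(def.getSupportedSSLParameters().getProtocols()));
        System.out.println("default enabled = " + Arrays.toString(enabled(def)));

        // A context requested by name; compare its client defaults with the
        // default context's on the JVM under test.
        SSLContext tls12 = SSLContext.getInstance("TLSv1.2");
        tls12.init(null, null, null);
        System.out.println("TLSv1.2 context = " + Arrays.toString(enabled(tls12)));

        // Per-socket override: applies whatever the context defaults are.
        try (SSLSocket s = (SSLSocket) def.getSocketFactory().createSocket()) {
            System.out.println("restricted      = "
                    + Arrays.toString(restrict(s, "TLSv1.1", "TLSv1.2")));
        }
    }
}
```

Running it with and without `-Dhttps.protocols=TLSv1.1,TLSv1.2` shows that the "default enabled" line does not change, since the property does not alter the context's socket defaults.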

Looks like you were correct on that -- I added the parameter to the dtcollector.ini file, and restarted the collector, and I'm still seeing SSLPeerUnverifiedException (exception message: peer not authenticated) in the monitor. I do have the Disable certificate verification option selected.

Any other suggestions?

Still no luck so far. We did turn TLSv1.0 back on temporarily for our test URL and verified that the monitor works correctly (so it's not related to our SSL certificate; and we do have Disable certificate verification enabled).

gary_ansok
Participant

We had recently upgraded to Dynatrace 6.2, and opened a support case to have JRE 1.8 supported (it's quite a simple operation, doesn't need a full Dynatrace replacement).

Once that was done, then we had no problem accessing the test site that only accepted TLS v1.1 and v1.2. So that's the solution I'd recommend for anyone on 6.2; may not be a viable solution for lower versions.

aftab_alam
Organizer

Hi, do we have a solution for the SSL error? I am running Dynatrace 6.5 with JRE8 on a Linux box.

Connection failed: DynaTraceHttpClientException: Exception was thrown while executing a HTTP request
Caused by: SSLException: Received fatal alert: close_notify
SSL handshake failed, this may be caused by an incorrect certificate. Check 'Disable certificate validation' parameter to override this.

I have "Disable certificate validation" and also added the options below to the .ini file and restarted the collector:

-Ddeployment.security.TLSv1=true
-Dhttps.protocols=TLSv1