
This product reached the end of support date on March 31, 2021.

Does NAM Support TLS 1.3?

seehua_voon1
Participant

Hi, I would like to know if TLS 1.3 is a supported protocol for the SSL decode in NAM? If not, is there support planned for it?

seehua


8 REPLIES

Babar_Qayyum
Leader

Hello @See Hua V.

As per the documentation, the currently supported SSL versions are:


  • SSL 3.0
  • TLS 1.0
  • TLS 1.1
  • TLS 1.2

https://www.dynatrace.com/support/doc/nam/ssl-moni...

Regards,

Babar


Karolina_Linda
Community Team

Hi See,

TLS 1.3 will be supported in the next NAM release, planned for May 2019. Beta release is coming soon, at the end of January/beginning of February.

Best regards,

Karolina


Keep calm and build Community!


According to the SSL FAQ, by adding support do you mean that Dynatrace is only going to add awareness of the protocol? Or do you mean decrypt support is going to be added in as well? I've just seen an implementation of TLS 1.3 that does not use a DH key-exchange cipher (TLS_AES_128_GCM_SHA256, 128 bit keys, TLS 1.3), so I am wondering if decrypt support for it will be added as well.


I'm afraid with DH key-exchange we can only provide TLS 1.3 awareness, i.e. show handshakes as we currently do for non-decrypted TLS 1.2.

Also, due to certain protocol quirks in TLS 1.3, we already know that certain metrics will not be available. Full details will be available by the time we release NAM 2019 Beta at the end of Jan 2019.


It is my understanding that any non-Diffie-Hellman key exchange ciphers "in TLS 1.3" will actually be TLS 1.2 ciphers that will be 'discouraged but permitted' for backward compatibility, but all _true_ TLS 1.3 ciphers will use a Diffie-Hellman style key exchange, and therefore be impossible for listening agents to decrypt, necessitating an endpoint such as Frans S. referenced in his comment if actual operation analysis from a NAM Probe is specifically required.

-- Erik
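
The distinction discussed in the posts above (handshake awareness versus decryption), seen from a passive probe, as an added example that is not part of the original thread and not NAM code: it parses a captured ServerHello, reads the negotiated version from the `supported_versions` extension (a TLS 1.3 ServerHello still carries `0x0303` in its legacy version field), and reports whether the server's private key could decode the session. The function names are hypothetical, the sample records are constructed, and the RSA suite table is a small subset.

```python
import struct

# Static-RSA key-transport suites (IANA values); a small subset for illustration.
RSA_KEY_TRANSPORT = {0x002F, 0x0035, 0x003C, 0x003D, 0x009C, 0x009D}
EXT_SUPPORTED_VERSIONS = 43  # RFC 8446, section 4.2.1

def parse_server_hello(record: bytes):
    """Return (negotiated_version, cipher_suite) from a record holding a ServerHello."""
    try:
        if record[0] != 0x16 or record[5] != 0x02:
            raise ValueError("not a ServerHello handshake record")
        msg = record[9:9 + int.from_bytes(record[6:9], "big")]
        version = struct.unpack("!H", msg[0:2])[0]   # legacy_version, 0x0303 in TLS 1.3
        pos = 2 + 32                                  # skip version and random
        pos += 1 + msg[pos]                           # skip session id
        cipher = struct.unpack("!H", msg[pos:pos + 2])[0]
        pos += 3                                      # cipher suite + compression method
        if pos + 2 <= len(msg):                       # extensions are optional before 1.3
            end = min(len(msg), pos + 2 + struct.unpack("!H", msg[pos:pos + 2])[0])
            pos += 2
            while pos + 4 <= end:
                etype, elen = struct.unpack("!HH", msg[pos:pos + 4])
                if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
                    version = struct.unpack("!H", msg[pos + 4:pos + 6])[0]
                pos += 4 + elen
        return version, cipher
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ServerHello") from exc

def passive_decrypt_possible(record: bytes):
    """Return (bool, reason): can a probe holding the server RSA key decode this session?"""
    version, cipher = parse_server_hello(record)
    if version >= 0x0304:
        return False, "TLS 1.3: no RSA key transport, handshake awareness only"
    if cipher in RSA_KEY_TRANSPORT:
        return True, "RSA key transport: decodable with the server private key"
    return False, "not a static-RSA suite in this table (e.g. ephemeral DHE/ECDHE)"

def build_server_hello(cipher: int, extensions: bytes = b"") -> bytes:
    """Constructed sample: ServerHello with zeroed random and empty session id."""
    msg = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", cipher) + b"\x00"
    msg += struct.pack("!H", len(extensions)) + extensions
    hs = b"\x02" + len(msg).to_bytes(3, "big") + msg
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

# Constructed samples: TLS 1.3, TLS 1.2 with static RSA, TLS 1.2 with ECDHE.
TLS13 = build_server_hello(0x1301, struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, 0x0304))
TLS12_RSA = build_server_hello(0x009C)
TLS12_ECDHE = build_server_hello(0xC02F)
```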


Note that everybody should be aware that, once TLS 1.3 becomes the standard in client-server communication, any monitoring solution like AMD's will no longer be able to decode HTTPS/SSL traffic. Additional changes/hardware in the infrastructure will be required. Bottom line, you will have to measure from a (man-in-the-middle) point in the traffic path where the traffic is not SSL encoded.

More on that in this Ixia article:

https://www.ixiacom.com/company/blog/implications-tls-13-security-monitoring


travis_booth
Helper

My colleague and I will be presenting on this topic at Perform if any are interested.


Very! 🙂