This product reached the end of support date on March 31, 2021.

SHA1 encrypted traffic in DCRUM component communication

elvis_castelino
Dynatrace Organizer

We're looking to eliminate all SHA1 encrypted traffic in our infrastructure components. Does DCRUM use SHA1-based SSL certificates in communications between the DCRUM components?


cosmin_gherghel
Dynatrace Pro

Hi Elvis,

I configured the report servers to use sha256 encryption but by default it is configured to use sha1. Sha1 is also used for the RUM console and CSS. Not sure what the AMDs use though.

Hope that helps,

Cosmin

Thanks Cosmin. Are there any plans to move to SHA2 that you know of?

Elvis

I have not heard anything official, but I'm sure it is on someone's roadmap.

Cosmin

chris_v
Dynatrace Pro

In 12.3, the default SSL mode was changed to support TLS1.2 cipher suites (disabling older, less secure ones), so the CAS/ADS/RUMC/CSS will negotiate a TLS1.2 connection with your browser. I regularly see it using ECDHE/AES128/SHA256 session encryption.

The out of the box certificates* however are signed with SHA1. The signature algorithm used on the certificate has no bearing on the quality of the session encryption used.

*You should really be generating your own, not relying on the out of the box certificates.

For CAS and ADS the <install>/config/common.properties file allows you to modify the cipher suites it will negotiate.

This is the default in 12.3+. It will only negotiate a TLS connection (SSL2 and SSL3 are disabled), and due to the ordering of cipher suites it will pick the strongest one the browser supports.

connector.ssl.SSLProtocol=TLSv1+TLSv1.1+TLSv1.2
connector.ssl.SSLCipherSuite = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DH
connector.ssl.SSLHonorCipherOrder=on

@Chris Vidler Our security team wants to enforce a regulation that only TLS 1.2 is allowed in the production environment. Can I limit CAS/ADS/RUMC/CSS to TLS 1.2 only by editing common.properties?

Thanks

YC

chris_v
Dynatrace Pro

@Yc Ma, yes. Simply change the connector.ssl.SSLProtocol line to be only TLSv1.2, e.g.

connector.ssl.SSLProtocol=TLSv1.2

Restart the CAS after the change for it to take effect.
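The following is an added example, not code from Dynatrace or from anyone in this thread. It audits the two connector.ssl.* lines quoted above (the 12.3+ default and the TLS 1.2-only variant), which is the check the original question is really after: which protocol versions are still enabled, which suites in the OpenSSL-style cipher string still use HMAC-SHA1 for record integrity (the ones whose name ends in "-SHA"), and which lack forward secrecy. The "-SHA" suffix on a suite name is the session MAC and is a separate matter from the SHA1 signature on the out-of-the-box certificate, which this script does not inspect. The sample properties text is constructed from the values posted in the thread; the function and key names other than the connector.ssl.* keys are the example's own.

```python
"""Audit TLS protocol and cipher settings from a DCRUM-style common.properties snippet.

Added example (not Dynatrace code). Only the connector.ssl.* keys come from the
thread; everything else is this example's own naming.
"""

# Constructed sample: the 12.3+ default lines as posted, before the TLS 1.2-only change.
DEFAULT_12_3 = """
connector.ssl.SSLProtocol=TLSv1+TLSv1.1+TLSv1.2
connector.ssl.SSLCipherSuite = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DH
connector.ssl.SSLHonorCipherOrder=on
"""

# Constructed sample: the same file after applying the TLS 1.2-only change.
TLS12_ONLY = DEFAULT_12_3.replace(
    "connector.ssl.SSLProtocol=TLSv1+TLSv1.1+TLSv1.2",
    "connector.ssl.SSLProtocol=TLSv1.2",
)

# Protocol tokens that a "TLS 1.2 only" policy must not see enabled.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_properties(text):
    """Parse key=value lines; skips blanks and '#' comments, tolerates spaces around '='."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def enabled_protocols(props):
    """Split the '+'-joined SSLProtocol value into individual protocol tokens."""
    return [p for p in props.get("connector.ssl.SSLProtocol", "").split("+") if p]


def cipher_entries(props):
    """Split the ':'-joined OpenSSL cipher string into its raw entries."""
    return [c for c in props.get("connector.ssl.SSLCipherSuite", "").split(":") if c]


def named_suites(props):
    """Explicit suite names only: drops '!' exclusions and keyword groups such as kEDH+AESGCM."""
    return [c for c in cipher_entries(props) if not c.startswith("!") and "-" in c]


def sha1_mac_suites(props):
    """Suites ending in '-SHA' use HMAC-SHA1 as the record MAC (CBC suites with no SHA2 MAC)."""
    return [s for s in named_suites(props) if s.endswith("-SHA")]


def non_pfs_suites(props):
    """Suites without an ephemeral key exchange (no ECDHE-/DHE- prefix) give no forward secrecy."""
    return [s for s in named_suites(props) if not s.startswith(("ECDHE-", "DHE-"))]


def audit_tls_properties(text):
    """Return the findings a TLS-policy review would want from one properties snippet."""
    props = parse_properties(text)
    return {
        "legacy_protocols": [p for p in enabled_protocols(props) if p in LEGACY_PROTOCOLS],
        "sha1_mac_suites": sha1_mac_suites(props),
        "non_pfs_suites": non_pfs_suites(props),
        "excluded_groups": [c[1:] for c in cipher_entries(props) if c.startswith("!")],
        "honor_order": props.get("connector.ssl.SSLHonorCipherOrder") == "on",
    }


if __name__ == "__main__":
    for label, text in (("12.3 default", DEFAULT_12_3), ("TLS 1.2 only", TLS12_ONLY)):
        print(label)
        for key, value in audit_tls_properties(text).items():
            print(f"  {key}: {value}")
```

Run against the default lines it reports TLSv1 and TLSv1.1 as enabled and lists the four "-SHA" suites; after the TLSv1.2-only change the legacy protocol list is empty, but the four HMAC-SHA1 suites remain in the cipher string, so removing SHA1 from the session layer as well means trimming those entries separately from the protocol change.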