
SSL traffic mostly not decrypted.

I know this question has been asked before in the forum (the link below):

https://answers.dynatrace.com/questions/152538/tra...

But my case might be a little different; it is not that it doesn't work in the first place. Instead, suddenly the traffic is not getting decrypted anymore. The certificate will only expire in another month, so it isn't an expired SSL key.

My symptom is almost the same as the case above though, which is that in the RUM Console I can see most of the SSL errors belong to unsupported cipher, but I am not sure whether there was this high a percentage of unsupported cipher back when it was running fine.

On a side note, I looked at other HTTPS/SSL software services which have been running fine all this while, and they also seem to show quite a percentage of unsupported cipher.

The AMD is of version 12.3.7.

6 REPLIES

jean_louis_lorm
Dynatrace Pro

Hello

Unsupported cipher often means Diffie-Hellman (DH).

The cipher has probably changed, either after the web server migration or after an upgrade of all the browser versions.

Have a look at the SSL Decryption Troubleshooting Guide:

https://community.dynatrace.com/community/display/...

Regards,

JLL

If there is indeed a web server migration or a browser upgrade, the traffic should not be able to be decrypted anymore, I assume?

Or is there a possibility that sometimes, some of them can be decrypted?

Hello Wai,

As Jean-Louis stated above, in case the monitored traffic uses any of the Diffie-Hellman ciphers, it is not possible to decrypt the traffic by the AMD alone. If this is the case and you still see some of the individual clients' traffic being decrypted, this is likely due to users using older browser versions without support for DH (if the use of non-DH ciphers is supported at all).

Thank you guys, that did clear my doubt.

The upgrade of the AMD (as well as other DCRUM components) from 12.3 to 12.4 will be carried out soon; until then, let me see what else I can do. Thanks for the answers posted.

matthew_eisengr
Inactive

Wai,

As you push for a 12.4 upgrade, be sure to target the 12.4.10 release, as it introduced the ability to see what cipher is being chosen. This should clear up any doubt as to what client is using what cipher and if it is Diffie-Hellman or not.

Thanks Matt, I believe this feature would come in handy.
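Until the cipher is visible in the product, the same check can be made on captured handshakes. The sketch below is an added example, not part of the thread and not Dynatrace code: it reads the cipher suite the server selected from a TLS 1.2 ServerHello record and tallies RSA key exchange (decryptable with the server's private key) against DHE/ECDHE (not decryptable that way). The function names and the sample records are constructed for illustration; the suite IDs are a small subset of the IANA registry.

```python
import struct
from collections import Counter

# Subset of IANA TLS cipher suite IDs, enough for this demo.
SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

def chosen_suite(record: bytes) -> int:
    """Return the cipher suite ID the server selected in a ServerHello record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rlen]
    if ctype != 0x16 or len(body) < rlen or len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a complete ServerHello handshake record")
    off = 4 + 2 + 32              # handshake header, server_version, random
    if len(body) <= off:
        raise ValueError("truncated ServerHello")
    off += 1 + body[off]          # session_id length byte + session_id
    if len(body) < off + 2:
        raise ValueError("truncated ServerHello")
    return struct.unpack("!H", body[off:off + 2])[0]

def key_exchange(suite_id: int) -> str:
    """'RSA' (decryptable with the server key), 'DH' (not), or 'unknown'."""
    name = SUITES.get(suite_id)
    if name is None:
        return "unknown"
    # Every non-RSA entry in SUITES above is a DHE or ECDHE suite.
    return "RSA" if name.split("_WITH_")[0] == "TLS_RSA" else "DH"

def summarize(records) -> Counter:
    """Tally key-exchange types over captured ServerHello records."""
    return Counter(key_exchange(chosen_suite(r)) for r in records)

def build_server_hello(suite_id: int, session_id: bytes = b"") -> bytes:
    """Construct a minimal TLS 1.2 ServerHello record (sample input only)."""
    hello = (b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
             + struct.pack("!H", suite_id) + b"\x00")
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

# Constructed sample: one RSA session, two forward-secret (DH) sessions.
SAMPLE = [build_server_hello(0x002F), build_server_hello(0xC02F, b"\x01" * 32),
          build_server_hello(0x0033)]
print(summarize(SAMPLE))
```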