
Support for SSL cipher suites using SHA-2

yuri_v
Newcomer

In the light of discontinuing acceptance by browser of SHA-1 SSL certificates in 2017, what SHA-2 based ciphers suites will be supported by DC RUM? Currently, only a handful of ciphers at https://community.dynatrace.com/community/display/DCRUM123/SSL+Software+Support are showing as using SHA-2.


chris_v
Dynatrace Pro

The problem around support isn't SHA2, but the DH/EC ciphers used.

It's impossible to decrypt the Diffie-Hellman and Elliptic Curve ciphers from a device that isn't either the client or the server (the AMD of course doesn't fit here). Even with the private keys, it's impossible to reconstruct the session key from only the network traffic.

RSA is supported, as with the keys you can reconstruct the session key from only the network traffic.

yuri_v
Newcomer

Hi Chris,

Thank you for your answer.

DH aside, there are quite a few RSA/MD5 suites using the SHA algorithm (I assume it's SHA-1) currently decryptable by DC RUM.

What would happen once no more SHA-1 certificates are issued/accepted? Will the only decryptable ciphers remaining be AES128-SHA256 and AES256-SHA256, or am I misinterpreting something?

chris_v
Dynatrace Pro

The list of cipher suites is standardised here: http://www.iana.org/assignments/tls-parameters/tls...

Taking that list and removing the unsupported options leaves us with:

TLS_RSA_EXPORT_WITH_RC4_40_MD5
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384

Now there's a few extra there (the Camellia cipher).

But I think you may be confusing certificate requirements vs. actual session encryption. The usage of SHA1 signatures in certificates will be phased out; there's no mention of phasing out its usage for encryption of the session.

The AMD doesn't care about the certificate at all; it's not used in the decryption process, only the private key is. And as long as browsers/servers still negotiate SHA1 connections the above list will remain valid.
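The two points made in the replies above (only static-RSA key exchange can be decrypted from captured traffic with the server's private key, and the SHA/SHA256 suffix of a suite is its MAC/PRF hash, not the certificate's signature hash) can be checked mechanically against IANA suite names. This is an added example, not DC RUM code or anything from the thread; the `classify` and `passively_decryptable` helpers and the `SAMPLE` list are constructed here.

```python
import re

# IANA suite names have the shape TLS_<key exchange>_WITH_<bulk cipher>_<MAC/PRF hash>,
# e.g. TLS_RSA_WITH_AES_128_GCM_SHA256. The trailing hash is the record-layer
# MAC (or TLS 1.2 PRF), not the hash used to sign the server certificate.
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>[A-Z0-9_]+?)_WITH_(?P<cipher>[A-Z0-9_]+?)_(?P<mac>MD5|SHA|SHA256|SHA384)$"
)
MAC_NAMES = {"MD5": "MD5", "SHA": "SHA-1", "SHA256": "SHA-256", "SHA384": "SHA-384"}
WEAK_CIPHERS = ("RC4", "RC2", "DES_", "DES40", "NULL")


def classify(suite):
    """Describe one cipher suite name (hypothetical helper, not a DC RUM API)."""
    m = SUITE_RE.match(suite)
    if not m:
        raise ValueError("unrecognised cipher suite name: " + suite)
    kx, cipher, mac = m.group("kx"), m.group("cipher"), m.group("mac")
    return {
        "suite": suite,
        "key_exchange": kx,
        "cipher": cipher,
        "mac_hash": MAC_NAMES[mac],
        # RSA-family key exchange: the client encrypts the premaster secret to
        # the server's public key, so the private key holder can recover it
        # from the capture. (EC)DHE derives it from ephemeral values instead,
        # which is why those suites are absent from the list in the reply above.
        "passive_decrypt_with_server_key": kx in ("RSA", "RSA_EXPORT"),
        "forward_secrecy": kx.startswith(("DHE", "ECDHE")),
        "weak": kx.endswith("EXPORT") or cipher.startswith(WEAK_CIPHERS),
    }


def passively_decryptable(suites):
    """Keep only the suites an observer holding the server RSA key can decrypt."""
    return [s for s in suites if classify(s)["passive_decrypt_with_server_key"]]


# Constructed sample: two suites from the list above plus two (EC)DHE suites
# that modern browsers prefer, to show the contrast.
SAMPLE = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
]

if __name__ == "__main__":
    for s in SAMPLE:
        i = classify(s)
        print(f"{s:40} kx={i['key_exchange']:10} mac={i['mac_hash']:8} "
              f"passive={i['passive_decrypt_with_server_key']} fs={i['forward_secrecy']}")
```

Running it shows that a SHA-1 suite such as TLS_RSA_WITH_AES_128_CBC_SHA stays decryptable for the appliance regardless of the certificate's signature hash, while any ECDHE/DHE suite is not, whichever hash it ends in.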

yuri_v
Newcomer

Chris, thank you for the additional list and explanation.