In the light of discontinuing acceptance by browser of SHA-1 SSL certificates in 2017, what SHA-2 based ciphers suites will be supported by DC RUM? Currently, only a handful of ciphers at https://community.dynatrace.com/community/display/DCRUM123/SSL+Software+Support are showing as using SHA-2.
Solved! Go to Solution.
The problem around support isn't SHA2, but the DH/EC ciphers used.
It's impossible to decrypt the Diffie Helman and Eliptic Curve ciphers from a device that isn't either the client or the server (the AMD of course doesn't fit here). Even with the private keys, it's impossible to reconstruct the session key from only the network traffic.
RSA is supported, as with the keys you can reconstruct the session key from only the network traffic.
thank you for your answer.
there are quite a few RSA/MD5 suites using SHA algorithm (I assume it's SHA-1) currently decryptable by DC RUM.
What would happen once no more SHA-1 certificates are issued/accepted - the only decryptable ciphers will remain
AES128-SHA256 and AES256-SHA256 ? or am I misinterpreting something?
The list of cipher suites is standardised here: http://www.iana.org/assignments/tls-parameters/tls...
Taking that list and removing the unsupported options leaves us with:
Now there's a few extra there (the Camellia cipher).
But I think you may be confusing certificate requires vs. actual session encryption. The usage of SHA1 signatures in certificates will be phased out, there's no mention of phasing out it's usage for encryption of the session.
The AMD doesn't care about the certificate at all, it's not used in the decryption process, only the private key is. And as long as browsers/server still negotiate SHA1 connections the above list will remain valid.