
Unsupported feature (Cipher). Unsupported cipher or wrong key or configuration?

Hello,

We have a strange situation. There is a defined Software service that is working over HTTPS. The customer provided the SSL key from the server, but we see the following situation on the RUM Console:

But with this big number of errors we still see a lot of users, though surely not every one of them:

For some users that are using the applications we only see the IP address without any operational data:

The key was exported using the following command:

openssl genrsa -des3 -out server.key 1024

And the ssl config on server is:

<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLCertificateFile custom/cert/sd_rt_ru.crt
SSLCertificateKeyFile custom/cert/sd_rt_ru.pem
SSLProtocol all -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5
SSLOptions +StrictRequire
</IfModule>

So, I would like to know if the cipher is not supported by the AMD or if there is something wrong with the key or configuration.

RHEL 5, v.12.3.7

Thanks,

9 REPLIES 9

raffaele_talari
Inactive

Hi Alexander,

to see which ciphers are currently detected in your traffic and possibly not decrypted use the following command from the AMD terminal:

rcmd show ssldecr status

With that command you can check the status of your SSL traffic decryption, while with the following command:

rcmd show ssldecr ciphers

you'll have the list of the currently detected ciphers with a check if they're supported or not.

Please take a look at this page where you have the complete list of supported SSL ciphers for DCRUM 12.3:

https://community.dynatrace.com/community/display/...

(my guess is that you're using any of the DiffieHellman ciphers, in that case read this: https://community.dynatrace.com/community/pages/vi...)

Two additional really helpful commands are:

rcmd show ssldecr keys

and

rcmd show ssldecr servers

that will give you the status of the currently recognized keys and SSL servers.

Hope it helped you.

Ciao, Raffaele

You can also check the SSL Troubleshooting Guide

Keep calm and build Community!

Hi Raffaele,

Thanks for your reply. I have no deep knowledge about SSL decryption, but here are the results I could see with the commands you provided:

 rcmd show ssldecr status
SSL DECRYPTION STATUS:
CONFIGURATION: Engine:openssl(thread) status:OK
Keys recognized=2 not recognized=0
Engine states: blocked=0, initializations=1
SESSIONS:
Total number of sessions=4697341 (inProgress=211 Finished=4697130)
SSL protocol version breakdown per number of sessions:
supported versions: ssl3.0=7 tls1.0=2866174 tls1.1=10625 tls1.2=1790803
unsupported versions: ssl2.0=0 other versions=0 no version info=29727
Long handshakes=101474 Short handshakes=2130674 Compressed sessions=0 SessionTkt reused=16 SessionId reused=4259941
Finished sessions decrypted with no errors=2229123 (47% of all finished sessions)
Sessions in progress decrypting with no errors=203 (96% of all sessions in progress)
Finished sessions decrypted partially=56 (0% of all finished sessions)
with a packet lost during payload data exchange=56
with a corrupted payload data packet=0
with decryption failed during payload data exchange=0
terminated by alert during payload data exchange=0
Finished sessions not decrypted=2467927 (52% of all finished sessions)
with no private key found=34 (new sessions=34 reused sessions=0)
with a packet lost during handshake=10 (new sessions=10 reused sessions=0)
with a corrupted handshake packet or incorrect handshake sequence=6 (new sessions=6 reused sessions=0)
with decryption broken during handshake=0 (new sessions=0 reused sessions=0)
with unsupported SSL version=0 (ssl2.0=0 otherVersions=0)
with unsupported SSL feature=2435461 (unsupported cipher=2435461 server key exchange=0)
with compression errors=0 (unsupported compression=0, cannot decompress control records=0 data records=0)
with RSA decryption failed=0, RSA invocations blocked=0 (new sessions=0 reused sessions=0)
reused sessions with no matching master session seen before=109
with incomplete SSL handshake=1509 (new sessions=1509 reused sessions=0)
closed without data=29626
with invalid 'Hello' packet client=0, server=0
terminated by alert during handshake=31
reuse errors when PMS identified with session id=102, with session ticket=0
session not seen from the beginning=19
with other errors=1122
Supplemental Data detected, server=0 client=0
CERTIFICATES:
total server-certificate pairs=5
parsed properly=5 (matched=3 matching failed=2 not used=0)
parsing errors=0 (decode=0 extract=0 RSAerror=0)
RSA DECRYPTOR INTERNAL DIAGNOSTICS:
init/init errors (i=)100124/0
finalize/finalize errors (f=)100124/0
cancel/cancel errors (c=)0/0
parallel curr/avg/max (p=)0/1/6
find key for cert init/fini/cancel/matched(f=)4/4/0/2
decryption finalize timeout=0
PMS CACHE INTERNAL DIAGNOSTICS:
entries added (a=)141035 (asInitialized=100115 asUninitialized=11 withErrorCode=40909)
entries changed (c=)117 (toInitialized=8 toUninitialized=0 toError=109)
entries deleted (d=)133117
total entries in cache (n=)9818
SESSIONS ON HOLD DIAGNOSTICS:
total: 12 max: 3 current: 0
PMS found: 5 not found: 7


 rcmd show ssldecr ciphers
SSL cipher-suites status:
+ SSL3-RSA-RSA-NONE-0-MD5 id=01 kex=RSA sig=RSA enc=NONE dig=MD5 lib-supp=Y ref=0
+ SSL3-RSA-RSA-NONE-0-SHA id=02 kex=RSA sig=RSA enc=NONE dig=SHA lib-supp=Y ref=0
* SSL3-RSA_EXP-RSA-RC4-40-MD5 id=03 kex=RSA_EXP sig=RSA enc=RC4 dig=MD5 lib-supp=Y ref=0
+ SSL3-RSA-RSA-RC4-128-MD5 id=04 kex=RSA sig=RSA enc=RC4 dig=MD5 lib-supp=Y ref=1
+ SSL3-RSA-RSA-RC4-128-SHA id=05 kex=RSA sig=RSA enc=RC4 dig=SHA lib-supp=Y ref=0
- SSL3-RSA_EXP-RSA-RC2-40-SHA id=06 kex=RSA_EXP sig=RSA enc=RC2 dig=SHA lib-supp=Y ref=0
- SSL3-RSA-RSA-IDEA-128-SHA id=07 kex=RSA sig=RSA enc=IDEA dig=SHA lib-supp=N ref=0
* SSL3-RSA_EXP-RSA-DES-40-SHA id=08 kex=RSA_EXP sig=RSA enc=DES dig=SHA lib-supp=Y ref=0
+ SSL3-RSA-RSA-DES-56-SHA id=09 kex=RSA sig=RSA enc=DES dig=SHA lib-supp=Y ref=0
+ SSL3-RSA-RSA-DES3-168-SHA id=0A kex=RSA sig=RSA enc=DES3 dig=SHA lib-supp=Y ref=461532
- SSL3-DH-DSS-DES-40-SHA id=0B kex=DH sig=DSS enc=DES dig=SHA lib-supp=Y ref=0
- SSL3-DH-DSS-DES-56-SHA id=0C kex=DH sig=DSS enc=DES dig=SHA lib-supp=Y ref=0
- SSL3-DH-DSS-DES3-168-SHA id=0D kex=DH sig=DSS enc=DES3 dig=SHA lib-supp=Y ref=0
- SSL3-DH-RSA-DES-40-SHA id=0E kex=DH sig=RSA enc=DES dig=SHA lib-supp=Y ref=0
- SSL3-DH-RSA-DES-56-SHA id=0F kex=DH sig=RSA enc=DES dig=SHA lib-supp=Y ref=0
- SSL3-DH-RSA-DES3-168-SHA id=10 kex=DH sig=RSA enc=DES3 dig=SHA lib-supp=Y ref=0
- SSL3-DH-DSS-DES-40-SHA id=11 kex=DH sig=DSS enc=DES dig=SHA lib-supp=Y ref=0
- SSL3-DH-DSS-DES-56-SHA id=12 kex=DH sig=DSS enc=DES dig=SHA lib-supp=Y ref=0
- SSL3-DH-DSS-DES3-168-SHA id=13 kex=DH sig=DSS enc=DES3 dig=SHA lib-supp=Y ref=0
- SSL3-DH-RSA-DES-40-SHA id=14 kex=DH sig=RSA enc=DES dig=SHA lib-supp=Y ref=0
- SSL3-DH-RSA-DES-56-SHA id=15 kex=DH sig=RSA enc=DES dig=SHA lib-supp=Y ref=0
- SSL3-DH-RSA-DES3-168-SHA id=16 kex=DH sig=RSA enc=DES3 dig=SHA lib-supp=Y ref=3
- SSL3-DH-NONE-RC4-40-MD5 id=17 kex=DH sig=NONE enc=RC4 dig=MD5 lib-supp=Y ref=0
- SSL3-DH-NONE-RC4-128-MD5 id=18 kex=DH sig=NONE enc=RC4 dig=MD5 lib-supp=Y ref=0
- SSL3-DH-NONE-DES-40-MD5 id=19 kex=DH sig=NONE enc=DES dig=MD5 lib-supp=Y ref=0
- SSL3-DH-NONE-DES-56-MD5 id=1A kex=DH sig=NONE enc=DES dig=MD5 lib-supp=Y ref=0
- SSL3-DH-NONE-DES3-168-MD5 id=1B kex=DH sig=NONE enc=DES3 dig=MD5 lib-supp=Y ref=0
+ TLS1.0-RSA-RSA-AES-128-CBC-128-SHA id=2F kex=RSA sig=RSA enc=AES-128-CBC dig=SHA lib-supp=Y ref=1611829
- TLS1.0-DH-DSS-AES-128-CBC-128-MD5 id=30 kex=DH sig=DSS enc=AES-128-CBC dig=MD5 lib-supp=Y ref=0
- TLS1.0-DH-RSA-AES-128-CBC-128-MD5 id=31 kex=DH sig=RSA enc=AES-128-CBC dig=MD5 lib-supp=Y ref=0
- TLS1.0-DH-DSS-AES-128-CBC-128-MD5 id=32 kex=DH sig=DSS enc=AES-128-CBC dig=MD5 lib-supp=Y ref=0
- TLS1.0-DH-RSA-AES-128-CBC-128-MD5 id=33 kex=DH sig=RSA enc=AES-128-CBC dig=MD5 lib-supp=Y ref=2819
- TLS1.0-DH-RSA-AES-128-CBC-128-MD5 id=34 kex=DH sig=RSA enc=AES-128-CBC dig=MD5 lib-supp=Y ref=0
+ TLS1.0-RSA-RSA-AES-256-CBC-256-SHA id=35 kex=RSA sig=RSA enc=AES-256-CBC dig=SHA lib-supp=Y ref=18495
- TLS1.0-DH-DSS-AES-256-CBC-256-MD5 id=36 kex=DH sig=DSS enc=AES-256-CBC dig=MD5 lib-supp=Y ref=0
- TLS1.0-DH-RSA-AES-256-CBC-256-MD5 id=37 kex=DH sig=RSA enc=AES-256-CBC dig=MD5 lib-supp=Y ref=0
- TLS1.0-DH-DSS-AES-256-CBC-256-MD5 id=38 kex=DH sig=DSS enc=AES-256-CBC dig=MD5 lib-supp=Y ref=0
- TLS1.0-DH-RSA-AES-256-CBC-256-MD5 id=39 kex=DH sig=RSA enc=AES-256-CBC dig=MD5 lib-supp=Y ref=1911
- TLS1.0-DH-RSA-AES-256-CBC-256-MD5 id=3A kex=DH sig=RSA enc=AES-256-CBC dig=MD5 lib-supp=Y ref=0
+ TLS1.2-RSA-RSA-NONE-0-SHA256 id=3B kex=RSA sig=RSA enc=NONE dig=SHA256 lib-supp=Y ref=0
+ TLS1.2-RSA-RSA-AES-128-CBC-128-SHA256 id=3C kex=RSA sig=RSA enc=AES-128-CBC dig=SHA256 lib-supp=Y ref=141183
+ TLS1.2-RSA-RSA-AES-256-CBC-256-SHA256 id=3D kex=RSA sig=RSA enc=AES-256-CBC dig=SHA256 lib-supp=Y ref=302
- TLS1.2-DH-DSS-AES-128-CBC-128-SHA256 id=3E kex=DH sig=DSS enc=AES-128-CBC dig=SHA256 lib-supp=Y ref=0
- TLS1.2-DH-RSA-AES-128-CBC-128-SHA256 id=3F kex=DH sig=RSA enc=AES-128-CBC dig=SHA256 lib-supp=Y ref=0
- TLS1.2-DH-DSS-AES-128-CBC-128-SHA256 id=40 kex=DH sig=DSS enc=AES-128-CBC dig=SHA256 lib-supp=Y ref=0
- TLS1.0-RSA-RSA-CAMELLIA-128-CBC-128-SHA id=41 kex=RSA sig=RSA enc=CAMELLIA-128-CBC dig=SHA lib-supp=N ref=0
- TLS1.0-DH-DSS-CAMELLIA-128-CBC-128-SHA id=42 kex=DH sig=DSS enc=CAMELLIA-128-CBC dig=SHA lib-supp=N ref=0
- TLS1.0-DH-RSA-CAMELLIA-128-CBC-128-SHA id=43 kex=DH sig=RSA enc=CAMELLIA-128-CBC dig=SHA lib-supp=N ref=0
- TLS1.0-DH-DSS-CAMELLIA-128-CBC-128-SHA id=44 kex=DH sig=DSS enc=CAMELLIA-128-CBC dig=SHA lib-supp=N ref=0
- TLS1.0-DH-RSA-CAMELLIA-128-CBC-128-SHA id=45 kex=DH sig=RSA enc=CAMELLIA-128-CBC dig=SHA lib-supp=N ref=0
- TLS1.0-DH-NONE-CAMELLIA-128-CBC-128-SHA id=46 kex=DH sig=NONE enc=CAMELLIA-128-CBC dig=SHA lib-supp=N ref=0
* TLS1.0-RSA_EXP-RSA-RC4-56-MD5 id=60 kex=RSA_EXP sig=RSA enc=RC4 dig=MD5 lib-supp=Y ref=0
- TLS1.0-RSA_EXP-RSA-RC2-56-MD5 id=61 kex=RSA_EXP sig=RSA enc=RC2 dig=MD5 lib-supp=Y ref=0
* TLS1.0-RSA_EXP-RSA-DES-56-SHA id=62 kex=RSA_EXP sig=RSA enc=DES dig=SHA lib-supp=Y ref=0
- TLS1.0-DH-DSS-DES-56-SHA id=63 kex=DH sig=DSS enc=DES dig=SHA lib-supp=Y ref=0
* TLS1.0-RSA_EXP-RSA-RC4-56-SHA id=64 kex=RSA_EXP sig=RSA enc=RC4 dig=SHA lib-supp=Y ref=0
- TLS1.0-DH-DSS-RC2-56-SHA id=65 kex=DH sig=DSS enc=RC2 dig=SHA lib-supp=Y ref=0
- TLS1.0-DH-DSS-RC4-128-SHA id=66 kex=DH sig=DSS enc=RC4 dig=SHA lib-supp=Y ref=0
- TLS1.2-DH-RSA-AES-128-CBC-128-SHA256 id=67 kex=DH sig=RSA enc=AES-128-CBC dig=SHA256 lib-supp=Y ref=0
- TLS1.2-DH-DSS-AES-256-CBC-256-SHA256 id=68 kex=DH sig=DSS enc=AES-256-CBC dig=SHA256 lib-supp=Y ref=0
- TLS1.2-DH-RSA-AES-256-CBC-256-SHA256 id=69 kex=DH sig=RSA enc=AES-256-CBC dig=SHA256 lib-supp=Y ref=0
- TLS1.2-DH-DSS-AES-256-CBC-256-SHA256 id=6A kex=DH sig=DSS enc=AES-256-CBC dig=SHA256 lib-supp=Y ref=0
- TLS1.2-DH-RSA-AES-256-CBC-256-SHA256 id=6B kex=DH sig=RSA enc=AES-256-CBC dig=SHA256 lib-supp=Y ref=40
- TLS1.2-DH-NONE-AES-128-CBC-128-SHA256 id=6C kex=DH sig=NONE enc=AES-128-CBC dig=SHA256 lib-supp=Y ref=0
- TLS1.2-DH-NONE-AES-256-CBC-256-SHA256 id=6D kex=DH sig=NONE enc=AES-256-CBC dig=SHA256 lib-supp=Y ref=0
- TLS1.0-RSA-RSA-CAMELLIA-256-CBC-256-SHA id=84 kex=RSA sig=RSA enc=CAMELLIA-256-CBC dig=SHA lib-supp=N ref=0
- TLS1.0-DH-DSS-CAMELLIA-256-CBC-256-SHA id=85 kex=DH sig=DSS enc=CAMELLIA-256-CBC dig=SHA lib-supp=N ref=0
- TLS1.0-DH-RSA-CAMELLIA-256-CBC-256-SHA id=86 kex=DH sig=RSA enc=CAMELLIA-256-CBC dig=SHA lib-supp=N ref=0
- TLS1.0-DH-DSS-CAMELLIA-256-CBC-256-SHA id=87 kex=DH sig=DSS enc=CAMELLIA-256-CBC dig=SHA lib-supp=N ref=0
- TLS1.0-DH-RSA-CAMELLIA-256-CBC-256-SHA id=88 kex=DH sig=RSA enc=CAMELLIA-256-CBC dig=SHA lib-supp=N ref=298
- TLS1.0-DH-NONE-CAMELLIA-256-CBC-256-SHA id=89 kex=DH sig=NONE enc=CAMELLIA-256-CBC dig=SHA lib-supp=N ref=0
- TLS1.0-RSA-RSA-SEED-CBC-128-SHA id=96 kex=RSA sig=RSA enc=SEED-CBC dig=SHA lib-supp=N ref=0
- TLS1.0-DH-DSS-SEED-CBC-128-SHA id=97 kex=DH sig=DSS enc=SEED-CBC dig=SHA lib-supp=N ref=0
- TLS1.0-DH-RSA-SEED-CBC-128-SHA id=98 kex=DH sig=RSA enc=SEED-CBC dig=SHA lib-supp=N ref=0
- TLS1.0-DH-DSS-SEED-CBC-128-SHA id=99 kex=DH sig=DSS enc=SEED-CBC dig=SHA lib-supp=N ref=0
- TLS1.0-DH-RSA-SEED-CBC-128-SHA id=9A kex=DH sig=RSA enc=SEED-CBC dig=SHA lib-supp=N ref=0
- TLS1.0-DH-NONE-SEED-CBC-128-SHA id=9B kex=DH sig=NONE enc=SEED-CBC dig=SHA lib-supp=N ref=0
- TLS1.2-RSA-RSA-aes-128-gcm-128-SHA256 id=9C kex=RSA sig=RSA enc=aes-128-gcm dig=SHA256 lib-supp=N ref=1661
- TLS1.2-RSA-RSA-aes-256-gcm-256-SHA384 id=9D kex=RSA sig=RSA enc=aes-256-gcm dig=SHA384 lib-supp=N ref=8
ignored cipher-suites:
C013:7500
C014:794929
009E:10318
009F:1918
C028:693445
C02F:913595
C030:11251

 rcmd show ssldecr keys
Configuration of SSL private keys:
<key: app.key, type: file, size: 2048, status: OK (matched)>
<key: sd_rt_ru.pem, type: file, size: 1024, status: OK (matched)>
Keys total: 2, ok: 2, failed: 0, matched: 2


rcmd show ssldecr servers
Configuration for SSL servers:
<server: **.**.1.191(25), certs seen: 1, keys used: 0, status: key(s) missing>
<cert: [/DC=ru/DC=rt/DC=ks/CN=Computers/CN=*********] sent: 33, key: ?> cert sessions seen: 33
<server: **.**.16.151(443), certs seen: 1, keys used: 1, status: key(s) found>
<cert: [/C=RU/ST=Msk/L=Msk/O=RT/OU=********/CN=sd.**.**/emailAddress=sm_admin@**.**] sent: 31705, key: sd_rt_ru.pem> cert sessions seen: 31705
<server: **.*.10.140(443), certs seen: 1, keys used: 1, status: key(s) found>
<cert: [/C=RU/ST=MSK/L=MOSCOW/O=*******/OU=IT /CN=*.**.**/emailAddress=support@**.**] sent: 68752, key: app.key> cert sessions seen: 33099
<server: **.*.10.78(25), certs seen: 1, keys used: 0, status: key(s) missing>
<cert: [/C=RU/ST=Moscow/L=Moscow/O=PJSC ********/OU=IT Department/CN=mail.********.**] sent: 1, key: ?> cert sessions seen: 1
<server: 10.2.10.141(443), certs seen: 1, keys used: 1, status: key(s) found>
<cert: [/C=RU/ST=MSK/L=MOSCOW/O=*********/OU=IT /CN=*.**.**/emailAddress=support@**.**] sent: 68752, key: app.key> cert sessions seen: 35653
Servers total: 5, keys required: 5, keys found: 3, keys missing: 2


Is ref= equal to the number of sessions we get using different ciphers?

How can I know if it is Diffie-Hellman ciphers? It's strange for me that we see part of the sessions decrypted, and the other part not...

Hi Alexander,

from the first command you've executed you can see that you have many ssl sessions not decrypted due to unsupported SSL ciphers:

with unsupported SSL feature=2435461(unsupported cipher=2435461 server key exchange=0)

from the second command you can see the list of unsupported ciphers, marked with the initial "-" character. If you see a number different from 0 in the ref field at the end of the line, there are SSL sessions recognized for that unsupported cipher. In your case you have several different unsupported ciphers and some ciphers not recognized by Dynatrace. Please check the list in order to troubleshoot it.

To know if it is a Diffie-Hellman cipher, check if the name contains the characters DH. Whenever there's DH, you're sure it's a Diffie-Hellman cipher. (Check also ECDHE and ECDH.)

Ciao, Raffaele

chris_v
Dynatrace Pro

From your output of SHOW SSLDECR CIPHERS.

The ref count is exactly what you suspect: the number of sessions seen with that cipher suite in use.

There's a lot there with supported ciphers - why you are seeing data in the CAS.

But there's also a lot there with unsupported or unknown ciphers - why you're seeing so many errors as well.

See the "ignored cipher suites" list at the bottom: they are all in use, but unsupported by the AMD.

The cipher suite name tells you which ones have Diffie-Hellman (DH / DHE) or Elliptic Curve (ECDHE / ECDH) in them, which we can't support.

I also note you're running RHEL5. The openssl support on RHEL5 is VERY old and you'll be missing out on ciphers we could support with a newer platform (RHEL6). It won't fix any Diffie-Hellman or Elliptic Curve ciphers (that's mathematically impossible to decode from an on-the-wire point like the AMD).

ulf_thornander3
Inactive

If you have DH in the network, you can always consider moving your capture point behind the point where the key is managed (Firewall or Loadbalancer?)

And don't forget you need to see the start of the session so if you have very long running sessions, you will still not see anything until they do a new handshake.

Hi All,

Thanks for the reply, but I'm still a little confused.

We have on the AMD a copy of traffic from one of the main Cisco network devices, so we have some traffic that we don't need to monitor. In this traffic there are probably encrypted sessions that come with the span we need to monitor.

The question now is about 1 unique server, which is a load balancer for an application. The client exported the key, but we don't see part of the users. Is it possible that different groups of users can use different ciphers with one SSL key when they access the applications?

Using "rcmd show ssldecr ciphers", as I understand, we see ciphers from all traffic we see on the AMD. Can we filter by IP or Software Service?

Should I try to pass this traffic to another AMD with RHEL 6, or will it not help?

@Ulf,

It is a load balancer before entering the Virtual Environment. For now there is no possibility to get traffic from inside.

@Raffaele,

I did a sum of ref= for the lines with "-" from "rcmd show ssldecr ciphers" and I don't get such big numbers. The biggest are these three, but they are with "+":

+ SSL3-RSA-RSA-DES3-168-SHA id=0A kex=RSA sig=RSA enc=DES3 dig=SHA lib-supp=Y ref=461532

+ TLS1.2-RSA-RSA-AES-128-CBC-128-SHA256 id=3C kex=RSA sig=RSA enc=AES-128-CBC dig=SHA256 lib-supp=Y ref=141183

+ TLS1.0-RSA-RSA-AES-128-CBC-128-SHA id=2F kex=RSA sig=RSA enc=AES-128-CBC dig=SHA lib-supp=Y ref=1611829

Hi Alexander,

you're right about the ref sum of the unsupported ciphers but consider the big numbers of the ignored ciphers:

  1. C013:7500
  2. C014:794929
  3. 009E:10318
  4. 009F:1918
  5. C028:693445
  6. C02F:913595
  7. C030:11251

The number right after the semicolon is the equivalent of the ref count.

Here you'll find some of the ignored ciphers specs:

https://cc.dcsec.uni-hannover.de/

Hope it helps.

Ciao, Raffaele
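
The per-cipher tally discussed in the replies above, as an added example (not part of the original thread and not Dynatrace tooling): it parses `rcmd show ssldecr ciphers` output, sums the ref counts per marker and key exchange, and resolves the ignored suite IDs to their IANA registry names to read off the key exchange. The function names, the `MARKERS` labels for "+" and "*", and the shortened sample are assumptions made for the example.

```python
import re
from collections import Counter

# IANA registry names for the IDs in the thread's "ignored cipher-suites" list.
IANA_NAMES = {
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0x009F: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
# Assumed labels for the leading marker; the thread only explains "-".
MARKERS = {"+": "supported", "-": "unsupported", "*": "other"}
SUITE_RE = re.compile(r"^([+*-]) \S+ id=[0-9A-Fa-f]+ kex=(\S+) .*\bref=(\d+)$")
IGNORED_RE = re.compile(r"^([0-9A-Fa-f]{4}):(\d+)$")

# Sample input: a few lines taken from the output posted in the thread.
SAMPLE = """\
+ TLS1.0-RSA-RSA-AES-128-CBC-128-SHA id=2F kex=RSA sig=RSA enc=AES-128-CBC dig=SHA lib-supp=Y ref=1611829
- TLS1.0-DH-RSA-AES-128-CBC-128-MD5 id=33 kex=DH sig=RSA enc=AES-128-CBC dig=MD5 lib-supp=Y ref=2819
- TLS1.2-RSA-RSA-aes-128-gcm-128-SHA256 id=9C kex=RSA sig=RSA enc=aes-128-gcm dig=SHA256 lib-supp=N ref=1661
ignored cipher-suites:
C014:794929
009E:10318
C02F:913595
"""

def summarize(text):
    """Return Counter {(status, key exchange): sessions} for one ciphers dump."""
    tally = Counter()
    for raw in text.splitlines():
        line = raw.strip()
        suite = SUITE_RE.match(line)
        ignored = IGNORED_RE.match(line)
        if suite:
            marker, kex, ref = suite.groups()
            tally[(MARKERS[marker], kex)] += int(ref)
        elif ignored:
            name = IANA_NAMES.get(int(ignored.group(1), 16))
            # TLS_<kex>_<auth>_WITH_...: the second token is the key exchange.
            kex = name.split("_")[1] if name else "unknown"
            tally[("ignored", kex)] += int(ignored.group(2))
    return tally

def dh_sessions(tally):
    """Sessions negotiated with DH, DHE, ECDH or ECDHE key exchange."""
    return sum(n for (_, kex), n in tally.items() if "DH" in kex)

if __name__ == "__main__":
    result = summarize(SAMPLE)
    for (status, kex), sessions in sorted(result.items()):
        print(f"{status:12} kex={kex:6} sessions={sessions}")
    print("DH-family key exchange:", dh_sessions(result))
```

All seven ignored IDs from the thread resolve to DHE or ECDHE suites, so running this over the full output shows how much of the "unsupported cipher" count comes from that list rather than from the "-" lines.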

Another link with (even some more) Cipher suite definitions:

http://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.gska100/csdcwh.htm