TIM shows SSL decode failures for TLS 1.x packets which use the "Extended Master Secret" extension, and the TIM log contains the message "Block size greater than Plaintext!"

Document ID:  TEC1926892
Last Modified Date:  07/18/2017

Products

  • CA Application Performance Management

Releases

  • CA Application Performance Management:Release:10.5
  • CA Application Performance Management:Release:10.3
  • CA Application Performance Management:Release:10.2
  • CA Application Performance Management:Release:10.1
  • CA Application Performance Management:Release:10.0
  • CA Application Performance Management:Release:9.7
  • CA Application Performance Management:Release:CA APM 9.7
  • CA Application Performance Management:Release:9.6.1
  • CA Application Performance Management:Release:9.6

Components

  • CUSTOMER EXPERIENCE MANAGER:APMCM
Symptoms:

The TIM shows SSL decode failures for TLS 1.x traffic that has the "Extended Master Secret" TLS extension enabled, and the TIM log contains the message "Block size greater than Plaintext!". Research shows:

Environment:
APM TIM 9.x, 10.x
Cause:

The TIM does not support the Extended Master Secret (EMS) extension (RFC 7627), so it cannot decode sessions that negotiate it. Typical configurations that enable the extension are:

1. Microsoft IIS web servers are in use and Microsoft security update 3081320 has been applied, which enables the Extended Master Secret extension for all TLS versions. See Microsoft Security Bulletin MS15-121 - Important: Security Update for Schannel to Address Spoofing (3081320).

2. An F5 load balancer is in use with Extended Master Secret enabled.
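To confirm that EMS is the cause for a given session, the following script (an added example, not part of the original document or the TIM product) parses a TLS ServerHello record and reports whether the server agreed to the extended_master_secret extension (type 0x0017, RFC 7627). The ServerHello it checks is constructed inline for the demonstration rather than taken from a real capture.

```python
import struct

HANDSHAKE = 0x16
CLIENT_HELLO, SERVER_HELLO = 1, 2
EXTENDED_MASTER_SECRET = 0x0017   # extension type registered by RFC 7627

def parse_hello_extensions(record: bytes) -> dict:
    """Return {extension_type: data} from a TLS record carrying a ClientHello or ServerHello."""
    if len(record) < 9 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32                                   # protocol version + random
    pos += 1 + hello[pos]                          # session_id (length-prefixed)
    if hs_type == CLIENT_HELLO:
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hello[pos]                                   # compression_methods
    elif hs_type == SERVER_HELLO:
        pos += 2 + 1                               # cipher_suite + compression_method
    else:
        raise ValueError("not a Hello message")
    exts = {}
    if pos >= len(hello):                          # extensions block is optional
        return exts
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", hello[pos:pos + 4])
        exts[ext_type] = hello[pos + 4:pos + 4 + length]
        pos += 4 + length
    return exts

def negotiated_ems(server_hello_record: bytes) -> bool:
    """True when the server agreed to RFC 7627 EMS; the TIM cannot decode such sessions."""
    return EXTENDED_MASTER_SECRET in parse_hello_extensions(server_hello_record)

def build_server_hello(with_ems: bool) -> bytes:
    """Constructed TLS 1.2 ServerHello for the demonstration (not a real capture)."""
    exts = struct.pack("!HH", EXTENDED_MASTER_SECRET, 0) if with_ems else b""
    exts += struct.pack("!HH", 0xFF01, 1) + b"\x00"            # renegotiation_info, always present
    hello = (b"\x03\x03" + bytes(32) + b"\x00"                 # version, random, empty session_id
             + b"\xc0\x2f" + b"\x00"                           # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, no compression
             + struct.pack("!H", len(exts)) + exts)
    body = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE]) + b"\x03\x03" + struct.pack("!H", len(body)) + body
```

Feed `negotiated_ems` the server-side Hello record of a session that fails to decode (for example exported from a packet capture); if it returns True, the failure is the EMS case described above.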

Workaround:

To work around the problem, Extended Master Secret needs to be disabled on the component that enables it. Note that this also removes the protection that the MS15-121 update and RFC 7627 provide:

1. The security update 3081320 needs to be uninstalled or disabled via a registry update; see MS15-121: Security update for Schannel to address spoofing: November 10, 2015.

2. Disable Extended Master Secret on the F5 load balancer; see AskF5 K66202244: Support for RFC 7627 extended master secret extension.

Additional Information:

A new platform is being developed for the TIM which will be more flexible and will allow the option of receiving unencrypted data directly from the web servers via a plugin extension. The first release is tentatively planned for the end of calendar year 2017.
