Idea ID: 2686370

RUM - Add capability to monitor applications based on TLS 1.3

Status : Accepted
over 1 year ago

Since more and more business apps are using TLS 1.3 (Transport Layer Security), RUM should be able to monitor such apps well.

  • Hello MF,

    May I know why BSM/APM version 9.51 still does not support TLS 1.3 for HTTPS transactions?

    As I see it, MF upgrades the version of every product every quarter; however, compatibility is not being checked by the development team.

    Until you update to TLS 1.3 in the next version, kindly suggest some alternative for HTTPS data without the cipher key.

    Regards,

    Sanjay

  • Hi Anthony,
    Thanks for your hint.
    Unfortunately my customer does not have a Load Balancer in between (so far).
    Regards,

    Patrik
  • One way to overcome this issue is to use a load balancer that takes over the security certificate management, leaving the back end to do its work, then just tap the connection between the load balancer and the web frontend. Problem solved.

  • Thanks for submitting this idea. For RUM, to support applications that use TLS 1.3 somewhere in the chain of servers that receive user requests, we suggest deployment architectures that allow for RUM Sniffer’s man-in-the-middle monitoring (for example, set up a monitoring segment without TLS 1.3 in the chain of servers), or use RUM CM Probe, or use TCP-level monitoring.

    We plan to provide documentation with best practices to monitor applications that use TLS 1.2 with DH ciphers or TLS 1.3.

    The technical reason RUM Sniffer would not decrypt TLS 1.3 traffic is that the protocol mandates DH ciphers. DH inherently blocks the man-in-the-middle approach to monitoring employed by RUM Sniffer.
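
The point made in the last reply, as an added example that is not part of the thread and not RUM or Micro Focus code: a toy model of what a passive sniffer holding the server's RSA private key can recover under RSA key exchange versus ephemeral DH. All names and parameters are hypothetical, and the key sizes are deliberately tiny.

```python
import hashlib
import secrets

# Toy parameters, constructed for illustration only (far too small for real use).
P, Q, E = 2**31 - 1, 2**61 - 1, 65537      # server RSA primes and public exponent
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # server RSA private exponent
DH_P, DH_G = 2**127 - 1, 5                 # Diffie-Hellman modulus and base


def session_key(shared: int) -> str:
    """Stand-in for the TLS key schedule: hash the shared secret."""
    return hashlib.sha256(str(shared).encode()).hexdigest()


def share_digest(server_share: int) -> int:
    """Value the server signs so the client can authenticate the DH share."""
    return int.from_bytes(hashlib.sha256(str(server_share).encode()).digest(), "big") % N


def rsa_key_exchange():
    """RSA key exchange (TLS 1.2 and earlier): premaster is encrypted to the server key."""
    premaster = secrets.randbelow(N - 2) + 2
    wire = {"client_key_exchange": pow(premaster, E, N)}   # what crosses the tap
    return wire, session_key(premaster)


def dhe_key_exchange():
    """Ephemeral DH (mandatory in TLS 1.3 per the reply above): only public shares are sent."""
    a = secrets.randbelow(DH_P - 3) + 2    # client ephemeral secret, never sent
    b = secrets.randbelow(DH_P - 3) + 2    # server ephemeral secret, never sent
    client_share, server_share = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    wire = {"client_share": client_share, "server_share": server_share,
            "signature": pow(share_digest(server_share), D, N)}
    return wire, session_key(pow(server_share, a, DH_P))


def passive_sniffer(wire, rsa_private_exponent):
    """Session key a sniffer with the server's RSA private key can derive, or None."""
    if "client_key_exchange" in wire:
        return session_key(pow(wire["client_key_exchange"], rsa_private_exponent, N))
    # DHE: the RSA key only signed the server share; nothing on the wire is
    # encrypted to it, and both ephemeral secrets stay on the endpoints.
    return None
```

This is why the workarounds in the thread all move the tap to a segment where the session is terminated (a load balancer) or instrument an endpoint, rather than handing the sniffer a private key.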