Idea ID: 1791541

Traffic decryption RUM should support Diffie Hellman cipher

Status : Waiting for Votes
over 2 years ago

Considering that RUM 9.51 is able to support Diffie-Hellman running on TLS 1.2 with Apache and RHEL, I think it would be great if we also gave the same capabilities to the RUM Agent running on Windows, to support such ciphers for IIS.

It would also be great if we supported more OS and web/app server flavors that use the same encryption methods.

Thanks for reviewing the scope of these features/capabilities.

 

  • Hi Pablo,

    Hope you are doing fine.

    Have you found any solution to handle Diffie-Hellman?

    Kindly suggest; we are facing the same issue.

    Regards

  • IIS is not supported as of today. Currently there are the following alternatives available for DH in RUM.

    1. Use TCP monitoring instead of HTTP monitoring
    2. Use non-DH ciphers only or demote DH ciphers (i.e. use DH only if client provides no other options)
    3. Terminate SSL prior to mirrored point on the network (i.e. terminate on LB/RP and mirror web-server traffic for monitoring) so Sniffer receives HTTP traffic instead of HTTPS
    4. Use Client Monitor probe instead of Sniffer probe.

    Supporting DH on different web servers and operating systems has increased monitoring deployment complexity compared with the % of user traffic that uses DH and lower capacity.

    Please let us know if you want more details for any of the above alternatives.

    In addition, we need the exact IIS / Windows version / customer name (can be sent as a private message) as well as the % of user traffic that exchanges keys via DH.

     

    Thanks
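
The reply above asks for the % of user traffic that exchanges keys via DH. One way to measure it from logged cipher suite names is sketched below; this is an added example, not code from the thread or from the product. The record format, the sample data and the function names `key_exchange` and `dh_share` are assumptions.

```python
from collections import Counter

# Constructed sample: (TLS protocol, negotiated cipher suite) per connection,
# as it might be exported from a web-server or load-balancer log.
# Suite names appear in both OpenSSL and IANA spelling.
SAMPLE = [
    ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
    ("TLSv1.2", "TLS_RSA_WITH_AES_128_GCM_SHA256"),
    ("TLSv1.2", "AES256-SHA256"),
    ("TLSv1.2", "DHE-RSA-AES256-GCM-SHA384"),
    ("TLSv1.3", "TLS_AES_128_GCM_SHA256"),
    ("TLSv1.2", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"),
    ("TLSv1.2", "AES128-GCM-SHA256"),
    ("TLSv1.2", "ECDHE-RSA-AES256-SHA384"),
]

# Key-exchange tokens that lead a suite name once any TLS_/SSL_ prefix is removed.
DH_PREFIXES = {"DHE", "EDH", "ECDHE", "DH", "ECDH", "ADH", "AECDH"}
NON_RSA_PREFIXES = {"PSK", "SRP", "KRB5"}
# TLS 1.3 suite names carry no key-exchange token; TLS 1.3 has no RSA key transport.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}

def key_exchange(protocol, suite):
    """Return 'dh', 'rsa' or 'other' for one negotiated connection."""
    name = suite.upper().replace("-", "_")
    if protocol == "TLSv1.3" or name in TLS13_SUITES:
        return "dh"
    if name.startswith(("TLS_", "SSL_")):
        name = name[4:]
    first = name.split("_")[0]
    if first in DH_PREFIXES:
        return "dh"
    if first in NON_RSA_PREFIXES:
        return "other"
    # OpenSSL omits the key-exchange token for RSA key transport (e.g. AES128-GCM-SHA256).
    return "rsa"

def dh_share(records):
    """Percentage of connections whose keys were exchanged via (EC)DH."""
    counts = Counter(key_exchange(p, s) for p, s in records)
    total = sum(counts.values())
    return round(100.0 * counts["dh"] / total, 1) if total else 0.0

if __name__ == "__main__":
    print(f"DH share: {dh_share(SAMPLE)}%")
```
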