
list of supported TLS ciphers for SiteScope v11.23


Is the list of supported ciphers for SiteScope v11.23 documented somewhere?

A recent change in ciphers for a site caused our URL Sequence monitor to fail. The load balancer change modified the cipher list:

from:    'DEFAULT:!ADH:!EXPORT40:!EXP:!LOW:!MEDIUM'

to:        'DHE:ECDHE:!SHA:@SPEED'

which includes the following:

       ID  SUITE                            BITS PROT    METHOD  CIPHER   MAC     KEYX
0: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_RSA
1: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES      SHA384  ECDHE_RSA
2:   159  DHE-RSA-AES256-GCM-SHA384        256  TLS1.2  Native  AES-GCM  SHA384  EDH/RSA
3:   107  DHE-RSA-AES256-SHA256            256  TLS1.2  Native  AES      SHA256  EDH/RSA
4: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA
5: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES      SHA256  ECDHE_RSA
6:   158  DHE-RSA-AES128-GCM-SHA256        128  TLS1.2  Native  AES-GCM  SHA256  EDH/RSA
7:   103  DHE-RSA-AES128-SHA256            128  TLS1.2  Native  AES      SHA256  EDH/RSA

However, the monitors started to fail with 'handshake failure' errors. Suspect the new cipher is *not* supported. Trying to find out what the list of supported ciphers is, or why SiteScope would not support this change.

 

Thanks,

Eric


Accepted Solutions

Resolving this issue for SiS 11.23 on LINUX required *both* updated jars (local_policy.jar and US_export_policy.jar), and allowing at least 1 TLS1 and TLS1.1 cipher on the load balancer.

Here is a pointer to the jars:

==

Stop SiteScope

Download the local_policy.jar and US_export_policy.jar from the link
http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

Copy the jars to the location SiteScope/java/lib/security  (take backup copies first)

Restart SiteScope

==

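The listing in the question marks every suite on the new cipher string as TLS1.2, and half of them need 256-bit AES, which is what the two policy jars unlock. The script below is an added example, not part of the original thread and not SiteScope code: it parses that listing and filters it by a client's highest TLS version and AES key limit. The client profiles are assumptions for illustration (128 bits stands for a JRE on the default limited policy files), not a statement of what SiteScope 11.23 ships with.

```python
# Added example. Columns ID, SUITE, BITS, PROT copied from the listing in the question.
LB_LISTING = """\
49200  ECDHE-RSA-AES256-GCM-SHA384  256  TLS1.2
49192  ECDHE-RSA-AES256-SHA384      256  TLS1.2
159    DHE-RSA-AES256-GCM-SHA384    256  TLS1.2
107    DHE-RSA-AES256-SHA256        256  TLS1.2
49199  ECDHE-RSA-AES128-GCM-SHA256  128  TLS1.2
49191  ECDHE-RSA-AES128-SHA256      128  TLS1.2
158    DHE-RSA-AES128-GCM-SHA256    128  TLS1.2
103    DHE-RSA-AES128-SHA256        128  TLS1.2
"""

# IANA names (the ones a Java client reports) for the suite IDs in the listing.
IANA = {
    49200: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    49192: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    159: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    107: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    49199: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    49191: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    158: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    103: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
}
PROTOCOLS = ["TLS1", "TLS1.1", "TLS1.2"]  # oldest to newest

def parse_listing(text):
    """Turn the load balancer listing into one dict per suite."""
    suites = []
    for line in text.splitlines():
        suite_id, name, bits, proto = line.split()
        suites.append({"id": int(suite_id), "openssl": name,
                       "jsse": IANA[int(suite_id)], "bits": int(bits), "proto": proto})
    return suites

def negotiable(suites, client_max_proto, client_max_aes_bits):
    """IANA names of the suites a client with these (assumed) limits can offer."""
    limit = PROTOCOLS.index(client_max_proto)
    return [s["jsse"] for s in suites
            if PROTOCOLS.index(s["proto"]) <= limit
            and s["bits"] <= client_max_aes_bits]

if __name__ == "__main__":
    suites = parse_listing(LB_LISTING)
    # Hypothetical client profiles: (label, highest TLS version, AES key limit in bits).
    for label, proto, bits in [("TLS1.1 at most", "TLS1.1", 256),
                               ("TLS1.2, limited policy", "TLS1.2", 128),
                               ("TLS1.2, unlimited policy", "TLS1.2", 256)]:
        usable = negotiable(suites, proto, bits)
        print(f"{label}: {len(usable)} suite(s)", *usable, sep="\n  ")
```

An empty result for a profile means no suite in common with the load balancer, which a client sees as a handshake failure.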
6 Replies

Hello

I went through our internal database, and it seems that these are the ciphers supported by SiteScope:

KexAlgorithms: diffie-hellman-group1-sha1, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group14-sha1

Hope this helps.

Regards,

Allan D.

Allan Delgado Calderon
Customer Support Engineer


You can also check below forum link:

/t5/Application-Perf-Mgmt-BAC-BSM/URL-monitor-HandShake-Exception/td-p/6683333

Regards,

Allan D.


Thanks for the list of ciphers. I will see if the application team can adjust to that list.

Regarding the reference to the other post and 'handshake failure' (/t5/Application-Perf-Mgmt-BAC-BSM/URL-monitor-HandShake-Exception/td-p/6683333), it mentions using "WinInet". I wanted to try that as well, however I am running SiteScope on LINUX (not Windows), and WinInet is only supported on Windows SiteScope. Is there some other workaround for LINUX SiteScope instances?


For Linux, perhaps upgrading to the latest SiteScope should give more options?

FYI.

(SiS) Support Tip : Debugging Java SSL/TLS

Regards,


Hey,

Somewhere in the back of my head I have a memory of SiS 11.2x not supporting TLS1.2.
I do recall that being one of the reasons for a needed 11.3x switch - my guys also did some LB changes (security related) which resulted in connection errors with 11.24.
I'd suggest looking into that option, or setting up a quick and dirty 11.3x installation and checking; the community edition does not need any licenses.

Regards
