Cesar Q. asked ·

What Versions of TLS does Dynatrace 6.1 use?

Can someone provide a way to look up the versions of TLS version 6.1 of Dynatrace AppMon uses? I don't see it anywhere in the documentation.

Thanks!


Cesar Q. answered ·

I found the answer by testing a Dynatrace 6.1 Server installation using nmap as suggested in another forum (I'll link to it when I find it).

TL;DR: Dynatrace 6.1 supports TLS 1.0, TLS 1.1, and TLS 1.2.

First, install nmap. This test Dynatrace 6.1 environment was built on CentOS 7.

yum install nmap

Then, run the ssl-enum-ciphers test. I had to dig around the bug reports for nmap to find the proper syntax, as other published syntaxes weren't working.

--script tells it you're running one of the nmap scripts. +ssl-enum-ciphers is the name of the script. -p is the port to scan; Dynatrace defaults its SSL Collector port to 6699. And you'll need the host name.

nmap --script +ssl-enum-ciphers -p 6699 localhost

Finally, this is the output you should see for Dynatrace version 6.1. All of the supported Cipher Suites are listed. If it's not shown, it's not supported:

Starting Nmap 6.40 ( http://nmap.org ) at 2016-06-28 18:51 MST
Nmap scan report for localhost (127.0.0.1)
Host is up (1600s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT     STATE SERVICE
6699/tcp open  napster
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds

Correct, with Dynatrace 6.1 we disabled SSLv2 and SSLv3 (as you can see in the log), but still allowed all TLS versions (1.0, 1.1 & 1.2) as there were no known attacks at that point in time.

With Dynatrace 6.2 we restricted this down to TLS 1.2 only, as there were already (theoretical) attacks against 1.0 and 1.1 (POODLE comes to my mind).

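Checking scan output like the one in the answer above against a policy, as an added example that is not part of the original thread: the Python below parses ssl-enum-ciphers output and reports protocols outside an allow-list and cipher suites that use banned algorithms. The sample input is constructed (shortened from the format above), the function names are hypothetical, and the default policy (TLS 1.2 only, as the comment says 6.2 enforces; no RC4, which RFC 7465 prohibits in TLS) is an assumption of the example.

```python
import re
# Constructed sample, shortened from the ssl-enum-ciphers format shown in the answer.
SAMPLE = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|_  least strength: strong
"""

PROTO_RE = re.compile(r"^\|[ _]+((?:SSLv|TLSv)[\d.]+):\s*$")
CIPHER_RE = re.compile(r"^\|[ _]+((?:TLS|SSL)_\w+)\b")

def parse_ssl_enum(text):
    """Return {protocol: [cipher, ...]} from ssl-enum-ciphers script output."""
    offered, current = {}, None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            offered[current] = []
            continue
        m = CIPHER_RE.match(line)
        if m and current:
            offered[current].append(m.group(1))
    return offered

def audit(offered, allowed_protocols=("TLSv1.2",), banned_tokens=("RC4",)):
    """List protocols outside the allow-list and ciphers containing banned tokens.
    Nmap's own rating is ignored on purpose: 6.40 labels RC4 suites 'strong'."""
    findings = []
    for proto, ciphers in offered.items():
        if proto not in allowed_protocols:
            findings.append(f"{proto}: protocol not in allow-list")
        for c in ciphers:
            if any(f"_{t}_" in c for t in banned_tokens):
                findings.append(f"{proto}: {c} uses banned algorithm")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_ssl_enum(SAMPLE)):
        print(finding)
```

To audit a real scan, pass the saved nmap output text to `parse_ssl_enum` in place of `SAMPLE`.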
Ari P. answered ·

You can double check by looking at your server log file and looking for [SSLEnvironment] or [SSLSocketFactory]. I can't double check without looking at your log file but I believe we used TLS 1.0 in 6.1 (It's been 1.2 since 6.2).

Also, attached is a screenshot of the part of the log file where you can find it.

Hope this helps,

Ari

tls.png (9.9 KiB)

Hello Ari,

I could not get this tested in my Production environment, so I set up a quick throw-away environment. What I got was this:

[SSLEnvironment] Using SSL protocol version: TLS

Does that mean TLS 1.0?


There may be another entry which has more details as described here.


I think the link may be to an internal forum. I'm getting access denied.


Sorry, my bad, Cesar.

The entry says

"Dynatrace uses TLS 1.2 since 6.2.

You can double check by having a look at the server log:

    INFO [DynaTraceSSLSocketFactory] creating ssl server-socket on localhost:2031 with protocol version TLSv1.2"
