My client migrated from 6.2 -> 6.5, but the URL Monitors hitting "https" sites (VIPs) are no longer working. I have tried to turn on and off the "disable ssl cert validation" option, but this does not fix the problem. The sites use SHA-1 encryption which is getting phased out by Google and Microsoft next year.
Is there any way to force the collector to accept SHA-1 encrypted connections over https?
The error reads:
"Connection failed: DynaTraceHttpClientException: Exception was thrown while executing a HTTP request Caused by: SSLException: Unsupported record version SSLv2Hello SSL handshake failed, this may be caused by an incorrect certificate. Check 'Disable certificate validation' parameter to override this."
It seems to be similar to the reported case: SUPDT-20709, which describes how the 6.3 collector using the Java 8 JRE no longer supports older encryption algorithms. SHA-1 is getting phased out next year, and I think that this is the reason for which the 6.5 collectors (also using JRE 8) are unable to hit the SSL sites.
As the support team suggests, how would a proxy server be used as a workaround?
Any insight or workaround for this issue is welcomed, as it may prevent my client from migrating to 6.5 until they can upgrade all the SSL certs to SHA-2 encryption.
Answer by Eric E.
Here is the solution that seems to work for Windows Collectors:
I will need to get feedback from my client about using the 6.2 version of the URL plugin for all monitors, but this workaround seems sufficient.