The TIM is showing SSL decode failures for TLS 1.x traffic which has the "Extended Master Secret" TLS extension enabled. Research shows:
- In the timlog.txt file the message “Block size greater than Plaintext!" is visible
- When review corresponding pcap for the SSL handshake in Wireshark both "Client Hello" and "Server Hello" contain the extension reference for "Extended Master Secret", which confirms that "Extended Master Secret" will be used for the handshake. For details see IETF reference: "Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension" -> "5.2. Client and Server Behavior: Full Handshake"
The TIM does not support the Extended Master Secret (EMS) extension. Typical implementations are:
1. Microsoft IIS web servers are being used and a Microsoft security update 3081320 has been applied which enables the Extended Master Secret extension for all TLS versions: Microsoft Security Bulletin MS15-121 - Important > Security Update for Schannel to Address Spoofing (3081320)
2. An F5 Load Balancer is being used which has Extended Master Secret enabled.
To workaround the problem Extended Master Secret needs to be disabled:
1. The security update 3081320 needs to be uninstalled or disabled via a registry update: MS15-121: Security update for Schannel to address spoofing: November 10, 2015
2. Disable Extended Master Secret on the F5 Load Balancer: AskF5 Home > K66202244 > K66202244: Support for RFC 7627 extended master secret extension
A new platform is being developed for the TIM which will be more flexible and will allow the option of receiving unencrypted data directly from the web servers via a plugin extension. The first release will be tentatively available at end of calendar year 2017.