Comment on page

Transport Layer Security (TLS) Alerts

ThousandEyes HTTP server tests allow users to detect and alert on common Transport Layer Security (TLS) issues, including missing or expired certificates, unsupported TLS versions, and weak or specific cipher suites. This section covers how to access TLS session information, and how to configure alerts.
Certificate Chains
See Certificate Chain Basics for more information.
TLS Session Information
TLS session information is displayed in a slide-out panel accessible by clicking the Details link in the Response column in the Table view:
The panel displays the TLS version, cipher suite, certificate chain, and details about each certificate in the chain, as well as separate tabs for the HTTP request and response headers:
When a TLS error is detected, the Details link mentioned above is moved from the Response column to the Error column, and follows a summary description of the error found. The example image below shows that a certificate has expired:
When the Details link is clicked, the slide-out panel provides details of the error:
TLS Alert Rule Configuration
To configure an alert rule for TLS information:
1.Either open an existing HTTP server alert rule, or create a new one (see Creating and Editing Alert Rules for more information).
2.In the Alert Conditions section, open the drop-down menu, and select the desired condition:
Certificate
SSL Version
Cipher Suite
3.Set the condition values:
Alert Condition
Option
Description
Values
Certificate
expires within
Defines the number of days before certificate expiry the alert should trigger.
Number of days (default value is 30)
SSL Version
in
Sends an alert if the SSL version used is in the defined list. Multiple versions can be selected at once.
TLS 1.0
TLS 1.1
TLS 1.2
TLS 1.3
​
not in
Sends an alert if the SSL version used is not in the defined list. Multiple versions can be selected at once.
TLS 1.0
TLS 1.1
TLS 1.2
TLS 1.3
Cipher Suite
is weak
Triggers an alert if the cipher suite is considered weak/not recommended. See Recommended Cipher Suites below for more information.
N/A
​
not in
Triggers an alert for any cipher suites in a comma separated list.
Important: ThousandEyes uses the OpenSSL naming convention for cipher suites, which is different from the IANA naming convention.
See Recommended Cipher Suites for IANA-OpenSSL cipher suite name mappings.
4.Optional: Click the Plus icon and repeat steps two and three to configure additional TLS alert conditions.
5.Click Create New Alert Rule or Save Changes to save the alert rule.
The example below shows each of the TLS options configured:
Recommended Cipher Suites
The table below is a list of recommended cipher suites:
IANA Name
Open SSL Name
RFC
TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256
DHE-PSK-CHACHA20-POLY1305
​RFC7905​
TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256
ECDHE-PSK-CHACHA20-POLY1305
​RFC7905​
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
DHE-RSA-CHACHA20-POLY1305
​RFC7905​
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
ECDHE-ECDSA-CHACHA20-POLY1305
​RFC7905​
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
ECDHE-RSA-CHACHA20-POLY1305
​RFC7905​
TLS_DHE_PSK_WITH_AES_256_CCM
DHE-PSK-AES256-CCM
​RFC6655​
TLS_DHE_PSK_WITH_AES_128_CCM
DHE-PSK-AES128-CCM
​RFC6655​
TLS_DHE_RSA_WITH_AES_256_CCM
DHE-RSA-AES256-CCM
​RFC6655​
TLS_DHE_RSA_WITH_AES_128_CCM
DHE-RSA-AES128-CCM
​RFC6655​
TLS_DHE_RSA_WITH_AES_256_CCM_8
DHE-RSA-AES256-CCM8
​RFC6655​
TLS_DHE_RSA_WITH_AES_128_CCM_8
DHE-RSA-AES128-CCM8
​RFC6655​
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
ECDHE-RSA-AES256-GCM-SHA384
​RFC5289​
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
ECDHE-RSA-AES128-GCM-SHA256
​RFC5289​
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
​RFC5289​
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
​RFC5289​
TLS_AES_128_CCM_SHA256
TLS_AES_128_CCM_SHA256
​RFC8446​
TLS_CHACHA20_POLY1305_SHA256
TLS_CHACHA20_POLY1305_SHA256
​RFC8446​
TLS_AES_256_GCM_SHA384
TLS_AES_256_GCM_SHA384
​RFC8446​
TLS_AES_128_GCM_SHA256
TLS_AES_128_GCM_SHA256
​RFC8446​
TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
DHE-PSK-AES256-GCM-SHA384
​RFC5487​
TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
DHE-PSK-AES128-GCM-SHA256
​RFC5487​
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
DHE-RSA-AES256-GCM-SHA384
​RFC5288​
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
DHE-RSA-AES128-GCM-SHA256
​RFC5288​
Troubleshooting
See Chain Validation Failure Scenarios for more information.
Caveats
If the target site uses HTTP/2 and issues at least one redirect, and the last request is to the same domain as the previous request, then the certificates will be lost.

Alert Condition	Option	Description	Values
Certificate	expires within	Defines the number of days before certificate expiry the alert should trigger.	Number of days (default value is 30)
SSL Version	in	Sends an alert if the SSL version used is in the defined list. Multiple versions can be selected at once.	TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3
	not in	Sends an alert if the SSL version used is not in the defined list. Multiple versions can be selected at once.	TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3
Cipher Suite	is weak	Triggers an alert if the cipher suite is considered weak/not recommended. See Recommended Cipher Suites below for more information.	N/A
	not in	Triggers an alert for any cipher suites in a comma separated list. Important: ThousandEyes uses the OpenSSL naming convention for cipher suites, which is different from the IANA naming convention.	See Recommended Cipher Suites for IANA-OpenSSL cipher suite name mappings.

IANA Name	Open SSL Name	RFC
TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256	DHE-PSK-CHACHA20-POLY1305	RFC7905
TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256	ECDHE-PSK-CHACHA20-POLY1305	RFC7905
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256	DHE-RSA-CHACHA20-POLY1305	RFC7905
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256	ECDHE-ECDSA-CHACHA20-POLY1305	RFC7905
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256	ECDHE-RSA-CHACHA20-POLY1305	RFC7905
TLS_DHE_PSK_WITH_AES_256_CCM	DHE-PSK-AES256-CCM	RFC6655
TLS_DHE_PSK_WITH_AES_128_CCM	DHE-PSK-AES128-CCM	RFC6655
TLS_DHE_RSA_WITH_AES_256_CCM	DHE-RSA-AES256-CCM	RFC6655
TLS_DHE_RSA_WITH_AES_128_CCM	DHE-RSA-AES128-CCM	RFC6655
TLS_DHE_RSA_WITH_AES_256_CCM_8	DHE-RSA-AES256-CCM8	RFC6655
TLS_DHE_RSA_WITH_AES_128_CCM_8	DHE-RSA-AES128-CCM8	RFC6655
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384	ECDHE-RSA-AES256-GCM-SHA384	RFC5289
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256	ECDHE-RSA-AES128-GCM-SHA256	RFC5289
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384	ECDHE-ECDSA-AES256-GCM-SHA384	RFC5289
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256	ECDHE-ECDSA-AES128-GCM-SHA256	RFC5289
TLS_AES_128_CCM_SHA256	TLS_AES_128_CCM_SHA256	RFC8446
TLS_CHACHA20_POLY1305_SHA256	TLS_CHACHA20_POLY1305_SHA256	RFC8446
TLS_AES_256_GCM_SHA384	TLS_AES_256_GCM_SHA384	RFC8446
TLS_AES_128_GCM_SHA256	TLS_AES_128_GCM_SHA256	RFC8446
TLS_DHE_PSK_WITH_AES_256_GCM_SHA384	DHE-PSK-AES256-GCM-SHA384	RFC5487
TLS_DHE_PSK_WITH_AES_128_GCM_SHA256	DHE-PSK-AES128-GCM-SHA256	RFC5487
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384	DHE-RSA-AES256-GCM-SHA384	RFC5288
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256	DHE-RSA-AES128-GCM-SHA256	RFC5288

Dynamic Baselines

Alert Rules for Devices

Last modified 3mo ago