# Transport Layer Security (TLS) Alerts

ThousandEyes HTTP server tests allow users to detect and alert on common Transport Layer Security (TLS) issues, including missing or expired certificates, unsupported TLS versions, and weak or specific cipher suites. This section covers how to access TLS session information, and how to configure alerts.

## Certificate Chains

See [Certificate Chain Basics](https://docs.thousandeyes.com/product-documentation/internet-and-wan-monitoring/troubleshooting/http-server-test-fails-with-ssl-error#certificate-chain-basics) for more information.

## TLS Session Information

TLS session information is displayed in a slide-out panel accessible by clicking the **Details** link in the **Response** column in the **Table** view:

The panel displays the TLS version, cipher suite, certificate chain, and details about each certificate in the chain, as well as separate tabs for the HTTP request and response headers:

When a TLS error is detected, the **Details** link mentioned above is moved from the **Response** column to the **Error** column, and follows a summary description of the error found. The example image below shows that a certificate has expired:

When the **Details** link is clicked, the slide-out panel provides details of the error:

## TLS Alert Rule Configuration

To configure an alert rule for TLS information:

1. Either open an existing HTTP server alert rule, or create a new one (see [Creating and Editing Alert Rules](https://docs.thousandeyes.com/product-documentation/alerts/creating-and-editing-alert-rules) for more information).
2. In the **Alert Conditions** section, open the drop-down menu, and select the desired condition:
   * Certificate
   * SSL Version
   * Cipher Suite
3. Set the condition values:

   | Alert Condition | Option         | Description                                                                                                                                                                                                       | Values                                                                                                   |
   | --------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------- |
   | Certificate     | expires within | Defines the number of days before certificate expiry the alert should trigger.                                                                                                                                    | Number of days (default value is 30)                                                                     |
   | SSL Version     | in             | Sends an alert if the SSL version used is in the defined list. Multiple versions can be selected at once.                                                                                                         | <ul><li>TLS 1.0</li><li>TLS 1.1</li><li>TLS 1.2</li><li>TLS 1.3</li></ul>                                |
   |                 | not in         | Sends an alert if the SSL version used is not in the defined list. Multiple versions can be selected at once.                                                                                                     | <ul><li>TLS 1.0</li><li>TLS 1.1</li><li>TLS 1.2</li><li>TLS 1.3</li></ul>                                |
   | Cipher Suite    | is weak        | Triggers an alert if the cipher suite is considered weak/not recommended. See [Recommended Cipher Suites](#recommended-cipher-suites) below for more information.                                                 | N/A                                                                                                      |
   |                 | not in         | <p>Triggers an alert for any cipher suites in a comma-separated list.</p><p>Important: ThousandEyes uses the OpenSSL naming convention for cipher suites, which is different from the IANA naming convention.</p> | See [Recommended Cipher Suites](#recommended-cipher-suites) for IANA-OpenSSL cipher suite name mappings. |
4. **Optional:** Click the **Plus** icon and repeat steps two and three to configure additional TLS alert conditions.
5. Click **Create New Alert Rule** or **Save Changes** to save the alert rule.

The example below shows each of the TLS options configured:

### Recommended Cipher Suites

The table below is a list of recommended cipher suites:

| IANA Name                                           | OpenSSL Name                    | RFC                                        |
| --------------------------------------------------- | ------------------------------- | ------------------------------------------ |
| TLS\_DHE\_PSK\_WITH\_CHACHA20\_POLY1305\_SHA256     | DHE-PSK-CHACHA20-POLY1305       | [RFC7905](https://www.iana.org/go/rfc7905) |
| TLS\_ECDHE\_PSK\_WITH\_CHACHA20\_POLY1305\_SHA256   | ECDHE-PSK-CHACHA20-POLY1305     | [RFC7905](https://www.iana.org/go/rfc7905) |
| TLS\_DHE\_RSA\_WITH\_CHACHA20\_POLY1305\_SHA256     | DHE-RSA-CHACHA20-POLY1305       | [RFC7905](https://www.iana.org/go/rfc7905) |
| TLS\_ECDHE\_ECDSA\_WITH\_CHACHA20\_POLY1305\_SHA256 | ECDHE-ECDSA-CHACHA20-POLY1305   | [RFC7905](https://www.iana.org/go/rfc7905) |
| TLS\_ECDHE\_RSA\_WITH\_CHACHA20\_POLY1305\_SHA256   | ECDHE-RSA-CHACHA20-POLY1305     | [RFC7905](https://www.iana.org/go/rfc7905) |
| TLS\_DHE\_PSK\_WITH\_AES\_256\_CCM                  | DHE-PSK-AES256-CCM              | [RFC6655](https://www.iana.org/go/rfc6655) |
| TLS\_DHE\_PSK\_WITH\_AES\_128\_CCM                  | DHE-PSK-AES128-CCM              | [RFC6655](https://www.iana.org/go/rfc6655) |
| TLS\_DHE\_RSA\_WITH\_AES\_256\_CCM                  | DHE-RSA-AES256-CCM              | [RFC6655](https://www.iana.org/go/rfc6655) |
| TLS\_DHE\_RSA\_WITH\_AES\_128\_CCM                  | DHE-RSA-AES128-CCM              | [RFC6655](https://www.iana.org/go/rfc6655) |
| TLS\_DHE\_RSA\_WITH\_AES\_256\_CCM\_8               | DHE-RSA-AES256-CCM8             | [RFC6655](https://www.iana.org/go/rfc6655) |
| TLS\_DHE\_RSA\_WITH\_AES\_128\_CCM\_8               | DHE-RSA-AES128-CCM8             | [RFC6655](https://www.iana.org/go/rfc6655) |
| TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384        | ECDHE-RSA-AES256-GCM-SHA384     | [RFC5289](https://www.iana.org/go/rfc5289) |
| TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256        | ECDHE-RSA-AES128-GCM-SHA256     | [RFC5289](https://www.iana.org/go/rfc5289) |
| TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_GCM\_SHA384      | ECDHE-ECDSA-AES256-GCM-SHA384   | [RFC5289](https://www.iana.org/go/rfc5289) |
| TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_GCM\_SHA256      | ECDHE-ECDSA-AES128-GCM-SHA256   | [RFC5289](https://www.iana.org/go/rfc5289) |
| TLS\_AES\_128\_CCM\_SHA256                          | TLS\_AES\_128\_CCM\_SHA256      | [RFC8446](https://www.iana.org/go/rfc8446) |
| TLS\_CHACHA20\_POLY1305\_SHA256                     | TLS\_CHACHA20\_POLY1305\_SHA256 | [RFC8446](https://www.iana.org/go/rfc8446) |
| TLS\_AES\_256\_GCM\_SHA384                          | TLS\_AES\_256\_GCM\_SHA384      | [RFC8446](https://www.iana.org/go/rfc8446) |
| TLS\_AES\_128\_GCM\_SHA256                          | TLS\_AES\_128\_GCM\_SHA256      | [RFC8446](https://www.iana.org/go/rfc8446) |
| TLS\_DHE\_PSK\_WITH\_AES\_256\_GCM\_SHA384          | DHE-PSK-AES256-GCM-SHA384       | [RFC5487](https://www.iana.org/go/rfc5487) |
| TLS\_DHE\_PSK\_WITH\_AES\_128\_GCM\_SHA256          | DHE-PSK-AES128-GCM-SHA256       | [RFC5487](https://www.iana.org/go/rfc5487) |
| TLS\_DHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384          | DHE-RSA-AES256-GCM-SHA384       | [RFC5288](https://www.iana.org/go/rfc5288) |
| TLS\_DHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256          | DHE-RSA-AES128-GCM-SHA256       | [RFC5288](https://www.iana.org/go/rfc5288) |
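The following script is an added example, not ThousandEyes code, and it serves two passages above: the alert-condition table in the configuration steps (certificate expires within N days, SSL version in / not in, cipher suite is weak / not in) and the IANA-to-OpenSSL naming caveat that the recommended cipher suite table resolves. The `TlsSession` record, the rule dictionary keys, the function names and the sample session (a constructed TLS 1.1 endpoint using the OpenSSL-named suite `AES128-SHA`) are all assumptions made for illustration; the cipher dictionary is copied from the table above, and the "is weak" check is approximated as "absent from that table", which may differ from the product's own weak list.

```python
"""Evaluate the TLS alert conditions described on this page against one
TLS session record. Added example, not ThousandEyes code: the TlsSession
fields, the rule keys and the function names are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# IANA -> OpenSSL names, copied from the Recommended Cipher Suites table above.
RECOMMENDED_CIPHERS = {
    "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256": "DHE-PSK-CHACHA20-POLY1305",
    "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-PSK-CHACHA20-POLY1305",
    "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256": "DHE-RSA-CHACHA20-POLY1305",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-ECDSA-CHACHA20-POLY1305",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-RSA-CHACHA20-POLY1305",
    "TLS_DHE_PSK_WITH_AES_256_CCM": "DHE-PSK-AES256-CCM",
    "TLS_DHE_PSK_WITH_AES_128_CCM": "DHE-PSK-AES128-CCM",
    "TLS_DHE_RSA_WITH_AES_256_CCM": "DHE-RSA-AES256-CCM",
    "TLS_DHE_RSA_WITH_AES_128_CCM": "DHE-RSA-AES128-CCM",
    "TLS_DHE_RSA_WITH_AES_256_CCM_8": "DHE-RSA-AES256-CCM8",
    "TLS_DHE_RSA_WITH_AES_128_CCM_8": "DHE-RSA-AES128-CCM8",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_AES_128_CCM_SHA256": "TLS_AES_128_CCM_SHA256",
    "TLS_CHACHA20_POLY1305_SHA256": "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_256_GCM_SHA384": "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256": "TLS_AES_128_GCM_SHA256",
    "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384": "DHE-PSK-AES256-GCM-SHA384",
    "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256": "DHE-PSK-AES128-GCM-SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": "DHE-RSA-AES256-GCM-SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": "DHE-RSA-AES128-GCM-SHA256",
}
RECOMMENDED_OPENSSL = set(RECOMMENDED_CIPHERS.values())


@dataclass
class TlsSession:
    tls_version: str          # e.g. "TLS 1.2", as shown in the Details panel
    cipher_suite: str         # OpenSSL name, the convention ThousandEyes reports
    cert_not_after: datetime  # leaf certificate expiry, timezone-aware UTC


def parse_cipher_list(text):
    """Split a comma-separated 'not in' list and reject IANA-style names: they
    never match the OpenSSL name compared against, so the alert would fire for
    every session. Pre-1.3 IANA names contain _WITH_; TLS 1.3 names do not and
    are identical in both conventions, so they pass through unchanged."""
    names = [n.strip() for n in text.split(",") if n.strip()]
    for n in names:
        if "_WITH_" in n:
            hint = RECOMMENDED_CIPHERS.get(n, "not in the recommended table")
            raise ValueError(f"{n!r} is an IANA name; OpenSSL equivalent: {hint}")
    return names


def cert_expires_within(session, days, now):
    """'Certificate expires within N days' (the page's default N is 30)."""
    return session.cert_not_after <= now + timedelta(days=days)


def cipher_is_weak(session):
    """Assumption: 'is weak / not recommended' approximated as 'absent from the
    page's recommended list'; the product's own weak list may differ."""
    return session.cipher_suite not in RECOMMENDED_OPENSSL


def evaluate_rule(session, rule, now=None):
    """Return a description of each condition in `rule` that fires for `session`.
    Rule keys (all optional) mirror the alert-condition table on this page."""
    now = now or datetime.now(timezone.utc)
    fired = []
    days = rule.get("expires_within_days")
    if days is not None and cert_expires_within(session, days, now):
        fired.append(f"certificate expires within {days} days")
    if session.tls_version in rule.get("version_in", []):
        fired.append(f"ssl version {session.tls_version} is in the alert list")
    if "version_not_in" in rule and session.tls_version not in rule["version_not_in"]:
        fired.append(f"ssl version {session.tls_version} is not in the allowed list")
    if rule.get("cipher_is_weak") and cipher_is_weak(session):
        fired.append(f"cipher suite {session.cipher_suite} is weak")
    if "cipher_not_in" in rule:
        if session.cipher_suite not in parse_cipher_list(rule["cipher_not_in"]):
            fired.append(f"cipher suite {session.cipher_suite} is not in the allowed list")
    return fired


# Constructed sample: a legacy endpoint that negotiated TLS 1.1 with an RSA key
# exchange / CBC suite and whose certificate expires in 10 days.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_SESSION = TlsSession("TLS 1.1", "AES128-SHA", SAMPLE_NOW + timedelta(days=10))
SAMPLE_RULE = {
    "expires_within_days": 30,
    "version_in": ["TLS 1.0", "TLS 1.1"],
    "cipher_is_weak": True,
    "cipher_not_in": "ECDHE-RSA-AES256-GCM-SHA384, TLS_AES_256_GCM_SHA384",
}

if __name__ == "__main__":
    for line in evaluate_rule(SAMPLE_SESSION, SAMPLE_RULE, SAMPLE_NOW):
        print("ALERT:", line)
```

Running the script prints four alerts for the sample session. The `_WITH_` check in `parse_cipher_list` is the practical takeaway: a `not in` list pasted in IANA form would never match the OpenSSL names ThousandEyes reports, so every session would alert, which is the failure the naming note in the table is warning about.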

## Troubleshooting

See [Chain Validation Failure Scenarios](https://docs.thousandeyes.com/product-documentation/internet-and-wan-monitoring/troubleshooting/http-server-test-fails-with-ssl-error#chain-validation-failure-scenarios) for more information.

## Caveats

* If the target site uses HTTP/2 and issues at least one redirect, and the last request is to the same domain as the previous request, then the certificates will be lost.
