Under the “Server by Port” metric in FxM and under the APM appliance health sniffer details, you can see an SSL error rate of less than 100%, and the only error message seen is “Invalid SSL key”.
If the key were truly invalid, the error rate should be 100%.
There is a known security flaw in TLS that has been around for a while and has finally been addressed. The RFC that defines the issue and a fix was ratified Sept 15, 2015:
https://tools.ietf.org/html/rfc7627
The issue is known as the "Triple Handshake attack". The fix requires adding an "Extended Master Secret and Session Hash".
It looks like browsers are now starting to support this Extended Master Secret.
Regretfully, it means FxM/APM fails to decrypt these HTTPS streams. An "Invalid Key" error is generated in these cases.
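To confirm that a failing session negotiated the Extended Master Secret, check the ClientHello and ServerHello in a packet capture for extension type 0x0017 (`extended_master_secret`, RFC 7627). The sketch below is an added example, not FxM/APM code; it assumes each hello fits in a single TLS record, and `build_hello` with its sample bytes is constructed for the demonstration.

```python
import struct

EXT_EMS = 0x0017  # extended_master_secret extension type (RFC 7627)

def hello_extension_types(record: bytes) -> list:
    """Extension types in one TLS record holding a ClientHello or ServerHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] not in (1, 2):
        raise ValueError("not a TLS ClientHello/ServerHello record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    try:
        pos = 2 + 32                          # legacy version + random
        pos += 1 + body[pos]                  # session_id
        if record[5] == 1:                    # ClientHello: two length-prefixed lists
            pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # cipher_suites
            pos += 1 + body[pos]              # compression_methods
        else:                                 # ServerHello: one suite + one method
            pos += 3
    except IndexError:
        raise ValueError("truncated hello") from None
    if pos + 2 > len(body):
        return []                             # hello carries no extensions block
    end = min(len(body), pos + 2 + int.from_bytes(body[pos:pos + 2], "big"))
    pos += 2
    types = []
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        types.append(ext_type)
        pos += 4 + ext_len
    return types

def session_uses_ems(client_hello: bytes, server_hello: bytes) -> bool:
    """EMS is in effect only when the client offers it and the server echoes it."""
    return (EXT_EMS in hello_extension_types(client_hello)
            and EXT_EMS in hello_extension_types(server_hello))

def build_hello(msg_type: int, ext_types: list) -> bytes:
    """Constructed sample hello: zeroed random, empty session_id, empty extension bodies."""
    exts = b"".join(struct.pack("!HH", t, 0) for t in ext_types)
    choice = b"\x00\x02\xc0\x2f\x01\x00" if msg_type == 1 else b"\xc0\x2f\x00"
    body = b"\x03\x03" + bytes(32) + b"\x00" + choice + struct.pack("!H", len(exts)) + exts
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    ch = build_hello(1, [EXT_EMS, 0x000b])    # constructed client offering EMS
    for server_exts in ([EXT_EMS], [0x000b]): # server echoes EMS / server does not
        print(server_exts, session_uses_ems(ch, build_hello(2, server_exts)))
```

Sessions for which `session_uses_ems` returns true are the ones expected to produce the "Invalid Key" error described above.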
RESOLUTION(1):
This issue has been assigned Tracking ID FXM-811 and APMDATA-2167 for consideration in a future release.