New Question
 
 
PRTG Network Monitor

Intuitive to Use.
Easy to manage.

200.000 administrators have chosen PRTG to monitor their network. Find out how you can reduce cost, increase QoS and ease planning, as well.

Free PRTG
Download >>

 

What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general. You are invited to get involved by asking and answering questions!

Learn more

 

Top Tags


View all Tags


On sensors monitoring sites that only support TLS 1.1 and Newer

Votes:

0

Your Vote:

Up

Down

Our servers have previously been "SSL hardened". SSL 2/3 has already been disabled, many other custom configs to make it as secure as possible. Here's a good example config that should be supported: https://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12

PRTG is happy monitoring our websites & certs.

We now want to make one more change: we want to disable TLS 1.0. A hold back previously was that some web clients, such as WinXP/IE8 don't support TLS 1.1, but this is no longer of concern to us. Another anomaly we encountered was RDP from Windows 7 didn't support TLS 1.1, but luckily MS has a patch for that.

Our testing has also uncovered that PRTG's HTTP sensors don't work when we disable TLS 1.0. Here is the outcomes of what's happening with the latest HTTP Advanced Sensor when monitoring a site that requires SSL

TLS1.0 ON @ target, with Alternative Monitoring engine: OK TLS1.0 ON @ target, with Default Monitoring Engine: Failed to establish secure connection [Step 0] Socket Error # 10054 Connection reset by peer. [Step 1] Socket Error # 10054 Connection reset by peer. [Step 2] Socket Error # 10054 Connection reset by peer. [Step 3] Socket Error # 10054 Connection reset by peer. [Step 4] Socket Error # 10054 Connection reset by peer. [Unsecure] IOHandler value is not valid TLS1.0 OFF @ target, with Alternative Monitoring engine: The underlying connection was closed: An unexpected error occurred on a send. TLS1.0 OFF @ target, with Default Monitoring Engine: Failed to establish secure connection [Step 0] Socket Error # 10054 Connection reset by peer. [Step 1] Socket Error # 10054 Connection reset by peer. [Step 2] Socket Error # 10054 Connection reset by peer. [Step 3] Socket Error # 10054 Connection reset by peer. [Step 4] Socket Error # 10054 Connection reset by peer. [Unsecure] IOHandler value is not valid

I've seen there is a thread of similar behavior with the SSL Cert Expiry sensor, but as that is being deprecated and HTTP Advanced is one of my clients (and mine) favorite sensors. A big list of websites that are all responding with a nice, green HTTP 200 makes everyone happy. So basically, this is a show stopper for disabling TLS 1.0 for the moment.

http://kb.paessler.com/en/topic/63022-http-ssl-certificate-expiry-does-not-support-tls-1-1-or-1-2 - This is just over a year ago, and I say I'm proud of them for wanting to disable TLS 1.0 back then. It was improved like 10 years ago with TLS 1.1, now is the time we should all be working together to phase it out.

Paessler will be well served not to require devices to support this insecure transport in order to take advantage of all that is PRTG. I could write a story for any actor in this scenario, but the best ones should come from your CIO or security group.

http-sensor ssl tls

Created on Feb 3, 2016 6:17:51 AM by  Curtis Kayfish (70) 2 1



3 Replies

Votes:

0

Your Vote:

Up

Down

I talked to development about this. All we can say at this point is that it's on our Roadmap with no finalized ETA yet.

Kind regards.

Created on Feb 4, 2016 3:28:50 PM by  Erhard Mikulik [Paessler Support]



Votes:

0

Your Vote:

Up

Down

Any updates on this topic? TLS 1.0 is really getting long in the tooth.

Created on Jun 23, 2017 9:18:24 AM by  Alexander Siegelin (0)



Votes:

0

Your Vote:

Up

Down

Hello Alexander,
thank you for your reply.

I've just tested this and can confirm that the following mentioned sensors will currently (17.2.31.2018) work in a "TLS 1.2 only environment":

If you have a website or deployment/use case where the result was different, please let me know.

Best Regards,
Luciano Lingnau [Paessler Support]

Created on Jun 23, 2017 10:42:11 AM by  Luciano Lingnau [Paessler Support]

Last change on Jun 23, 2017 10:42:22 AM by  Luciano Lingnau [Paessler Support]



Please log in or register to enter your reply.


Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.