Use the Global > Advanced > SSL Options screen to set advanced SSL options on AMD Classic 12.4.x.
These settings apply only to AMD Classic 12.4.x, not to later AMD/NAM Probe releases.
You can define new alert codes, change predefined common SSL alert codes, and decide which alert codes should be taken into account when calculating the failures (transport) metric.
By default, the most commonly used alert codes are already defined and divided into three groups:
- SSL Alerts A: 10, 20, 21, 22, 30, 40, 49, 50, 51, 60, 70, 71, 110. This group is shown on NAM reports as SSL Error 1, named SSL session fatal error by default.
- SSL Alerts B: 41, 42, 43, 44, 45, 46, 48, 111, 112, 113, 114, 115. This group is shown on NAM reports as SSL Error 2, named SSL handshake fatal error by default.
- SSL Alerts N: all alerts not in group A or B. This group is shown on NAM reports as Other SSL Errors, named SSL warnings by default.
Using advanced options
Use the SSL Failures table to indicate the codes that should be reported as failures (transport).
Select the Report server name from SSL certificate check box to enable the NAM Probe to extract the names from SSL certificates.
These names are included with the monitored data along with the SSL setup time, protocol, and cipher.
Right-click and select Add or Delete to add or delete the SSL alert codes in the SSL Failures table. You can also choose the source of alert code to trigger an SSL failure (server, client, or both).
If the NAM Probe is connected to CAS, SSL errors can be given customized names on the report server side. For more information, see Defining SSL error names.
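As an added illustration (not Dynatrace or NAM code), the following Python parses a plaintext TLS alert record, maps its description code to the default group names listed above, and applies an assumed SSL Failures table with a per-code source filter (server, client, or both) to decide whether the alert counts toward failures (transport). The group sets are copied from this page; the failure table, the sample record and all function names are constructed for the example.

```python
import struct

ALERT_CONTENT_TYPE = 0x15                 # TLS record content type "alert"
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Default AMD Classic 12.4.x groups, copied from this page.
GROUP_A = {10, 20, 21, 22, 30, 40, 49, 50, 51, 60, 70, 71, 110}  # SSL Error 1
GROUP_B = {41, 42, 43, 44, 45, 46, 48, 111, 112, 113, 114, 115}  # SSL Error 2
# Assumed SSL Failures table (constructed): alert code -> source whose alert
# triggers a failure ("server", "client" or "both").
FAILURE_TABLE = {40: "both", 42: "server", 48: "client", 70: "both"}

def classify(code):
    """Map an alert description code to the NAM report group name."""
    if code in GROUP_A:
        return "SSL Error 1"
    if code in GROUP_B:
        return "SSL Error 2"
    return "Other SSL Errors"

def parse_alert_record(raw):
    """Return (level, code) for a plaintext alert record, None for any other
    record type; raise ValueError when the record is malformed."""
    if len(raw) < 5:
        raise ValueError("truncated TLS record header")
    ctype, _major, _minor, length = struct.unpack("!BBBH", raw[:5])
    if ctype != ALERT_CONTENT_TYPE:
        return None
    # A plaintext alert body is exactly 2 bytes; anything else is corrupt or
    # an encrypted alert that has to be decrypted before it can be read.
    if length != 2 or len(raw) < 7:
        raise ValueError("alert body is not a 2-byte plaintext alert")
    return ALERT_LEVELS.get(raw[5], "unknown"), raw[6]

def is_transport_failure(code, source, table=FAILURE_TABLE):
    """True if an alert from `source` counts toward failures (transport)."""
    wanted = table.get(code)
    return wanted is not None and wanted in ("both", source)

def summarize(raw, source):
    """Parse one record and report group and failure decision, or None."""
    parsed = parse_alert_record(raw)
    if parsed is None:
        return None
    level, code = parsed
    return {"level": level, "code": code, "group": classify(code),
            "failure": is_transport_failure(code, source)}

# Constructed sample: TLS 1.2 plaintext alert, fatal (2) handshake_failure (40).
SAMPLE_ALERT = bytes([0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x28])
```

Alerts sent after the cipher spec changes are encrypted on the wire, so a probe has to decrypt the record before this classification can be applied.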
SSL alerts the AMD can recognize
| SSL alert name | SSL alert code | Description |
|---|---|---|
| close_notify | 0 | Notifies the recipient that the sender will not send any more messages on this connection. |
| unexpected_message | 10 | Received an inappropriate message. This alert should never be observed in communication between proper implementations. Fatal. |
| bad_record_mac | 20 | Received a record with an incorrect MAC. Fatal. |
| decryption_failed | 21 | A TLSCiphertext record was decrypted in an invalid way: either it was not an even multiple of the block length or its padding values, when checked, were not correct. Fatal. |
| record_overflow | 22 | Received a TLSCiphertext record whose length exceeded 2^14+2048 bytes, or a record that decrypted to a TLSCompressed record of more than 2^14+1024 bytes. Fatal. |
| decompression_failure | 30 | Received improper input, such as data that would expand to excessive length, from the decompression function. Fatal. |
| handshake_failure | 40 | Indicates that the sender was unable to negotiate an acceptable set of security parameters given the options available. Fatal. |
| no_certificate_RESERVED | 41 | Sent by a client to indicate that the client does not have a proper certificate to fulfill a certificate request from the server. This alert description is no longer used by TLS (now the client sends an empty certificate message if it does not have a proper certificate). |
| bad_certificate | 42 | There is a problem with the certificate; for example, the certificate is corrupt or contains signatures that cannot be verified. |
| unsupported_certificate | 43 | Received an unsupported certificate type. |
| certificate_revoked | 44 | Received a certificate that was revoked by its signer. |
| certificate_expired | 45 | Received a certificate that has expired or is not currently valid. |
| certificate_unknown | 46 | An unspecified issue took place while processing the certificate that made it unacceptable. |
| illegal_parameter | 47 | Violated security parameters; for example, a field in the handshake was out of range or inconsistent with other fields. Fatal. |
| unknown_ca | 48 | Received a valid certificate chain or partial chain, but the certificate was not accepted because the CA certificate could not be located or could not be matched with a known, trusted CA. Fatal. |
| access_denied | 49 | Received a valid certificate, but when access control was applied, the sender did not proceed with negotiation. Fatal. |
| decode_error | 50 | A message could not be decoded because some field was out of the specified range or the length of the message was incorrect. Fatal. |
| decrypt_error | 51 | Failed handshake cryptographic operation, including being unable to correctly verify a signature, decrypt a key exchange, or validate a finished message. |
| export_restriction | 60 | Detected a negotiation that was not in compliance with export restrictions; for example, attempting to transfer a 1024 bit ephemeral RSA key for the RSA_EXPORT handshake method. Fatal. |
| protocol_version | 70 | The protocol version the client attempted to negotiate is recognized, but not supported. For example, old protocol versions might be avoided for security reasons. Fatal. |
| insufficient_security | 71 | Failed negotiation specifically because the server requires ciphers more secure than those supported by the client. Returned instead of handshake_failure. Fatal. |
| internal_error | 80 | An internal error unrelated to the peer or the correctness of the protocol makes it impossible to continue, such as a memory allocation failure. Fatal. |
| user_canceled | 90 | Cancelled handshake for a reason that is unrelated to a protocol failure. If the user cancels an operation after the handshake is complete, just closing the connection by sending a close_notify is more appropriate. This alert should be followed by a close_notify. Generally a warning. |
| no_renegotiation | 100 | Sent by the client in response to a hello request or sent by the server in response to a client hello after initial handshaking. Either of these would normally lead to renegotiation; when that is not appropriate, the recipient should respond with this alert; at that point, the original requester can decide whether to proceed with the connection. One case where this would be appropriate would be where a server has spawned a process to satisfy a request; the process might receive security parameters (key length, authentication, and so on) at start-up and it might be difficult to communicate changes to these parameters after that point. Always a warning. |
| unsupported_extension | 110 | Sent by the client if the ServerHello contains an extension that the client did not request in its ClientHello. Fatal. |
| certificate_unobtainable | 111 | Sent by the server to indicate that the server cannot obtain a certificate from the URL the client has sent within a ClientCertificateURL extension. Possibly fatal. |
| unrecognized_name | 112 | Sent by the server if the server does not recognize a server name included in the ServerNameList extension received from the client. Possibly fatal. |
| bad_certificate_status_response | 113 | Sent by the client if the client gets an invalid certificate status response after having sent a CertificateStatusRequest extension. Fatal. |
| bad_certificate_hash_value | 114 | Sent by the server if a certificate hash value does not match the corresponding value received within a ClientCertificateURL extension message. Fatal. |
| unknown_PSK_identity | 115 | Indicates that the server does not recognize the PSK identity sent by the client. Fatal. |