IBM Support

QRadar: TLS Syslog log sources fail with the following error: “SSLHandshakeException: no cipher suites in common”

Troubleshooting


Problem

Administrators who experience “SSLHandshakeException: no cipher suites in common” with TLS Syslog log sources can use this article to diagnose cipher issues and confirm handshakes are attempted to establish connections.

Symptom

TLS Syslog log sources display an error when the SSL handshake fails with the exception “no cipher suites in common”.

Cause

During a TLS handshake, the client and server together determine which cipher suites to use. The client initiates the handshake by sending a 'clienthello' message that includes the TLS version the client supports and the cipher suites supported by QRadar. The server replies with a 'serverhello' message that includes, among other items, the server's cipher suites that are in common. If there are “no cipher suites in common”, the handshake fails with an exception because a connection cannot be established.

Diagnosing The Problem

To investigate this issue, the cipher suites on the client and server side need to be investigated and confirmed. This technical note includes steps administrators can take to confirm the cipher suites used by QRadar to establish remote connections over TLS Syslog.

A. QRadar logs
When you enable a log source that is configured to use the TLS Syslog protocol, the TLS Syslog protocol initializes a thread for that log source and writes the list of enabled cipher suites to the qradar.log file. Search /var/log/qradar.log for the phrase “enabled cipher suites” to confirm the error.

Procedure

  1. Disable the TLS Syslog protocol log source in error
  2. Wait for the TLS Syslog protocol to shut down the log source's thread (2 - 5 minutes)
  3. Enable the TLS Syslog protocol log source
  4. Log in to the CLI of the target collector for the log source that uses the TLS Syslog protocol
  5. Run the following command to search the qradar.log for the enabled cipher list:
    grep -i "enabled cipher suites" /var/log/qradar.log
    Example output of the list of cipher suites available:
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-1763] com.q1labs.semsources.sources.tlssyslog.TLSServer:
    [INFO] [NOT:0000006000] TLS Server listening on port [6514] initialized :: TLS protocols: 
    [TLSv1.2] :: Enabled Cipher Suites: [SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 
    SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 
    SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384, 
    SSL_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_DHE_DSS_WITH_AES_256_GCM_SHA384, 
    SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, 
    SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256, SSL_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_DHE_DSS_WITH_AES_128_GCM_SHA256, 
    TLS_EMPTY_RENEGOTIATION_INFO_SCSV]

    Results
    Copy the text or record the values to compare to the Java JDK. For more information, review the procedure in the section Java security file.

B. Java security file

The configuration that determines the enabled cipher suite list for TLS Syslog protocol is contained in the java.security file. The list is configured by disabling specific cipher suites with the jdk.tls.disabledAlgorithms parameter. Issuing the command in the CLI of the target collector of the log source that is configured to use the TLS Syslog protocol returns the list of excluded (disabled) cipher suites.

Procedure

  1. Use SSH to log in to the QRadar Console as the root user.
  2. Optional. Open an SSH session to appliance defined in the Target Event Collector field in the log source configuration.
  3. To confirm disabled algorithms, type the following command:
    grep -i jdk.tls.disabledAlgorithms /opt/ibm/java-x86_64-80/jre/lib/security/java.security|grep -v "#"
    Example output of disabled algorithms in the Java JDK.
    jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, \


C. Packet traffic (PCAP)
Administrators can collect a packet capture (PCAP) of the traffic between QRadar and the event source to investigate handshake issues. This information is useful to confirm that handshakes are attempted between the appliances and to see the ciphers listed in the exchange.

Procedure

  1. Use SSH to log in to the QRadar Console as the root user.
  2. Optional. Open an SSH session to appliance defined in the Target Event Collector field in the log source configuration.
  3. To create a packet capture file, type the following command:
    tcpdump -nnAs0 -w traffic.pcap -i any host <device_ip> and port <TLS_Port#>

    Results
    Review the PCAP output to verify the 'clienthello' message and 'serverhello' messages are being exchanged between QRadar and the event source appliance.
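The following script is an added example and is not part of this technical note or of QRadar: it shows what an analyst is looking for in the PCAP by building a TLS 1.2 ClientHello, a ServerHello and a handshake_failure alert as constructed byte strings and parsing them back into the offered cipher suites, the selected suite, and the alert. The small cipher-suite code table and the sample suite lists are assumptions chosen for the example. In the TLS Syslog exchange, the sending device is the client and QRadar is the server, so the ClientHello comes from the device; when no suite is in common, the server does not send a ServerHello but answers with a fatal handshake_failure (40) alert, which is what to look for in the capture.

```python
import struct

# IANA cipher-suite codes -> names. Assumption: only the suites needed for this example.
SUITE_NAMES = {
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 70: "protocol_version"}
HANDSHAKE, ALERT = 0x16, 0x15          # TLS record content types


def _record(content_type, body):
    # Record layer: type (1), version (2), length (2), then the payload.
    return struct.pack("!BHH", content_type, 0x0303, len(body)) + body


def _handshake(msg_type, body):
    # Handshake layer: type (1), 24-bit length, then the message body.
    return struct.pack("!B", msg_type) + len(body).to_bytes(3, "big") + body


def build_client_hello(suites, random=b"\x11" * 32):
    """Constructed TLS 1.2 ClientHello: empty session id, null compression, no extensions."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x03" + random + b"\x00"           # client_version, random, session_id len
            + struct.pack("!H", len(cs)) + cs        # cipher_suites vector (2-byte length)
            + b"\x01\x00")                           # compression_methods: null only
    return _record(HANDSHAKE, _handshake(0x01, body))


def build_server_hello(suite, random=b"\x22" * 32):
    """Constructed TLS 1.2 ServerHello carrying the single selected suite."""
    body = b"\x03\x03" + random + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return _record(HANDSHAKE, _handshake(0x02, body))


def build_alert(level, description):
    """Constructed Alert record: level (1 warning, 2 fatal) and description."""
    return _record(ALERT, bytes([level, description]))


def parse_record(data):
    ctype, version, length = struct.unpack("!BHH", data[:5])
    if len(data) < 5 + length:
        raise ValueError("truncated TLS record")
    return ctype, version, data[5:5 + length]


def parse_handshake(payload):
    msg_type = payload[0]
    length = int.from_bytes(payload[1:4], "big")
    body = payload[4:4 + length]
    version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                     # skip the 32-byte random
    sid_len = body[pos]
    pos += 1 + sid_len                               # skip session_id
    if msg_type == 0x01:                             # ClientHello: list of offered suites
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        codes = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
        return {"type": "ClientHello", "version": version, "cipher_suites": codes}
    if msg_type == 0x02:                             # ServerHello: the one selected suite
        code = struct.unpack("!H", body[pos:pos + 2])[0]
        return {"type": "ServerHello", "version": version, "cipher_suite": code}
    return {"type": "handshake(%d)" % msg_type}


def describe(record_bytes):
    """Summarise one TLS record the way an analyst reading the capture would."""
    ctype, _, payload = parse_record(record_bytes)
    if ctype == HANDSHAKE:
        msg = parse_handshake(payload)
        if msg["type"] == "ClientHello":
            return {"message": "ClientHello",
                    "offered": [SUITE_NAMES.get(c, "0x%04X" % c) for c in msg["cipher_suites"]]}
        if msg["type"] == "ServerHello":
            return {"message": "ServerHello",
                    "selected": SUITE_NAMES.get(msg["cipher_suite"], "0x%04X" % msg["cipher_suite"])}
        return {"message": msg["type"]}
    if ctype == ALERT:
        level, desc = payload[0], payload[1]
        return {"message": "Alert", "fatal": level == 2,
                "description": ALERT_DESCRIPTIONS.get(desc, str(desc))}
    return {"message": "record type 0x%02X" % ctype}


if __name__ == "__main__":
    # A legacy device offering only RC4/CBC suites, answered by a fatal handshake_failure.
    print(describe(build_client_hello([0x0005, 0x002F, 0x00FF])))
    print(describe(build_alert(2, 40)))
    # A modern device offering an ECDHE GCM suite, answered by a ServerHello selecting it.
    print(describe(build_client_hello([0xC030, 0x002F, 0x00FF])))
    print(describe(build_server_hello(0xC030)))
```

When you read the real capture, compare the suites listed under "offered" with the enabled list from section A; a ClientHello followed by a fatal handshake_failure alert instead of a ServerHello is the on-the-wire form of the "no cipher suites in common" exception.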

Resolving The Problem

After the "enabled" cipher suites are identified, there are three possible options to resolve the error:
  1. Adjust the TLS syslog configuration on the sending device to include a cipher that is included in the QRadar "enabled" cipher suites list.
  2. If the sending device requires a cipher from the "Unrestricted Java Ciphers", ensure the files are installed on your QRadar appliance. For more information, see Installing unrestricted SDK JCE policy files
  3. Contact the QRadar Support team for assistance with the error message.
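The script below is an added example, not part of this technical note or of QRadar, that automates the comparison described in sections A and B and in option 1 above: it parses the "Enabled Cipher Suites" line from qradar.log, parses the jdk.tls.disabledAlgorithms entry from java.security, and intersects the enabled list with the suites a sending device offers, reporting which offered suites are excluded by a disabled algorithm. The log line, the java.security line and the two device suite lists are constructed samples; the SSL_ to TLS_ renaming reflects the SSL_ prefix the page's own output uses where the IANA names use TLS_; and the disabled-algorithm matching is a simplified keyword approximation of Java's rules, not the JDK's actual logic.

```python
import re

# Constructed sample in the style of the "Enabled Cipher Suites" entry the TLS Syslog
# protocol writes to /var/log/qradar.log (section A), trimmed to a few suites.
QRADAR_LOG_LINE = (
    "[ecs-ec-ingress.ecs-ec-ingress] [Thread-1763] "
    "com.q1labs.semsources.sources.tlssyslog.TLSServer: [INFO] [NOT:0000006000] "
    "TLS Server listening on port [6514] initialized :: TLS protocols: [TLSv1.2] :: "
    "Enabled Cipher Suites: [SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, "
    "SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256, "
    "SSL_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]"
)

# Constructed sample of the java.security setting inspected in section B.
JAVA_SECURITY_LINE = ("jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, "
                      "DH keySize < 1024, DESede")

# Constructed suite lists for two hypothetical sending devices (what their ClientHello offers).
LEGACY_DEVICE = ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                 "TLS_RSA_WITH_AES_128_CBC_SHA"]
MODERN_DEVICE = ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_CBC_SHA"]


def parse_enabled_suites(log_line):
    """Pull the bracketed, comma-separated suite list out of a qradar.log line."""
    m = re.search(r"Enabled Cipher Suites: \[([^\]]*)\]", log_line)
    return [s.strip() for s in m.group(1).split(",") if s.strip()] if m else []


def canonical(suite):
    """IBM Java logs suites with an SSL_ prefix where the IANA name uses TLS_;
    most devices report the TLS_ form, so compare on the TLS_ spelling."""
    return "TLS_" + suite[4:] if suite.startswith("SSL_") else suite


def parse_disabled_algorithms(line):
    _, _, value = line.partition("=")
    return [tok.strip() for tok in value.split(",") if tok.strip()]


def disabled_by(suite, disabled):
    """Return the disabledAlgorithms entry whose keyword appears in the suite name, or None.
    Assumption: simplified keyword matching; size constraints such as
    'DH keySize < 1024' cannot be judged from the name and are skipped."""
    parts = canonical(suite).upper().split("_")
    aliases = {"DESEDE": "3DES"}            # java.security spells triple DES as DESede
    for entry in disabled:
        if " " in entry:                    # keySize constraint, not a plain algorithm name
            continue
        keyword = entry.upper()
        keyword = aliases.get(keyword, keyword)
        if keyword in parts:
            return entry
    return None


def diagnose(log_line, device_suites, java_security_line):
    """Intersect what QRadar enables with what the device offers and explain the misses."""
    enabled = {canonical(s) for s in parse_enabled_suites(log_line)
               if not s.endswith("_SCSV")}  # the SCSV is a signalling value, not a cipher
    disabled = parse_disabled_algorithms(java_security_line)
    common = sorted(enabled & {canonical(s) for s in device_suites})
    blocked = {}
    for s in device_suites:
        entry = disabled_by(s, disabled)
        if entry:
            blocked[s] = entry
    return {"common": common, "handshake_possible": bool(common), "blocked_by_java": blocked}


if __name__ == "__main__":
    for name, offered in (("legacy device", LEGACY_DEVICE), ("modern device", MODERN_DEVICE)):
        print(name, diagnose(QRADAR_LOG_LINE, offered, JAVA_SECURITY_LINE))
```

Replace the constructed constants with the grep output from sections A and B and the device's configured suite list; an empty "common" list is the condition behind the exception, and the "blocked_by_java" entries tell you which of the device's suites no change on the QRadar side short of editing java.security would enable, which is why option 1 (adjusting the sending device) is usually the right fix.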


Document Information

Modified date:
31 October 2022

UID

ibm16589845