SSL Decryption
Decryption keys allow AppResponse 11 to develop and display performance metrics for SSL-encrypted data streams. An administrator at an endpoint of the encrypted data connection gives an AppResponse 11 administrator a PEM-formatted private key and, if necessary, a password or passphrase. The AppResponse 11 administrator places the private key into the Administration > General Traffic Settings: SSL Decryption Keys page and, if necessary, enters the password or passphrase. AppResponse 11 uses this to monitor the encrypted data for measuring packet statistics and obtaining information from packet headers.
Packets are decrypted “on the fly” as needed for Insights. You cannot store, dump or export decrypted packets. Decrypted packets or data cannot be exported to Wireshark, NetProfiler or other devices or applications outside the appliance.
AppResponse 11 decrypts RSA key exchange based ciphers only. It does not decrypt Diffie-Hellman key exchange based ciphers.
Installed Keys Tab
To add a private key for SSL decryption
1. Go to Administration > General Traffic Settings: SSL Decryption Keys to open the SSL Decryption Keys page.
2. Choose Add to open the Add New SSL Decryption Key dialog.
3. Enter the name and description as you want it to appear on the SSL Decryption Keys page.
4. Copy the private key, including the BEGIN and END statements. The private key must be in PEM format, which appears similar to this:
-----BEGIN RSA PRIVATE KEY-----
MIIAsTCCARqgAwIBAgIJAOqvgxZRcO+ZMA0GCSqGSIb3DQEBBAUAMA8xDTALBgNVBAMTBE1henUwHhcNMDYxMDAyMTY0MzQxWhcNMTY
...
ehyejGdw6VhXpf4lP9Q8JfVERjCoroVkiXenVQe/zer7Qf2hiDB/5s02/+8uiEeqMJpzsSdEYZUSgpyAcws5PDyr2GVFMI3dfPnl28hVavIkR8r05BP
-----END RSA PRIVATE KEY-----
DER format is not supported.
5. If required, enter the password or passphrase.
6. Choose Save to exit from this page and view the entry for the key on the SSL Decryption Keys page.
For AppResponse 11 to use the private key to decrypt data, SSL Decoding must be enabled on the Administration > Web Page Analysis page, in the Data Collection Options tab.
To delete a private key, either hover over the entry in the table and choose the delete (x) icon, or else select the check box at the beginning of the row and choose Delete near the top of the page.
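Step 4 and step 5 above depend on three properties of the pasted key that are easy to get wrong: it must be PEM rather than DER, it should be an RSA key (the page states that only RSA key exchange is decrypted), and an encrypted key needs its passphrase entered. The following script is an added example, not part of this documentation or of the AppResponse product. It uses only the Python standard library, walks the DER structure of an unencrypted PKCS#1 key to report the modulus size, and builds its own sample key from placeholder numbers (labelled as constructed in the code; it is not a usable key). The `openssl rsa -inform DER -outform PEM` conversion it mentions is the standard OpenSSL command.

```python
"""Pre-flight checks for a private key before it is pasted into the SSL
Decryption Keys page (added example, not AppResponse code).

Answers what the procedure above asks of the administrator: is the blob PEM
rather than DER, is it an RSA key, and is a passphrase needed?  For an
unencrypted PKCS#1 key the DER structure is walked to report the modulus size.
"""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----", re.S)
# DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption), present in PKCS#8 RSA keys
RSA_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"

def _der_tlv(buf, pos):
    """Read one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(der):
    """Bit length of n in a PKCS#1 RSAPrivateKey, i.e.
    SEQUENCE { INTEGER version(0), INTEGER n, INTEGER e, ... }; None if the shape differs."""
    tag, seq, _ = _der_tlv(der, 0)
    if tag != 0x30:
        return None
    t, version, pos = _der_tlv(seq, 0)
    if t != 0x02 or version != b"\x00":
        return None
    t, n, _ = _der_tlv(seq, pos)
    return int.from_bytes(n, "big").bit_length() if t == 0x02 else None

def _pem_payload(body):
    """Split a PEM body into 'Name: value' header lines and the decoded base64 payload."""
    headers, b64 = [], []
    for line in (ln.strip() for ln in body.splitlines()):
        if line:
            (headers if ":" in line else b64).append(line)
    return headers, base64.b64decode("".join(b64))

def inspect_private_key(data):
    """Classify a key blob; 'notes' lists what the administrator must still do."""
    result = {"format": "unknown", "kind": None, "encrypted": False, "modulus_bits": None, "notes": []}
    m = PEM_RE.search(data.decode("ascii", "replace"))
    if not m:
        if data[:1] == b"\x30":             # raw DER SEQUENCE: the dialog does not accept DER
            result["format"] = "DER"
            result["notes"].append("DER not supported; convert with 'openssl rsa -inform DER -outform PEM'")
        else:
            result["notes"].append("no PEM BEGIN/END block found")
        return result
    result["format"], label = "PEM", m.group("label")
    headers, der = _pem_payload(m.group("body"))
    if label == "RSA PRIVATE KEY":          # PKCS#1, optionally with legacy encryption headers
        result["kind"] = "RSA"
        result["encrypted"] = any(h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers)
        if not result["encrypted"]:
            result["modulus_bits"] = rsa_modulus_bits(der)
    elif label == "ENCRYPTED PRIVATE KEY":  # PKCS#8 encrypted: algorithm only known after decryption
        result["kind"], result["encrypted"] = "PKCS#8 (encrypted)", True
    elif label == "PRIVATE KEY":            # PKCS#8 unencrypted: the AlgorithmIdentifier OID gives the type
        result["kind"] = "RSA" if RSA_OID in der else "non-RSA"
    else:                                   # EC PRIVATE KEY, CERTIFICATE, ...
        result["kind"] = label
    if result["kind"] not in ("RSA", "PKCS#8 (encrypted)"):
        result["notes"].append("not an RSA private key; only RSA key exchange is decrypted")
    if result["encrypted"]:
        result["notes"].append("passphrase required; enter it in the Add New SSL Decryption Key dialog")
    return result

# Constructed sample key: tiny, non-functional numbers; only the DER shape is realistic.
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    b = b"\x00" + b if b[0] & 0x80 else b   # keep the INTEGER positive
    return b"\x02" + _der_len(len(b)) + b

_BODY = b"".join([_der_int(0), _der_int((1 << 2047) | 1), _der_int(65537)] + [_der_int(1)] * 6)
SAMPLE_DER = b"\x30" + _der_len(len(_BODY)) + _BODY     # version, n (2048-bit), e, d, p, q, dp, dq, qInv

def make_sample_pem(encrypted=False):
    """Wrap SAMPLE_DER as PEM; 'encrypted' only adds the legacy headers, the body stays plaintext."""
    b64 = base64.b64encode(SAMPLE_DER).decode()
    hdr = "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n" if encrypted else ""
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN RSA PRIVATE KEY-----\n{hdr}{lines}\n-----END RSA PRIVATE KEY-----\n".encode()
```

Run `inspect_private_key(open("server.key", "rb").read())` on the file the endpoint administrator supplied: a `DER` result means the file must be converted first, `encrypted` means step 5 applies, and a `kind` other than RSA means the key will not decrypt anything under the RSA-only rule stated at the top of this page. The function never needs the passphrase itself, so it can be run by whoever receives the key without the passphrase being shared.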
Certificates With Installed Keys Tab
This tab shows the details for each certificate that matches an installed private key. The details are the same as those shown in the Certificates With Missing Keys tab.
Certificates With Missing Keys Tab
This tab lists streams for which encryption keys are not currently installed. Click Ignore to add a stream to the Ignored Keys list. Click Delete to remove a certificate from the database explicitly.
Ignored Keys Tab
This tab lists streams for which encryption keys are not currently installed and that have been marked as ignored. Click Unignore to move a stream back to the Certificates With Missing Keys tab. Click Delete to remove a certificate from the database explicitly.
PFS Tab
When communicating with systems using Perfect Forward Secrecy (PFS) for encryption, the AppResponse 11 system will need to buffer packets until it has received and accepted the unique Diffie-Hellman master secret to be used for the session. Select the Enable buffering for PFS decryption option in the PFS tab to activate this buffering.
SSL Ciphers Supported For Decryption
The following SSL ciphers are supported for decoding:
| Cipher Suite | OpenSSL Name |
|---|---|
| SSL_RSA_WITH_NULL_MD5 | NULL-MD5 |
| SSL_RSA_WITH_NULL_SHA | NULL-SHA |
| SSL_RSA_WITH_RC4_128_MD5 | RC4-MD5 |
| SSL_RSA_WITH_RC4_128_SHA | RC4-SHA |
| SSL_RSA_WITH_IDEA_CBC_SHA | IDEA-CBC-SHA |
| SSL_RSA_WITH_DES_CBC_SHA | DES-CBC-SHA |
| SSL_RSA_WITH_3DES_EDE_CBC_SHA | DES-CBC3-SHA |
| TLS_RSA_WITH_NULL_MD5 | NULL-MD5 |
| TLS_RSA_WITH_NULL_SHA | NULL-SHA |
| TLS_RSA_WITH_RC4_128_MD5 | RC4-MD5 |
| TLS_RSA_WITH_RC4_128_SHA | RC4-SHA |
| TLS_RSA_WITH_IDEA_CBC_SHA | IDEA-CBC-SHA |
| TLS_RSA_WITH_DES_CBC_SHA | DES-CBC-SHA |
| TLS_RSA_WITH_3DES_EDE_CBC_SHA | DES-CBC3-SHA |
| TLS_RSA_WITH_AES_128_CBC_SHA | AES128-SHA |
| TLS_RSA_WITH_AES_256_CBC_SHA | AES256-SHA |
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA | CAMELLIA128-SHA |
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA | CAMELLIA256-SHA |
| TLS_RSA_WITH_SEED_CBC_SHA | SEED-SHA |
| TLS_RSA_WITH_NULL_SHA256 | NULL-SHA256 |
| TLS_RSA_WITH_AES_128_CBC_SHA256 | AES128-SHA256 |
| TLS_RSA_WITH_AES_256_CBC_SHA256 | AES256-SHA256 |
| TLS_RSA_WITH_AES_128_GCM_SHA256 | AES128-GCM-SHA256 |
| TLS_RSA_WITH_AES_256_GCM_SHA384 | AES256-GCM-SHA384 |
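Whether a given server's traffic will actually be visible depends on which suites it negotiates, not on the key alone. The script below is an added example, not part of this documentation or the AppResponse product: it takes IANA cipher suite names (as found in server configuration, in `openssl ciphers -stdname` output, or in a negotiated ServerHello), splits each into key exchange, bulk cipher and MAC, and checks it against the table above. The status names, the `weak` flag for NULL, RC4, DES and 3DES, and the sample server list are my own; the classifier follows the RSA-key-exchange-only rule stated at the top of this page and does not model the PFS buffering option.

```python
"""Classify cipher suites by whether AppResponse 11 can decrypt them
(added example; the supported list is the table above, the parsing is mine).

Input is IANA suite names as they appear in server configuration, in
`openssl ciphers -stdname` output, or in a negotiated ServerHello.
"""

# Supported table keyed by the TLS_ name; the SSL_ rows carry the same OpenSSL names.
SUPPORTED = {
    "TLS_RSA_WITH_NULL_MD5": "NULL-MD5",
    "TLS_RSA_WITH_NULL_SHA": "NULL-SHA",
    "TLS_RSA_WITH_RC4_128_MD5": "RC4-MD5",
    "TLS_RSA_WITH_RC4_128_SHA": "RC4-SHA",
    "TLS_RSA_WITH_IDEA_CBC_SHA": "IDEA-CBC-SHA",
    "TLS_RSA_WITH_DES_CBC_SHA": "DES-CBC-SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": "DES-CBC3-SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "AES256-SHA",
    "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA": "CAMELLIA128-SHA",
    "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA": "CAMELLIA256-SHA",
    "TLS_RSA_WITH_SEED_CBC_SHA": "SEED-SHA",
    "TLS_RSA_WITH_NULL_SHA256": "NULL-SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256": "AES128-SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256": "AES256-SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256": "AES128-GCM-SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384": "AES256-GCM-SHA384",
}
MAC_TOKENS = {"MD5", "SHA", "SHA256", "SHA384"}
# Bulk ciphers that are decryptable per the table but offer no or weak confidentiality on the wire
WEAK_CIPHERS = ("NULL", "RC4", "DES_CBC", "3DES", "EXPORT")

def classify(name):
    """Split an IANA suite name into key exchange / cipher / MAC and decide decryptability."""
    canonical = "TLS_" + name[4:] if name.startswith("SSL_") else name   # SSL_ rows alias TLS_ rows
    info = {"name": name, "kx": None, "cipher": None, "mac": None,
            "openssl_name": SUPPORTED.get(canonical), "weak": False, "status": "other", "reason": ""}
    if not canonical.startswith("TLS_") or "_WITH_" not in canonical:
        info["reason"] = "no key-exchange component in the name (TLS 1.3 style or not an IANA name)"
        return info
    kx, rest = canonical[4:].split("_WITH_", 1)
    parts = rest.split("_")
    if parts[-1] in MAC_TOKENS:                    # AEAD suites such as *_CCM carry no MAC token
        info["mac"], parts = parts[-1], parts[:-1]
    info["kx"], info["cipher"] = kx, "_".join(parts)
    info["weak"] = any(w in info["cipher"] for w in WEAK_CIPHERS)
    if kx == "RSA":
        if info["openssl_name"]:
            info["status"], info["reason"] = "decryptable", "RSA key exchange, listed as supported"
        else:
            info["status"], info["reason"] = "rsa_unsupported", "RSA key exchange, but not in the supported table"
    elif "DH" in kx:                               # DHE, ECDHE, static DH/ECDH, anonymous DH
        ephemeral = kx.startswith(("DHE", "ECDHE"))
        info["status"] = "dh"
        info["reason"] = ("ephemeral " if ephemeral else "") + "Diffie-Hellman key exchange; not decrypted"
    else:
        info["reason"] = f"key exchange {kx} is neither RSA nor Diffie-Hellman"
    return info

def coverage(names):
    """Group a server's suite list by status so gaps in visibility are obvious."""
    groups = {}
    for n in names:
        c = classify(n)
        groups.setdefault(c["status"], []).append(c["name"])
    return groups

# Constructed sample: a server list mixing RSA, ECDHE and TLS 1.3 suites
SAMPLE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CCM",
    "SSL_RSA_WITH_RC4_128_MD5",
    "TLS_AES_128_GCM_SHA256",
]

if __name__ == "__main__":
    for n in SAMPLE_SUITES:
        c = classify(n)
        print(f"{n:40} {c['status']:16} {c['reason']}" + ("  [weak cipher]" if c["weak"] else ""))
```

A server whose list comes back with nothing under `decryptable` will show up in the Certificates With Missing Keys tab no matter which key is installed; the fix is on the server side (offering an RSA-key-exchange suite from the table), not in the key dialog. The `weak` flag is a reminder that the oldest entries in the table give visibility at the cost of confidentiality for everyone else on the path.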