This article describes how to capture SSL master keys when running an nstrace on NetScaler
From NetScaler 11.0 build 66 and later, and all builds of 11.1 and 12.0, the "start nstrace" command has a new parameter, -capsslkeys, with which you can capture the SSL master keys for all SSL sessions. If the capsslkeys option is enabled, a file named nstrace.sslkeys is generated along with the packet trace; this file can be imported into Wireshark to decrypt the SSL traffic in the trace file.
Complete the following steps to capture SSL master keys when running an nstrace on NetScaler:
Disable session reuse before starting the nstrace capture. A resumed session does not repeat the full SSL handshake, and the handshake must be captured for the SSL session keys (or private key) to decrypt the data.
Run the following command from NetScaler CLI:
set ssl vserver <vserverName> -sessReuse DISABLED
Disable ECC curves (if possible) before starting the nstrace capture. With ECDHE (and likewise DHE) enabled, the SSL session key file grows much larger, depending on how often the key is updated. This can be worked around afterwards by splitting the key file and/or the trace, but that slows down processing and analysis later on.
Note: Remember to re-enable these features after the trace is completed. Disabling them can also have an impact, depending on the cipher suites in use.
Run the following command from NetScaler CLI:
unbind ssl vserver <vserverName> -eccCurveName <curve>
Possible curve values: P_256, P_384, P_224, P_521.
Run the following command to start the nstrace capture:
start nstrace -size 0 -capsslkeys ENABLE
After the data is captured, stop the trace using the following command:
stop nstrace
After the trace and key files are downloaded, you can open them with Wireshark.
From the NetScaler GUI, disable session reuse before starting the nstrace capture. A resumed session does not repeat the full SSL handshake, and the handshake must be captured for the SSL session keys (or private key) to decrypt the data.
From the vserver configuration window edit the SSL parameters:
Uncheck Enable Session Reuse.
Disable ECC curves (if possible) before starting the nstrace capture. With ECDHE (and likewise DHE) enabled, the SSL session key file grows much larger, depending on how often the key is updated. This can be worked around afterwards by splitting the key file and/or the trace, but that slows down processing and analysis later on.
Note: Remember to re-enable these features after the trace is completed. Disabling them can also have an impact, depending on the cipher suites in use.
From the vserver configuration window select ECC Curves:
Unbind the ECC Curves.
To start the nstrace, navigate to System > Diagnostics. From the Diagnostics menu select Start new trace.
From the Start Trace window, change the Packet Size to 0. Then check Capture SSL Master Keys.
Acknowledge the warning message.
After the data is captured, stop the trace using the Stop button.
Download the trace file and the SSL key file from the /var/nstrace directory on NetScaler for analysis.
After the files are downloaded, you can open them with Wireshark.
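The procedures above end with loading the trace and nstrace.sslkeys into Wireshark, and mention splitting a large key file as a workaround when ECDHE/DHE could not be disabled. The following is an added helper, not part of the Citrix article, that validates a key file, splits it into smaller files, and builds the tshark command to decrypt the trace; it assumes nstrace.sslkeys uses the key-log format Wireshark reads, and the file names nstrace.cap and nstrace.sslkeys are placeholders.

```python
import re
from pathlib import Path
from typing import List

# Entry shapes Wireshark accepts in a (Pre)-Master-Secret log file.
# Assumption: nstrace.sslkeys uses this format (the article only says Wireshark imports it).
_KEYLOG_ENTRY = re.compile(
    r"^(?:RSA Session-ID:[0-9a-fA-F]{2,64} Master-Key:[0-9a-fA-F]{96}"
    r"|RSA [0-9a-fA-F]{16} [0-9a-fA-F]{96}"
    r"|CLIENT_RANDOM [0-9a-fA-F]{64} [0-9a-fA-F]{96})$"
)


def keylog_entries(text: str) -> List[str]:
    """Return the usable entries in a key file; skip blanks and comments, reject anything else."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not _KEYLOG_ENTRY.match(line):
            raise ValueError(f"line {lineno}: not a Wireshark key-log entry")
        entries.append(line)
    return entries


def split_keylog(entries: List[str], per_file: int) -> List[List[str]]:
    """Split a large key file (one entry per ECDHE/DHE session) into chunks Wireshark loads one at a time."""
    if per_file < 1:
        raise ValueError("per_file must be >= 1")
    return [entries[i:i + per_file] for i in range(0, len(entries), per_file)]


def write_keylog_chunks(text: str, out_dir: Path, per_file: int) -> List[Path]:
    """Write the chunks as nstrace.sslkeys.0, nstrace.sslkeys.1, ... and return their paths."""
    out_dir.mkdir(parents=True, exist_ok=True)
    paths = []
    for idx, chunk in enumerate(split_keylog(keylog_entries(text), per_file)):
        path = out_dir / f"nstrace.sslkeys.{idx}"
        path.write_text("\n".join(chunk) + "\n")
        paths.append(path)
    return paths


def tshark_decrypt_cmd(trace: str, keyfile: str) -> List[str]:
    """tshark invocation that decrypts `trace` with `keyfile` and shows the HTTP inside.
    Wireshark 3.x names the preference tls.keylog_file; 2.x used ssl.keylog_file."""
    return ["tshark", "-r", trace, "-o", f"tls.keylog_file:{keyfile}", "-Y", "http"]


# Constructed sample key file (not from a real capture): two RSA entries, one CLIENT_RANDOM entry.
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample",
    "RSA Session-ID:" + "11" * 32 + " Master-Key:" + "22" * 48,
    "CLIENT_RANDOM " + "33" * 32 + " " + "44" * 48,
    "",
    "RSA Session-ID:" + "55" * 32 + " Master-Key:" + "66" * 48,
])
```

Run each chunk through tshark_decrypt_cmd("nstrace.cap", str(chunk_path)) in turn; a session whose handshake was not captured stays encrypted whichever chunk is loaded.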
CTX128655 - How to Record Network Packet Trace on NetScaler Appliance
Citrix Documentation - nstrace Command Reference
CTX205282 - How Do I Configure Perfect Forward Secrecy (PFS) on NetScaler?