How to Export and Use SSL Session Keys to Decrypt SSL Traces Without Sharing the SSL Private Key

Article ID: CTX135889

Description

This article describes how to export and use SSL session keys to decrypt SSL traces without sharing the SSL private key.


Instructions

Points to Note:

  • To decrypt the trace properly, SSL session reuse must be disabled so that the captured nstrace contains a full SSL handshake. For gateway vserver troubleshooting, disable it at the vserver level; for a load balancing or content switching vserver setup, disable it at the VIP and at the service or service group level as well.

  • In NetScaler software release 10.5 and later, ensure that ECC (Elliptic Curve Cryptography) curves and the DH Param are disabled or removed from the virtual server before the trace is captured (these negotiate ephemeral keys, so the RSA private key alone cannot decrypt the capture). For detailed steps, refer to the Additional Information section of this article.

  • On earlier builds of NetScaler 11.0 you can decrypt the trace on the fly, without any private key. This feature is called Decrypted SSL packets (SSLPLAIN) and is available as a check box in the NetScaler GUI.
    Note: If your build offers the "Capture SSL Master Keys" option (see below), use that method rather than SSLPLAIN, which is deprecated on newer builds.
    The following command enables decrypted SSL packets during nstrace:
    start nstrace -mode SSLPLAIN
    For more information, refer to the article How to take trace from Command Line Interface for NetScaler 11.0.

  • On later builds of 11.0 and beyond, you can instruct the NetScaler to export the SSL session keys directly by selecting the "Capture SSL Master Keys" check box. If you use this option, the NetScaler exports the keys for you and you can skip the rest of this document. It is HIGHLY RECOMMENDED that you use this method rather than SSLPLAIN if the option is available on your version/build.

To export and use SSL session keys to decrypt SSL traces without sharing the SSL private key, complete the following procedure:

  1. Record the network trace of the traffic that needs to be observed.

  2. Open the trace in Wireshark.

  3. Select Edit > Preferences > Protocols > SSL > RSA Keys list > Edit to decrypt the trace (using the private key) in Wireshark. In Wireshark 3.0 and later the protocol preference is named TLS rather than SSL.

    The SSL traffic is decrypted if the correct private key, server IP and server port are specified.

  4. Export the session keys to let a third party access the data contained in the network trace without sharing the private key.

  5. In Wireshark, select File > Export SSL Session Keys, and save the file.

    Note: You should now have a file containing lines of the form "RSA Session-ID: [string of characters] Master-Key: [string of characters]" (the NSS key log format). This file can be used to decrypt the trace in place of the private key; treat it as sensitive, since it decrypts every session it lists.

  6. Open another Wireshark session, and attempt to use the Session keys to decrypt the same trace. In Wireshark, select Edit > Preferences > Protocols > SSL > (Pre)-Master-Secret log filename, and select the exported Session Keys.

    Note: You now have visibility of the same decrypted traffic without using the private key directly.
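
The exported key file is what you hand over instead of the private key. The following Python is an added example, not part of this article or of any Citrix tooling: it parses such a file, rejects malformed lines, and trims the file to the sessions the third party actually needs. The hex values in the sample are constructed, and support for CLIENT_RANDOM lines (written by newer Wireshark versions) goes beyond the RSA Session-ID form the note above shows.

```python
# Added example (not from the Citrix article): parse a Wireshark "Export SSL
# Session Keys" file and cut it down to the sessions a third party needs.
import re

# Entry shapes Wireshark's export writes: the "RSA Session-ID" form the
# article's note shows, plus CLIENT_RANDOM (assumed here) for newer captures.
# A master secret is 48 bytes (96 hex chars), a session ID at most 32 bytes.
_RSA = re.compile(r"^RSA Session-ID:\s*([0-9a-fA-F]{2,64})\s+Master-Key:\s*([0-9a-fA-F]{96})$")
_CR = re.compile(r"^CLIENT_RANDOM\s+([0-9a-fA-F]{64})\s+([0-9a-fA-F]{96})$")


def parse_keylog(text):
    """Return [(kind, identifier, master_secret)]; reject malformed lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and comments are fine
            continue
        for kind, rx in (("RSA Session-ID", _RSA), ("CLIENT_RANDOM", _CR)):
            m = rx.match(line)
            if m:
                entries.append((kind, m.group(1).lower(), m.group(2).lower()))
                break
        else:  # no pattern matched: refuse rather than hand Wireshark junk
            raise ValueError(f"line {lineno}: not a key log entry: {line!r}")
    return entries


def minimise_keylog(text, wanted_ids):
    """Keep only entries whose session ID / client random is in wanted_ids.
    The recipient gets secrets for the sessions under review and nothing
    else; the server private key never leaves the box."""
    wanted = {w.lower() for w in wanted_ids}
    out = []
    for kind, ident, secret in parse_keylog(text):
        if ident not in wanted:
            continue
        if kind == "RSA Session-ID":
            out.append(f"RSA Session-ID:{ident} Master-Key:{secret}")
        else:
            out.append(f"CLIENT_RANDOM {ident} {secret}")
    return "".join(line + "\n" for line in out)


# Constructed sample export; the hex values are made up, not from a trace.
SAMPLE_KEYLOG = (
    "# SSL/TLS secrets log file, generated by Wireshark\n"
    "RSA Session-ID:" + "11" * 32 + " Master-Key:" + "aa" * 48 + "\n"
    "RSA Session-ID:" + "22" * 32 + " Master-Key:" + "bb" * 48 + "\n"
    "CLIENT_RANDOM " + "33" * 32 + " " + "cc" * 48 + "\n"
)
```

The session IDs to keep can be read off the Server Hello packets of the connections under review in Wireshark.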

Additional Information

Refer to the Wireshark website for more information about the Wireshark utility.

Disable Session Reuse on Virtual Server from NetScaler GUI

  1. Open the virtual server and navigate to SSL Parameters.

  2. Clear the Enable Session Reuse check box if it is selected.

Disable Session Reuse on Virtual Server from NetScaler CLI

  1. SSH to the NetScaler.

  2. Run the following command to disable session reuse on the virtual server:
    set ssl vserver "vServer_Name" -sessReuse DISABLED

Disable DH Param on Virtual Server from NetScaler GUI

  1. Open the virtual server and navigate to SSL Parameters.

  2. Disable DH Param if enabled.

Disable DH Param on Virtual Server from NetScaler CLI

  1. SSH to the NetScaler.

  2. Run the following command to disable DH Param on the virtual server:
    set ssl vserver "vServer_Name" -dh DISABLED

Disable ECC Curve on Virtual Server from NetScaler GUI

  1. Open the virtual server and navigate to ECC Curve.

  2. If no ECC Curve is bound to the virtual server, no further action is required.

  3. If any ECC Curve is bound to the virtual server, click the ECC Curve and unbind it from the virtual server.

Disable ECC Curve on Virtual Server from NetScaler CLI

  1. SSH to the NetScaler.

  2. Run the following command for each ECC Curve bound to the virtual server:
    unbind ssl vserver "vServer_Name" -eccCurveName "ECC_Curve_Name"