SSL-related rcon commands

You can use the NAM Probe console rcon to check on the operation of the decryption mechanism.

The following SSL-related rcon commands are available:

SSLDECR CIPHERS

Command SSLDECR CIPHERS shows cipher suites detected during the decryption.

SSLDECR CIPHERS

Where the command option can be the following:

ssldecr ciphers all - option to list all available ciphers.

Output

The command outputs the cipher suites detected during decryption; with the all option it lists all available ciphers instead.

SSLDECR KEYS

Command SSLDECR KEYS shows the SSL keys read by the decryptor.

SSLDECR KEYS

Where the command option can be the following:

ssldecr keys reload - option to reload all private keys.

Output

The command outputs the keys read by the decryptor; with the reload option it forces a reload of all private keys.

SSLDECR STATUS

Command SSLDECR STATUS gives status information for the decryption engine and lists statistics for the observed sessions. Internal decryptor diagnostics are also provided. You can use the command with the following options:

ssldecr status - Shows a status summary for all servers.

ssldecr status all - Shows the status details for each server.

ssldecr status [IP address:port number] - Shows the detailed status for the specified server.

Output

All of the information and statistics given by the command relate to the period of time since the last restart of the device.

The first section of the output gives status information for the decryption engine.

  • Note the SSL engine mode (native, auto, or thread) included in parentheses and statistics of how many private keys have been matched or failed to match.

The second section gives session statistics.

  • Note that there are no statistics for “partially decrypted session in progress” (sessions with some errors but for which decryption is still continuing). This is because as soon as there is an error, the decryption process is terminated and the session is counted as “finished”, even though the actual transfer of data may still continue and byte and packet statistics are still counted.
  • Note also the term “reused sessions”. This applies to sessions for which the server agrees to continue using an already established session key from earlier. This is referred to as a short handshake, as compared to a long handshake in which the entire process of establishing an SSL connection is started again.

SSLDECR LOGLEVEL

Command SSLDECR LOGLEVEL sets the diagnostic tracing level used to log SSL session history in /var/log/adlex/rtm.log.

SSLDECR LOGLEVEL level

Where level can be one of the following:

  • DISABLE - Turn off logging of SSL diagnostic information. No SSL diagnostic information is written to the log file.
  • ERROR - Log SSL diagnostic information only for sessions with errors.
  • ALL - Log SSL diagnostic information for all sessions.
  • EVENTS - Display detailed information about every event that will be logged.
    We do not recommend using the EVENTS option in a production environment. It generates large log files.

Output

The command outputs the new level of diagnostic logging of SSL information.
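As an added example (not part of the product documentation), the helper below builds the SSLDECR command strings documented above for use in scripted checks, rejecting options this page does not list, validating the IP address:port number form accepted by SSLDECR STATUS, and refusing LOGLEVEL EVENTS unless explicitly allowed, since the page advises against it in production. It only constructs the command text; how the text is sent to the NAM Probe console is assumed to be handled elsewhere.

```python
import ipaddress
from typing import Optional

# Log levels documented for SSLDECR LOGLEVEL.
_LEVELS = {"DISABLE", "ERROR", "ALL", "EVENTS"}


def _server(arg: str) -> str:
    """Validate the 'IP address:port number' argument of SSLDECR STATUS."""
    host, sep, port = arg.rpartition(":")
    if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"expected IP:port, got {arg!r}")
    ipaddress.ip_address(host.strip("[]"))  # raises ValueError on a bad address
    return f"{host}:{port}"


def build_ssldecr_command(subcommand: str, option: Optional[str] = None,
                          allow_events: bool = False) -> str:
    """Return the rcon command line for a documented SSLDECR subcommand.

    Raises ValueError for undocumented subcommands or options. LOGLEVEL EVENTS
    is refused unless allow_events is set, because it generates large log files
    and is not recommended in production.
    """
    sub = subcommand.lower()
    opt = None if option is None else option.strip()
    if sub == "ciphers":
        if opt not in (None, "all"):
            raise ValueError("ciphers accepts only the option 'all'")
    elif sub == "keys":
        if opt not in (None, "reload"):
            raise ValueError("keys accepts only the option 'reload'")
    elif sub == "status":
        if opt is not None and opt != "all":
            opt = _server(opt)  # detailed status for one server
    elif sub == "loglevel":
        if opt is None or opt.upper() not in _LEVELS:
            raise ValueError("loglevel requires DISABLE, ERROR, ALL or EVENTS")
        opt = opt.upper()
        if opt == "EVENTS" and not allow_events:
            raise ValueError("EVENTS is not recommended in production; "
                             "pass allow_events=True to override")
    else:
        raise ValueError(f"unknown SSLDECR subcommand {subcommand!r}")
    return f"ssldecr {sub}" + (f" {opt}" if opt else "")
```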