You can use the NAM Probe console
rcon to check on the operation of the decryption mechanism.
The following SSL-related
rcon commands are available:
SSLDECR CIPHERS shows cipher suites detected during the decryption.
Where the command option can be the following:
ssldecr ciphers all - option to list all available ciphers.
The command outputs the shows cipher suites detected during the decryption with an option to list all available ciphers.
>$ ssldecr ciphers SSL cipher-suites status: - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 id=0xc02f keyx=ECDHE sign=RSA enc=aes-128-gcm dig=SHA256 lib-supp=Y ref=25176 - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 id=0xc028 keyx=ECDHE sign=RSA enc=AES-256-CBC dig=SHA384 lib-supp=N ref=4 ... - TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA id=0x0088 keyx=DH sign=RSA enc=CAMELLIA-256-CBC dig=SHA lib-supp=Y ref=21 - TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA id=0x0089 keyx=DH sign=anon enc=CAMELLIA-256-CBC dig=SHA lib-supp=Y ref=119 Ignored cipher-suites: c009 ref=4 ebd3 ref=0 ... 1004 ref=0 0804 ref=1
SSLDECR KEYS shows SSL keys read by decryptor.
Where the command option can be the following:
ssldecr keys reload - option to reload all private keys.
The command outputs the shows keys read by decryptor with an option to force a reload of all private keys.
>$ ssldecr keys Configuration of SSL private keys: <key: wily-sms-2015.pem, type: file, size: 2048, status: OK (matched)> <key: server.key, type: file, size: 1024, status: OK (read)> ... <key: exchange_test_export_cert.pem, type: file, size: 2048, status: OK (read)> <key: s01.key, type: file, size: 1024, status: OK (read)> Keys total: 67, ok: 67, failed: 0, matched: 14 >$
SSLDECR STATUS gives the status information for the decryption engine and lists the statistics of the observed sessions. Internal decryptor diagnostics are also provided. You can use the command with the following options:
ssldecr status - Shows a status summary for all servers.
ssldecr status all - Shows the status details for each server.
ssldecr status [IP address:port number] - Shows the detailed status for the specified server.
All of the information and statistics given by the command relate to the period of time since the last restart of the device.
The first section of the output gives status information for the decryption engine.
- Note the SSL engine mode (native, auto, or thread) included in parentheses and statistics of how many private keys have been matched or failed to match.
The second section gives session statistics.
- Note that there are no statistics for “partially decrypted session in progress” (sessions with some errors but for which decryption is still continuing). This is because as soon as there is an error, the decryption process is terminated and the session is counted as “finished”, even though the actual transfer of data may still continue and byte and packet statistics are still counted.
- Note also the term “reused sessions”. This applies to sessions for which the server agrees to continue using an already established session key from earlier. This is referred to as a short handshake, as compared to a long handshake in which the entire process of establishing an SSL connection is started again.
>$ ssldecr status SSL DECRYPTION STATUS: CONFIGURATION: Engine:openssl(native) status:OK Keys recognized=65 not recognized=0 Engine states: blocked=0, initializations=1 SESSIONS: Total number of sessions=363631 (inProgress=3967 Finished=359664) SSL protocol version breakdown per number of sessions: supported versions: ssl3.0=133090 tls1.0=150188 tls1.1=399 tls1.2=338 unsupported versions: ssl2.0=25 other versions=0 no version info=78677 Long handshakes=39980 Short handshakes=244214 Compressed sessions=0 SessionTkt reused=0 SessionId reused=241292 Finished sessions decrypted with no errors=242548 (67% of all finished sessions) Finished sessions decrypted partially=2228 (0% of all finished sessions) with a packet lost during payload data exchange=1489 with a corrupted payload data packet=2 with decryption failed during payload data exchange=0 terminated by alert during payload data exchange=737 Finished sessions not decrypted=114267 with no private key found=389 (new sessions=167 reused sessions=222) with a corrupted handshake packet or incorrect handshake sequence=1087 (new sessions=1087 reused sessions=0) with decryption broken during handshake=0 (new sessions=0 reused sessions=0) with unsupported SSL version=25 (ssl2.0=25 otherVersions=0) with unsupported SSL feature=475 (unsupported cipher=20 server key exchange=455) with compression errors=0 (unsupported compression=0, cannot decompress control records=0 data records=0) with RSA decryption failed=0, RSA invocations blocked=0 (new sessions=0 reused sessions=0) reused sessions with no matching master session seen before=30915 with incomplete SSL handshake=2728 (new sessions=2728 reused sessions=0) closed without data=8007 with invalid 'Hello' packet client=0, server=3 terminated by alert during handshake=30 reuse errors when PMS identified with session id=28707, with session ticket=0 session not seen from the beginning=70239 with other errors=7 Supplemental Data detected, server=0 client=0 Cipher suite diagnostic: Well know cipher-suites: * TLS_RSA_EXP_RSA_WITH_RC4_128_MD5 ref=459 + TLS_RSA_WITH_RC4_128_MD5 ref=277381 + TLS_RSA_WITH_RC4_128_SHA ref=6226 + TLS_RSA_WITH_DES_CBC_SHA ref=40 + TLS_RSA_WITH_3DES_EDE_CBC_SHA ref=40 - TLS_DH_RSA_WITH_DES_CBC_SHA ref=20 + TLS_RSA_WITH_AES_128_CBC_SHA ref=28 Unknown cipher-suites: Supported extensions: Unknown extensions: ID=65281 ref=5805 PMS CACHE INTERNAL DIAGNOSTICS: entries added (a=)80510 (asInitialized=13679 asUninitialized= 8730 withErrorCode=58101) entries changed (c=)101367 (toInitialized=25509 toUninitialized=0 toError=75858) entries deleted (d=)52445 total entries in cache (n=)28065
SSLDECR LOGLEVEL sets diagnostic tracing level to log SSL session history in
SSLDECR LOGLEVEL level
level can be one of the following:
DISABLE- Turn off logging of SSL diagnostic information. No SSL diagnostic information is written to the log file.
ERROR- Log SSL diagnostic information only for sessions with errors.
ALL- Log SSL diagnostic information for all sessions.
EVENTS- Display detailed information about every event that will be logged.
We do not recommend using the EVENTS option in a production environment. It generates large log files.
The command outputs the new level of diagnostic logging of SSL information.
>$ SSLDECR LOGLEVEL STATUS SSL log turned on for all sessions >$ SSLDECR LOGLEVEL DISABLE SSL log turned off >$ SSLDECR LOGLEVEL STATUS SSL log turned off >$ SSLDECR LOGLEVEL ERROR SSL log turned on for sessions with errors >$ SSLDECR LOGLEVEL STATUS SSL log turned on for sessions with errors >$ SSLDECR LOGLEVEL ALL SSL log turned on for all sessions >$ SSLDECR LOGLEVEL EVENTS SSL log turned on for all sessions