No SSL/TLS session key receiver service in EDA version 7.4.0 or 7.5.0

decryption

#1

More and more customer websites use PFS (TLSv1.1, TLSv1.2 or even TLSv1.3) dynamic encryption technology to connect with clients. To show the customer that the ExtraHop EDA supports decrypting this data, how can I do it?
By the way, I'm using the trial license key and the deployed version is 7.4.0 or 7.5.0, but the session key receiver option is not displayed in the service options, although there is SSL decryption in License Administration (Features). Is the SSL decryption referred to here different from the SSL decryption mentioned in pfs-linux-install.pdf?


#2

Hi, @chihching. I believe you will need a license adjustment in order to see the key receiver service control. ExtraHop Support should be able to assist you on next steps.

support@extrahop.com
877-333-9872 (US)
+44 (0) 125 627 4332 (EMEA)
+65-3163-5541 (APAC)


#3

Hi @shaundavid. Yes, to fix this issue, after enabling the 'ssl_session_secrets' feature, there has been an increase in secrets in the SSL Shared Secrets tag. Unfortunately, there is no Decrypted Sessions information in the Admin UI. Do you have any suggestions?


#4

Good to hear, @chihching.

At a very high level, I would ensure that the traffic for sessions you’re expecting to be decrypted is actually making it to the EDA capture ports. Is there evidence in the EDA’s SSL Session metrics that the key forwarder endpoint traffic is present in the EDA’s feed?

After that, depending on the firmware version you’re running, you may actually need the certificate and private key uploaded to the EDA. Version 7.5 introduces a checkbox in the Admin UI to not require uploading the private key and certificate, but in 7.4 and before, private keys and certificates are required, even when the session keys themselves are being forwarded by the key forwarder.

Those are two quick ideas where things may not be fully connected. If neither addresses the issue, you may want to reach out to ExtraHop Support for additional assistance.
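The reply above separates two decryption modes: one that needs the server's private key and one that relies on per-session secrets forwarded from the web server. A quick way to check the second mode on the server side is to look at what the server is actually emitting. The script below is an added example, not ExtraHop code and not the format the ExtraHop key forwarder uses on the wire; it parses the widely used NSS key log format (what SSLKEYLOGFILE, OpenSSL-based servers and Wireshark write), which is what the forwarder's input ultimately looks like: one secret keyed by the ClientHello random. It reports which sessions have enough material to be decrypted and flags TLS 1.3 sessions that are missing a traffic secret. The sample key log inside the script is constructed and contains no real secrets.

```python
"""Parse an NSS-format TLS key log and report which sessions could be decrypted.

Added example, not ExtraHop code. The sample input is constructed and the
labels follow the NSS key log format (SSLKEYLOGFILE); the ExtraHop key
forwarder's own wire format is not shown here.
"""
import re
from collections import defaultdict

# TLS 1.2 (and earlier) sessions are decryptable from the one master secret
# logged against the ClientHello random. TLS 1.3 sessions need the
# per-direction handshake and application traffic secrets.
TLS12_LABELS = {"CLIENT_RANDOM"}
TLS13_LABELS = {
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
}

# <label> <client_random: 32 bytes hex> <secret hex>
LINE_RE = re.compile(
    r"^(?P<label>[A-Z0-9_]+)\s+(?P<client_random>[0-9a-fA-F]{64})\s+(?P<secret>[0-9a-fA-F]+)\s*$"
)

# Constructed sample: one TLS 1.2 session, one complete TLS 1.3 session,
# one TLS 1.3 session missing three secrets, and one malformed line.
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample, not real secrets",
    f"CLIENT_RANDOM {'11' * 32} {'aa' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {'22' * 32} {'b1' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {'22' * 32} {'b2' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {'22' * 32} {'b3' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {'22' * 32} {'b4' * 32}",
    f"EXPORTER_SECRET {'22' * 32} {'b5' * 32}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {'33' * 32} {'c1' * 32}",
    "SERVER_TRAFFIC_SECRET_0 not-hex garbage",
])


def parse_keylog(text):
    """Return ({client_random: {label: secret}}, [malformed line numbers]).

    Blank lines and '#' comments are skipped; anything else that does not
    match the three-field format is reported rather than silently dropped.
    """
    sessions = defaultdict(dict)
    malformed = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            malformed.append(lineno)
            continue
        sessions[m["client_random"].lower()][m["label"]] = m["secret"].lower()
    return dict(sessions), malformed


def classify(labels):
    """Return (version, decryptable) for the set of labels seen for one session."""
    labels = set(labels)
    if labels & TLS12_LABELS:
        return "tls1.2", True
    if labels & TLS13_LABELS:
        # Application data needs all four traffic secrets; EXPORTER_SECRET is extra.
        return "tls1.3", TLS13_LABELS <= labels
    return "unknown", False


def secrets_for(sessions, client_random_hex):
    """Look up the secrets for the ClientHello random seen in a packet capture."""
    return sessions.get(client_random_hex.lower())


def summarize(text):
    """Count sessions per outcome, which is what you would compare against the
    decrypted-session count on the capture side."""
    sessions, malformed = parse_keylog(text)
    summary = {"tls1.2": 0, "tls1.3": 0, "incomplete": 0, "unknown": 0,
               "malformed_lines": len(malformed)}
    for labels in sessions.values():
        version, ok = classify(labels)
        if version == "unknown":
            summary["unknown"] += 1
        elif ok:
            summary[version] += 1
        else:
            summary["incomplete"] += 1
    return summary


if __name__ == "__main__":
    print(summarize(SAMPLE_KEYLOG))
```

If the server-side count of decryptable sessions is healthy but the capture side shows none, the problem is between the two (feed not reaching the capture ports, or a port mapping issue as discussed later in the thread) rather than in the server's key export.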


#5

To get mine to work we had to set a global protocol mapping. So we set http and 443 in the global port mapping and it all seems to work fine now.



#6

Here are all of our settings.


#7

Hi @mitchroberson, many thanks for your helpful suggestions. Yes, the EDA can now successfully receive the 'secrets' sent by the HTTPS web server. I changed the Global Protocol Port Mapping 'http -> 0' to 'http -> 443'. Could you please tell me why it works once the TCP port range is narrowed down?
BG
ChihChing


#8

I am guessing here, but this is normal for most capture-type devices: they have to be told what port to decrypt, otherwise it would eat up a lot of resources checking stuff it does not need to.
But this is an assumption on my part.