SSL Decryption for Resumed Session

ssl
decryption

#1

Does ExtraHop support decryption for SSL Resumed sessions?


#2

Yes, like the participating devices, a Discover appliance maintains a cache of session info so that it might decrypt a resumed session. Both approaches to resuming sessions–session IDs and tickets–are handled.


#3

Any limitations at all? I’m running into an issue where we aren’t seeing decryption on the resumes, just want to rule everything out other than flow expiration.


#4

The session cache is limited by default to 130K total sessions, but tunable. You could be pushing those bounds.

A support case is probably the way to dig in further.