SSL Decryption for Resumed Session



Does ExtraHop support decryption for SSL Resumed sessions?


Yes, like the participating devices, a Discover appliance maintains a cache of session info so that it might decrypt a resumed session. Both approaches to resuming sessions–session IDs and tickets–are handled.


Any limitations at all? I’m running into an issue where we aren’t seeing decryption on the resumes, just want to rule everything out other than flow expiration.


The session cache is limited by default to 130K total sessions, but tunable. You could be pushing those bounds.

A support case is the probably way to dig in further.