Record the network trace of the traffic that needs to be observed. To export and use SSL session keys to decrypt SSL traces without sharing the SSL private key, complete the following procedure: It is HIGHLY RECOMMENDED that you use this method vs SSLPLAIN if the option is available on your version/build. If you use this functionality, the NetScaler will export the keys for you, and you can skip the rest of this document. To do this, select the "Capture SSL Master Keys" checkbox. On later builds of 11.0 and beyond, you can instruct the NetScaler to export ssl session keys directly. The following is the command to enable decrypted SSL packets during nstrace:įor more information refer to the following articles - How to take trace from Command Line Interface for NetScaler 11.0. Note: If you are on a build that has the option to "Capture SSL Master Keys," (see below) use that method rather than SSPLAIN, which is now deprecated on newer builds.
This option is available as a check-box that you can select from the NetScaler GUI. This feature is called Decrypted SSL packets (SSLPLAIN). On earlier versions of NetScaler 11.0 you can decrypt the trace on the fly there is no need for private keys. For detailed steps refer to the Additional Resources section of this article. In NetScaler software release 10.5 and later, to decrypt the capture, ensure that ECC (Elliptic Curve Cryptography) and DH Param are disabled/removed from the virtual server before the trace is captured. If we are troubleshooting Load balancing vserver or Content switching vserver related setup then it should be disabled at the VIP as well as the Service/Service Group level as well. In order to properly decrypt the trace, SSL Session Reuse must be disabled at vserver level (If it is a gateway vserver related troubleshooting) to ensure that we see a full SSL handshake in the nstrace captured.
0 kommentar(er)
