Can Netwitness sslKeys decrypt opportunistic TLS? (STARTTLS for SMTP)

Question asked by Maddox Mishou on Apr 24, 2018
Latest reply on Sep 5, 2018 by Scott Moore

One of the big reasons for our recent upgrade to RSA Netwitness 11.1, which has the "sslKeys" capability described in the article Decoder: Decrypt Incoming Packets, was a desire to have better visibility into email messages traversing our Netwitness Decoders.

I have followed the document, and see the keys installed using the listPems argument; however, I do not see any decrypted information when reviewing the sessions on my NW server via the Investigate tab.

I have manually performed decryption using a packet capture obtained from Netwitness, the key I installed, and Wireshark, and verified that the key works as expected to decrypt the TLS session key and then decrypt the packets. I have even verified that the TLS cipher being settled on between the endpoints is in the FIPS-compatible listing, and is compatible with private-key based decryption (though I also verified that doing manual decryption).

However, it doesn't appear that the packets are being decrypted as expected.

So I thought I'd ask, since the documentation doesn't explicitly state so; does Netwitness 11.1 support opportunistic SSL/TLS decryption? Specifically, as described for the SMTP protocol in RFC 3207 - SMTP Service Extension for Secure SMTP over Transport Layer Security?
