One of the big reasons for our recent upgrade to RSA Netwitness 11.1, with the "sslKeys" capability described in the article Decoder: Decrypt Incoming Packets, was a desire to have better visibility into email messages traversing our Netwitness Decoders.
I have followed the document, and see the keys installed using the listPems argument; however, I do not see any decrypted information when reviewing the sessions on my NW server via the Investigate tab.
I have manually performed decryption using a packet capture obtained from Netwitness, the key I installed, and Wireshark, and verified that the key works as expected to decrypt the TLS session key and then decrypt the packets. I have even verified that the TLS cipher being settled on between the endpoints is in the FIPS-compatible listing, and is compatible with private-key based decryption (though I also verified that by doing manual decryption).
However, it doesn't appear that the packets are being decrypted as expected.
So I thought I'd ask, since the documentation doesn't explicitly state so: does Netwitness 11.1 support opportunistic SSL/TLS decryption? Specifically, as described for the SMTP protocol in RFC 3207 - SMTP Service Extension for Secure SMTP over Transport Layer Security?
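
For reference, this is what RFC 3207 opportunistic TLS looks like on the wire, as an added example that is not part of the original post and makes no claim about how Netwitness parses sessions: the session opens as plaintext SMTP and TLS records only begin after the server's 220 reply to STARTTLS. The function names and sample bytes are constructed; the code assumes reassembled per-direction streams and a STARTTLS issued before any DATA phase.

```python
TLS_HANDSHAKE = 0x16  # TLS record content type: handshake

def smtp_replies(server: bytes):
    """Yield (code, end_offset) for each complete SMTP reply, multi-line aware."""
    pos = 0
    while (eol := server.find(b"\r\n", pos)) >= 0:
        line, pos = server[pos:eol], eol + 2
        if len(line) < 3 or not line[:3].isdigit():
            return                      # no longer SMTP text (e.g. TLS records)
        if line[3:4] != b"-":           # "250-..." continues, "250 ..." ends a reply
            yield int(line[:3]), pos

def looks_like_tls(data: bytes) -> bool:
    """True if data starts like a TLS handshake record (type 0x16, major version 3)."""
    return len(data) >= 3 and data[0] == TLS_HANDSHAKE and data[1] == 0x03

def find_starttls_upgrade(client: bytes, server: bytes):
    """Return the byte offset in each stream where TLS records begin, else None."""
    pos = n = 0
    while (eol := client.find(b"\r\n", pos)) >= 0:
        cmd, pos = client[pos:eol], eol + 2
        n += 1                          # command n is answered by reply n (greeting is 0)
        if cmd.strip().upper() == b"STARTTLS":
            break
    else:
        return None                     # the client never asked for TLS
    replies = list(smtp_replies(server))
    if n >= len(replies) or replies[n][0] != 220:
        return None                     # refused (e.g. 454) or capture truncated
    s_off = replies[n][1]
    if not (looks_like_tls(client[pos:]) and looks_like_tls(server[s_off:])):
        return None
    return {"client_tls_offset": pos, "server_tls_offset": s_off}

# Constructed sample streams (not taken from a real capture)
CLIENT_TEXT = b"EHLO client.example.test\r\nSTARTTLS\r\n"
SERVER_TEXT = (b"220 mx.example.test ESMTP\r\n250-mx.example.test\r\n"
               b"250 STARTTLS\r\n220 2.0.0 Ready to start TLS\r\n")
CLIENT = CLIENT_TEXT + b"\x16\x03\x01\x00\x02\x01\x00"  # truncated ClientHello record
SERVER = SERVER_TEXT + b"\x16\x03\x03\x00\x02\x02\x00"  # truncated ServerHello record

if __name__ == "__main__":
    print(find_starttls_upgrade(CLIENT, SERVER))
```

Everything before the returned offsets is cleartext SMTP, so the TLS handshake sits in the middle of the TCP stream rather than at its first byte as it does with implicit TLS on a dedicated port.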