
SSL investigation in SA

Question asked by RSA Admin Employee on Oct 22, 2014
Latest reply on Dec 8, 2014 by RSA Admin

Hello! I am struggling with SSL investigation in SA and the NW Investigator client.

I have a public/private key pair from a web server and a pcap which contains HTTPS traffic. I can decrypt the SSL-encrypted payload in Wireshark without any problems with my RSA private key.

There is no option to decrypt SSL with a private key in the SA web GUI. But there is an NW Investigator which can connect to SA or process a pcap. There is an option in the Investigator client to automatically decrypt SSL with an RSA key. But after providing the same pcap and key it just displays the same encrypted payload - it doesn't decrypt it (I also can't get it to work remotely with my SA 10.3 hybrid but that's another story).

How do you inspect your SSL traffic with SA? Please do not propose Bluecoat, A10, Netronome and other $$$ solutions.

I believe that SSL inspection is quite a relevant topic as most of the malware is using SSL.

PS. I can provide the pcap and keypair or screens if anyone is interested.
