We have an application with the DHE algorithm. The customer has deleted the key exchange algorithms, but we continue seeing "Encrypted data exchange" operations. Is this normal? Shouldn't we see this information decrypted?
On the other hand, the software services are using the HTTPS analyzer. We are going to change it to SSL. Is this the cause? What is the difference between using the HTTPS analyzer and the SSL analyzer?
You can check what types of SSL key exchanges are occurring by examining the module names in CAS that show up next to "encrypted data exchange" operations. If DH has indeed been disabled, the cipher names there shouldn't contain "DH", "DHE", "ECDHE" or similar strings, but they should contain "RSA" and the like.
RSA decryption requires the server's SSL keys to be copied onto the AMD. If you have them, then decryption of the RSA ciphers should work, provided traffic quality is good. If the AMD is not receiving all packets in a clean manner, it won't be able to decrypt. There should be no sequence gaps, incomplete sessions, heavy duplicates, etc. Use the AMD's icon to check decryption status.
When you use the SSL analyzer, it monitors all SSL traffic and tells you what ciphers were used and what the connection setup time was, and then reports encrypted data exchange (because it doesn't decrypt). It doesn't need SSL keys from the server. The HTTPS analyzer provides decryption, so it basically provides insight into the "encrypted data exchange". It needs the server's SSL keys to do it.
Hope this helps.
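As an added illustration of the first point in the answer above (this is example code, not code from the thread or from the product): a small Python parser that reads the cipher suite a server selected in its ServerHello and reports whether static RSA key exchange was used, which a passive probe holding the server's private key can decrypt, or an ephemeral DH/ECDH exchange, which it cannot. The ServerHello bytes are constructed as a sample here, not taken from a real capture, and the suite table is a subset of the IANA registry.

```python
import struct

# Subset of IANA TLS cipher suite code points (real assignments).
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0x1301: "TLS_AES_128_GCM_SHA256",  # TLS 1.3: key exchange is always ephemeral
}

def parse_server_hello(record: bytes) -> int:
    """Return the cipher suite code selected in a TLS 1.0-1.2 ServerHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        # Mirrors the answer's point: an incompletely captured handshake cannot be used
        raise ValueError("truncated record: handshake not fully captured")
    if body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    # layout: version(2) random(32) session_id_len(1) session_id cipher_suite(2) compression(1)
    off = 35 + hs[34]
    return struct.unpack("!H", hs[off:off + 2])[0]

def classify(code: int) -> dict:
    """Describe the key exchange and whether a probe holding the server key could decrypt."""
    name = CIPHER_SUITES.get(code, f"UNKNOWN_0x{code:04X}")
    if code >> 8 == 0x13:
        kx = "ECDHE/DHE (TLS 1.3)"
    elif "_WITH_" in name:
        kx = name[4:].split("_WITH_")[0]  # e.g. "RSA", "DHE_RSA", "ECDHE_ECDSA"
    else:
        kx = "UNKNOWN"
    # Only static RSA key transport lets a holder of the server private key recover the session key
    return {"suite": name, "key_exchange": kx, "passive_decryption_possible": kx == "RSA"}

def build_server_hello(code: int) -> bytes:
    """Constructed sample ServerHello (not a real capture) selecting the given cipher suite."""
    hs_body = b"\x03\x03" + bytes(range(32)) + b"\x00" + struct.pack("!H", code) + b"\x00"
    handshake = b"\x02" + len(hs_body).to_bytes(3, "big") + hs_body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    for code in (0x002F, 0xC02F, 0x1301):
        print(classify(parse_server_hello(build_server_hello(code))))
```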
Hi again, Kris.
Thanks for your answer.
A question: is the amount of data shown in "encrypted data exchange" the same as the amount of data shown when launching the ssldecr status IP command, with the difference that "encrypted data exchange" is shown in operations and ssldecr status IP in sessions?
If the question is not clear, don't hesitate to ask me.
Yes, this is true. The AMD's status centers around sessions because decryption occurs for a session: keys are negotiated per session; if a session breaks, then all pages within the session won't be reported, etc. But for a user, per-page information is more important, as this reflects user experience.