Recently our infra has been undergoing changes; some of the webservers and appservers moved from Windows 2008 R2 to Windows 2012 R2. This caused the cipher order to change, as the OS is different, and we can see failures to decrypt ECDHE. I have captured data using traffic diagnostic in CAS, limited to just one IP address. I'm using Wireshark to view the pcap file and am trying to find the starting point where encryption picks ECDHE instead of the other cipher. I need some advice, as I have little to no experience using Wireshark.
Additional info about the infra: Request -> load balancer -> WebSEAL -> load balancer -> web server.
Thanks & Best wishes,
That is done in the initial handshake. One way to maintain visibility is possibly to move your capture point to after the WebSEAL, which normally handles the SSL piece.
Just sharing the following information in case.
If you are NOT using any of the anonymous key agreement protocols (DHE, ECDH, ECDHE), your new certificate file must also contain your private key.