
This product reached the end of support date on March 31, 2021.

Verification of generated SSL key

akshay_shinde2
Inactive

Hello,

I have received the key from the AM team in .keystore format. Somehow I managed to convert it into .pem format and it has been added to the AMD for decrypting the SSL traffic. But when I run the command below, it gives me nothing.

rcmd show ssldecr status xx.xx.xx.xx

I checked that this application is using DH key exchange, but I suppose the command should at least show me the cipher suite details that the application is using, because when I verified it for another application which is also using DH, it shows output like:

Cipher-suites:

+ TLS1.0-RSA-RSA-AES-256-CBC-256-SHA ref=1


- TLS1.0-DH-RSA-AES-256-CBC-256-MD5 ref=12

Unknown cipher-suites:

- c014 ref=105874

- c028 ref=122180

- c030 ref=829715

Is it possible that the key I produced from the .keystore is wrong? Please guide.

BR,

Ak

3 REPLIES

Rafal_Brzezinsk
Dynatrace Helper

Hi Akshay,

Those unknown ones are mutations of DH as well:

c014 - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

c028 - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

c030 - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

so you have only 1 session which is using a supported cipher.

To verify if the key is recognized please run:

show ssldecr status keys

from rcon.

Regards

Hi Rafal,

Thanks for your comment, but the key in question is showing only read, not matched.

And of course it will show only read as the application uses DH, but I suspect the key extracted from the original .keystore is not correct.

Is there any way to validate the .pem key?

BR,

AK

Rafal_Brzezinsk
Dynatrace Helper

Hi,

Status read means that key is correct, status matched means that there was no traffic to match this key.

Rgds
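
The question asked in the thread, whether the .pem key extracted from the .keystore can be validated, can also be checked outside the AMD with OpenSSL. The script below is an added example, not part of the thread or of any Dynatrace tooling; it assumes an RSA key and that the server certificate from the same keystore is available as a PEM file, and the function name and file arguments are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: check that a PEM private key extracted from a keystore is
# a usable RSA key and belongs to the server certificate.
# Function name and file arguments are hypothetical, not from the thread.

# Usage: validate_pem_key <private-key.pem> <server-cert.pem>
# Returns 0 = key matches cert, 1 = bad key, 2 = bad cert, 3 = mismatch.
validate_pem_key() {
    local key="$1" cert="$2"
    local key_pub cert_pub

    # Step 1: the file must load as an unencrypted RSA private key and pass
    # OpenSSL's consistency check. The exit status of "rsa -check" may not
    # reflect a failed check in every OpenSSL version, so look for the
    # success message instead.
    # "-passin pass:" makes an encrypted key fail instead of prompting.
    if ! openssl rsa -in "$key" -check -noout -passin pass: 2>/dev/null |
            grep -q 'RSA key ok'; then
        echo "FAIL: $key is not a readable, consistent, unencrypted RSA key"
        return 1
    fi

    # Step 2: derive the public key from the private key and from the cert.
    # Both commands emit the same SubjectPublicKeyInfo PEM encoding.
    key_pub=$(openssl rsa -in "$key" -pubout -passin pass: 2>/dev/null) || return 1
    if ! cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null); then
        echo "FAIL: $cert is not a readable PEM certificate"
        return 2
    fi

    # Step 3: identical public keys mean the key belongs to this certificate.
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "FAIL: private key does not match the certificate"
        return 3
    fi
    echo "OK: private key is consistent and matches the certificate"
}

# Run the check when two file names are given on the command line.
if [ "$#" -eq 2 ]; then
    validate_pem_key "$1" "$2"
fi
```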