You can use the AMD console rcon to check on the operation of the decryption mechanism.

High Speed AMD

The following rcon commands are available for High Speed AMD only:

 SSLDECR STATUS

Command SSLDECR STATUS gives the status information for the decryption engine and lists the statistics of the observed sessions. Internal decryptor diagnostics are also provided. You can use the command with the following options:

ssldecr status - shows the summary status for all servers.

ssldecr status all - shows the detailed status for each server individually.

ssldecr status [IP_address port_number] - shows the detailed status for a selected server.

Output

All of the information and statistics given by the command relate to the period of time since the last restart of the device.

The first section of the output gives status information for the decryption engine. Note the SSL engine mode (native, auto or thread) included in parentheses and statistics of how many private keys have been matched or failed to match.

The second section gives session statistics. Note that there are no statistics for “partially decrypted session in progress”, that is, for sessions with some errors but for which decryption is still continuing. This is because as soon as there is an error, the decryption process is terminated and the session is counted as “finished”, even though the actual transfer of data may still continue and byte and packet statistics are still counted.

Note also the term “reused sessions”. This applies to sessions for which the server agrees to continue using an already established session key from earlier on. This is referred to as a short handshake, as compared to a long handshake when the entire process of establishing an SSL connection is started again.

Example

>$ ssldecr status
SSL DECRYPTION STATUS:
        CONFIGURATION: Engine:openssl(native) status:OK
                Keys recognized=65 not recognized=0
                Engine states: blocked=0, initializations=1
        SESSIONS:
           Total number of sessions=363631 (inProgress=3967 Finished=359664)
           SSL protocol version breakdown per number of sessions:
                supported versions: ssl3.0=133090 tls1.0=150188 tls1.1=399 tls1.2=338
                unsupported versions: ssl2.0=25 other versions=0 no version info=78677
           Long handshakes=39980 Short handshakes=244214 Compressed sessions=0 SessionTkt reused=0 SessionId reused=241292
           Finished sessions decrypted with no errors=242548 (67% of all finished sessions)
           Finished sessions decrypted partially=2228 (0% of all finished sessions)
                with a packet lost during payload data exchange=1489
                with a corrupted payload data packet=2
                with decryption failed during payload data exchange=0
                terminated by alert during payload data exchange=737
           Finished sessions not decrypted=114267
                with no private key found=389 (new sessions=167 reused sessions=222)
                with a corrupted handshake packet or incorrect handshake sequence=1087 (new sessions=1087 reused sessions=0)
                with decryption broken during handshake=0 (new sessions=0 reused sessions=0)
                with unsupported SSL version=25 (ssl2.0=25 otherVersions=0)
                with unsupported SSL feature=475 (unsupported cipher=20  server key exchange=455)
                with compression errors=0 (unsupported compression=0, cannot decompress control records=0 data records=0)
                with RSA decryption failed=0, RSA invocations blocked=0 (new sessions=0 reused sessions=0)
                reused sessions with no matching master session seen before=30915
                with incomplete SSL handshake=2728 (new sessions=2728 reused sessions=0)
                closed without data=8007
                with invalid 'Hello' packet client=0, server=3
                terminated by alert during handshake=30
                reuse errors when PMS identified with session id=28707, with session ticket=0
                session not seen from the beginning=70239
                with other errors=7
           Supplemental Data detected, server=0 client=0
        Cipher suite diagnostic:
                Well know cipher-suites:
                        * TLS_RSA_EXP_RSA_WITH_RC4_128_MD5 ref=459
                        + TLS_RSA_WITH_RC4_128_MD5 ref=277381
                        + TLS_RSA_WITH_RC4_128_SHA ref=6226
                        + TLS_RSA_WITH_DES_CBC_SHA ref=40
                        + TLS_RSA_WITH_3DES_EDE_CBC_SHA ref=40
                        - TLS_DH_RSA_WITH_DES_CBC_SHA ref=20
                        + TLS_RSA_WITH_AES_128_CBC_SHA ref=28
                Unknown cipher-suites:
        Supported extensions:
        Unknown extensions:
                        ID=65281 ref=5805
        PMS CACHE INTERNAL DIAGNOSTICS:
                entries added (a=)80510 (asInitialized=13679 asUninitialized= 8730 withErrorCode=58101)
                entries changed (c=)101367 (toInitialized=25509 toUninitialized=0 toError=75858)
                entries deleted (d=)52445
                total entries in cache (n=)28065
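To turn this output into something an operator can monitor, the following Python script (an added example, not part of the AMD or of this page) parses the session counters and the "not decrypted" reasons from a copy of the status output above and derives findings from them. The sample text is the page's own output embedded as a string; the parser, the function names and the mapping of counters to their usual causes are this example's assumptions.

```python
import re
from collections import OrderedDict

# Constructed sample: the 'ssldecr status' output from this page, trimmed to the
# session section (values are the page's; the text is embedded for an offline run)
SAMPLE_STATUS = """\
SSL DECRYPTION STATUS:
        CONFIGURATION: Engine:openssl(native) status:OK
                Keys recognized=65 not recognized=0
        SESSIONS:
           Total number of sessions=363631 (inProgress=3967 Finished=359664)
           Finished sessions decrypted with no errors=242548 (67% of all finished sessions)
           Finished sessions decrypted partially=2228 (0% of all finished sessions)
                with a packet lost during payload data exchange=1489
           Finished sessions not decrypted=114267
                with no private key found=389 (new sessions=167 reused sessions=222)
                with a corrupted handshake packet or incorrect handshake sequence=1087 (new sessions=1087 reused sessions=0)
                with unsupported SSL version=25 (ssl2.0=25 otherVersions=0)
                with unsupported SSL feature=475 (unsupported cipher=20  server key exchange=455)
                reused sessions with no matching master session seen before=30915
                with incomplete SSL handshake=2728 (new sessions=2728 reused sessions=0)
                closed without data=8007
                with invalid 'Hello' packet client=0, server=3
                reuse errors when PMS identified with session id=28707, with session ticket=0
                session not seen from the beginning=70239
                with other errors=7
           Supplemental Data detected, server=0 client=0
"""

# label=number pairs; the label must start with a letter, so spaces and commas are skipped
_PAIR = re.compile(r"([A-Za-z][A-Za-z0-9 .'/_-]*?)\s*=\s*(\d+)")


def _indent(line):
    return len(line) - len(line.lstrip(" \t"))


def parse_status(text):
    """Parse the status output into plain counters (example parser, not AMD code).

    Returns engine info, the top-level session counters, the 'not decrypted'
    reasons in output order, and each reason's parenthesised detail counters.
    """
    stats = {"reasons": OrderedDict(), "details": {}}
    m = re.search(r"Engine:(\w+)\((\w+)\)\s+status:(\w+)", text)
    if m:
        stats["engine"], stats["mode"], stats["engine_status"] = m.groups()
    m = re.search(r"Keys:?\s+recognized=(\d+)\s+not recognized=(\d+)", text)
    if m:
        stats["keys_recognized"], stats["keys_not_recognized"] = (int(x) for x in m.groups())
    lines = text.splitlines()
    for i, line in enumerate(lines):
        s = line.strip()
        nums = [int(v) for _, v in _PAIR.findall(s)]
        if s.startswith("Total number of sessions=") and len(nums) >= 3:
            stats["total"], stats["in_progress"], stats["finished"] = nums[:3]
        elif s.startswith("Finished sessions decrypted with no errors="):
            stats["ok"] = nums[0]
        elif s.startswith("Finished sessions decrypted partially="):
            stats["partial"] = nums[0]
        elif s.startswith("Finished sessions not decrypted="):
            stats["not_decrypted"] = nums[0]
            base = _indent(line)
            # the reason lines are the more deeply indented lines that follow
            for sub in lines[i + 1:]:
                if not sub.strip() or _indent(sub) <= base:
                    break
                head, _, detail = sub.strip().partition("(")
                pair = _PAIR.search(head)
                if pair is None:
                    continue
                label = pair.group(1).strip()
                stats["reasons"][label] = int(pair.group(2))
                if detail:
                    stats["details"][label] = {k.strip(): int(v) for k, v in _PAIR.findall(detail)}
    return stats


def decrypt_ratio(stats):
    """Share of finished sessions decrypted without error, in percent."""
    if not stats.get("finished"):
        return 0.0
    return round(100.0 * stats.get("ok", 0) / stats["finished"], 1)


def top_reasons(stats, n=3):
    """The n largest 'not decrypted' counters, largest first."""
    return sorted(stats["reasons"].items(), key=lambda kv: kv[1], reverse=True)[:n]


def assess(stats):
    """Findings an operator would act on; each maps a counter to its usual cause."""
    findings = []
    r, d = stats["reasons"], stats["details"]
    if stats.get("keys_not_recognized"):
        findings.append("%d configured private keys were not recognized by the engine" % stats["keys_not_recognized"])
    if r.get("with no private key found"):
        findings.append("%d sessions had no matching private key: a server's key is missing from the configuration"
                        % r["with no private key found"])
    ske = d.get("with unsupported SSL feature", {}).get("server key exchange", 0)
    if ske:
        findings.append("%d sessions used a ServerKeyExchange-based (ephemeral DH) key exchange, which passive "
                        "decryption with the server's RSA key cannot recover" % ske)
    if r.get("session not seen from the beginning"):
        findings.append("%d sessions were first seen mid-stream: the capture point missed their handshakes"
                        % r["session not seen from the beginning"])
    return findings


if __name__ == "__main__":
    st = parse_status(SAMPLE_STATUS)
    print("engine %s(%s), keys recognized=%s" % (st["engine"], st["mode"], st["keys_recognized"]))
    print("clean decryption: %.1f%% of finished sessions" % decrypt_ratio(st))
    for label, count in top_reasons(st):
        print("  %-60s %d" % (label, count))
    for finding in assess(st):
        print("* " + finding)
```

The reason counters overlap (a session can appear under more than one line), so the script reports them individually rather than summing them against the "not decrypted" total. Pipe the real rcon output into parse_status in place of the embedded sample.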

 SSLDECR LOGLEVEL

Command SSLDECR LOGLEVEL sets the diagnostic tracing level used to log SSL session history to /var/log/adlex/rtm.log.

SSLDECR LOGLEVEL level

Where level can be one of the following:

  • DISABLE - Turn off logging of SSL diagnostic information. No SSL diagnostic information is written to the log file.
  • ERROR - Log SSL diagnostic information only for sessions with errors.
  • ALL - Log SSL diagnostic information for all sessions.
  • EVENTS - Display detailed information about every event that will be logged.
  • STATUS - Display the current logging level without changing it.

Note:

Since this option generates large log files, we recommend that it not be enabled in a production environment.

Output

The command outputs the new level of diagnostic logging of SSL information.

Example

>$  SSLDECR LOGLEVEL STATUS 
SSL log turned on for all sessions

>$  SSLDECR LOGLEVEL DISABLE 
SSL log turned off

>$  SSLDECR LOGLEVEL STATUS 
SSL log turned off

>$  SSLDECR LOGLEVEL ERROR 
SSL log turned on for sessions with errors

>$  SSLDECR LOGLEVEL STATUS  
SSL log turned on for sessions with errors

>$  SSLDECR LOGLEVEL ALL 
SSL log turned on for all sessions

>$  SSLDECR LOGLEVEL EVENTS 
SSL log turned on for all sessions

Classic AMD

The following rcon commands are available for Classic AMD only:

 SHOW SSLDECR STATUS

This command is available only in the Classic AMD.

Command SHOW SSLDECR STATUS gives the status information for the decryption engine and lists the statistics of the observed sessions. Internal decryptor diagnostics are also provided.

SHOW SSLDECR STATUS
SHOW SSLDECR STATUS IP_address port_number

Output

All of the information and statistics given by the command relate to the period of time since the last restart of the device.

Note:

Optionally indicating the IP address and the port number of a server limits the output to the specified server.

The first section of the output gives status information for the decryption engine. Note the SSL engine mode (native, auto or thread) included in parentheses and statistics of how many private keys have been matched or failed to match.

The second section gives session statistics. Note that there are no statistics for “partially decrypted session in progress”, that is, for sessions with some errors but for which decryption is still continuing. This is because as soon as there is an error, the decryption process is terminated and the session is counted as “finished”, even though the actual transfer of data may still continue and byte and packet statistics are still counted.

Note also the term “reused sessions”. This applies to sessions for which the server agrees to continue using an already established session key from earlier on. This is referred to as a short handshake, as compared to a long handshake when the entire process of establishing an SSL connection is started again.

Example

>$  SHOW SSLDECR STATUS 
SSL DECRYPTION STATUS:
        CONFIGURATION: Engine:openssl(thread) status:OK
                     Keys: recognized=3 not recognized=0
   SESSIONS:
       Total number of sessions=67741 (in progress=29952 finished=37789)
       SSL protocol version breakdown per number of sessions:
         supported versions= ssl3.0=21755 tls1.0=0
         unsupported versions= ssl2.0=0 tls1.1=0 tls1.2=0 other versions=0 no version info=15743
       New sessions=2336 Reused sessions=19419
       Finished sessions decrypted with no errors=0 (0% of all finished sessions)
       Sessions in progress decrypting with no errors=2774 (9% of all sessions in progress)
       Finished sessions decrypted partially=187 (0% of all finished sessions)
           with a packet lost during payload data exchange=187
           with a corrupted payload data packet=0
           with decryption failed during payload data exchange=0
       Finished sessions not decrypted=37602 (99% of all finished sessions)
           with no private key found=0 (new sessions=0 reused sessions=0)
           with a packet lost during handshake=364 (new sessions=364 reused sessions=0)
           with a corrupted handshake packet or incorrect handshake sequence=79 (new sessions=79 reused sessions=0)
           with decryption broken during handshake=15 (new sessions=15 reused sessions=0)
           with unsupported SSL version=0 (ssl2.0=0 tls1.1=0 tls1.2=0 other versions=0)
           with unsupported SSL feature=0 (unsupported cipher=0 unsupported compression=0 server key exchange=0)
           reused sessions with no matching master sessions seen before=15740
           with incomplete SSL handshake=15511 (new sessions=15723 reused sessions=0)
           terminated by alert (during handshake=212 during payload data exchange=0)
           session not seen from the beginning=5681
           with other errors=0
   RSA DECRYPTOR INTERNAL DIAGNOSTICS:
       init/init errors (I=)2095/0
       finalize/finalize errors (f=)1864/0
       cancel/cancel errors =)0/0
       parallel curr/avg/max (p=)231/115/231
       sessions on hold total/curr/avg/max(h=)0/0/0/0
   PMS CACHE INTERNAL DIAGNOSTICS:
       entries added (a=)10056 (initialized=1823 uninitialized=8209 error=24 )
       entries changed =)155 (toInitialized=41 toUninitialized=0 toError=114 )
       entries deleted (d=)0
       total entries in cache (n=)10056

Optionally, the * parameter can be used in the command to display statistics grouped per server.

>$  SHOW SSLDECR STATUS * 
SSL DECRYPTION STATUS for server 10.10.10.10 port 443:
	SESSIONS:
	     Total number of sessions=51114 (inProgress=1 Finished=51113)
	     SSL protocol version breakdown per number of sessions:
		       supported versions: ssl3.0=620 tls1.0=28114 tls1.1=0 tls1.2=0
		       unsupported versions: ssl2.0=0 other versions=0 no version info=22372
	     Long handshakes=5275 Short handshakes=12288 SessionTkt reused=0 SessionId reused=22255
	     Finished sessions decrypted with no errors=13767 (26% of all finished sessions)
	     Sessions in progress decrypting with no errors=0 (0% of all sessions in progress)
	     Finished sessions decrypted partially=1292 (2% of all finished sessions)
		       with a packet lost during payload data exchange=1292
		       with a corrupted payload data packet=0
		       with decryption failed during payload data exchange=0
		       terminated by alert during payload data exchange=0
	     Finished sessions not decrypted=36054 (70% of all finished sessions)
		       with no private key found=0 (new sessions=0 reused sessions=0) 
		       with a packet lost during handshake=496 (new sessions=436 reused sessions=60)
		       with a corrupted handshake packet or incorrect handshake sequence=0 (new sessions=0 reused sessions=0)
		       with decryption broken during handshake=0 (new sessions=0 reused sessions=0) 
		       with unsupported SSL version=0 (ssl2.0=0 otherVersions=0)
		       with unsupported SSL feature=11171 (unsupported cipher=11171 compression=0 server key exchange=0)
		       reused sessions with no matching master session seen before=2178
		       with incomplete SSL handshake=97 (new sessions=97 reused sessions=0)
		       terminated by alert during handshake=79
		       reuse errors when PMS identified with session id=2238, with session ticket=0 
		       session not seen from the beginning=22033
		       with other errors=0
	SSL cipher-suites status:
	+ RC4-MD5                     id=04 kex=RSA sig=RSA enc=RC4  dig=MD5 ref=14590
	+ RC4-SHA                     id=05 kex=RSA sig=RSA enc=RC4  dig=SHA ref=119
	- DH-RSA-DES-CBC-SHA          id=0F kex=DH  sig=RSA enc=DES  dig=SHA ref=4234

SSL DECRYPTION STATUS for server 50.50.50.50 port 443:
	SESSIONS:
	     Total number of sessions=51114 (inProgress=1 Finished=51113)
	     SSL protocol version breakdown per number of sessions:
		       supported versions: ssl3.0=620 tls1.0=28114 tls1.1=0 tls1.2=0
		       unsupported versions: ssl2.0=0 other versions=0 no version info=22372
	     Long handshakes=5275 Short handshakes=12288 SessionTkt reused=0 SessionId reused=22255
	     Finished sessions decrypted with no errors=13767 (26% of all finished sessions)
	     Sessions in progress decrypting with no errors=0 (0% of all sessions in progress)
	     Finished sessions decrypted partially=1292 (2% of all finished sessions)
		       with a packet lost during payload data exchange=1292
		       with a corrupted payload data packet=0
		       with decryption failed during payload data exchange=0
		       terminated by alert during payload data exchange=0
	     Finished sessions not decrypted=36054 (70% of all finished sessions)
		       with no private key found=0 (new sessions=0 reused sessions=0) 
		       with a packet lost during handshake=496 (new sessions=436 reused sessions=60)
		       with a corrupted handshake packet or incorrect handshake sequence=0 (new sessions=0 reused sessions=0)
		       with decryption broken during handshake=0 (new sessions=0 reused sessions=0) 
		       with unsupported SSL version=0 (ssl2.0=0 otherVersions=0)
		       with unsupported SSL feature=11171 (unsupported cipher=11171 compression=0 server key exchange=0)
		       reused sessions with no matching master session seen before=2178
		       with incomplete SSL handshake=97 (new sessions=97 reused sessions=0)
		       terminated by alert during handshake=79
		       reuse errors when PMS identified with session id=2238, with session ticket=0 
		       session not seen from the beginning=22033
		       with other errors=0
	SSL cipher-suites status:
	+ RC4-MD5                     id=04 kex=RSA sig=RSA enc=RC4  dig=MD5 ref=5345
	+ AES128-SHA                  id=2F kex=RSA sig=RSA enc=AES-128-CBC dig=SHA ref=2854
	- DHE-RSA-AES128-SHA          id=33 kex=DH  sig=RSA enc=AES-128-CBC dig=MD5 ref=11171

 SHOW SSLDECR LOGLEVEL

This command is available only in the Classic AMD.

Command SHOW SSLDECR LOGLEVEL displays current level of logging SSL diagnostic information. This command is equivalent to SSLDECR LOGLEVEL STATUS.

SHOW SSLDECR LOGLEVEL

Output

The following levels of logging can be returned by the command:

  • SSL log turned off

  • SSL log turned on for sessions with errors

  • SSL log turned on for all sessions

Examples

 >$  SHOW SSLDECR LOGLEVEL 
SSL log turned on for all sessions

>$  SSLDECR LOGLEVEL DISABLE 
SSL log turned off

>$  SHOW SSLDECR LOGLEVEL 
SSL log turned off

>$  SSLDECR LOGLEVEL ERROR 
SSL log turned on for sessions with errors

>$  SHOW SSLDECR LOGLEVEL  
SSL log turned on for sessions with errors

>$  SSLDECR LOGLEVEL ALL 
SSL log turned on for all sessions

>$  SHOW SSLDECR LOGLEVEL 
SSL log turned on for all sessions
      

 SHOW SSLDECR CERTS

This command is available only in the Classic AMD.

Command SHOW SSLDECR CERTS lists the full text of all observed server certificates. The information displayed applies to the period of time since the last reset of the device.

SHOW SSLDECR CERTS

Output

The command outputs the full text of each seen certificate.

Example

 Certificates:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: CN=OpenSSL Test Certificate
        Validity
            Not Before: Aug 29 15:33:18 2006 GMT
            Not After : Aug 29 15:33:18 2007 GMT
        Subject: CN=OpenSSL Test Certificate
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:cc:c7:83:e3:6e:62:38:d1:f1:63:5a:fe:54:29:
 					...
                    91:32:c8:70:3a:3f:e4:44:88:4b:82:92:7f:1d:2c:
                    6b:6e:eb:a3:cc:20:7f:09:a7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
            A2:57:FD:29:37:C9:1C:72:45:21:81:72:AE:71:31:CB:9E:BA:F8:CC
            X509v3 Authority Key Identifier:
            keyid:A2:57:FD:29:37:C9:1C:72:45:21:81:72:AE:71:31:CB:9E:BA:F8:CC
            DirName:/CN=OpenSSL Test Certificate
            serial:00

            X509v3 Basic Constraints:
            CA:TRUE
    Signature Algorithm: md5WithRSAEncryption
        74:8b:17:f9:fc:2c:16:a2:a7:b5:9d:2d:5d:1d:c4:f9:23:0c:
		...
        e6:ca:e4:fd:3a:3a:55:0c:d8:cc:e8:9a:22:03:64:7a:0a:9d:
        2e:0b

 SHOW SSLDECR CIPHERS

This command is available only in the Classic AMD.

Command SHOW SSLDECR CIPHERS displays information on the supported and unsupported cipher suites and statistics on cipher suite usage. The statistical information displayed applies to the period of time since the last reset of the device.

SHOW SSLDECR CIPHERS

Output

The output lists cipher suites one per line. The list entitled SSL cipher-suites status lists all cipher suites known to the AMD and the list entitled ignored cipher-suites gives cipher suites that have been observed but have not been identified by the AMD.

In the list of known cipher suites, the following designations are used:

+    Denotes supported suites.
-    Denotes unsupported suites.
*    Denotes conditionally supported suites, that is, suites supported for key sizes not bigger than a defined upper limit.
id   The cipher suite identification represented in hexadecimal code.
kex  The key exchange algorithm.
sig  The authentication algorithm.
enc  The private key encryption algorithm.
dig  The digest algorithm.
ref  The number of times the cipher was observed.

In the ignored cipher-suites list, the entry before the colon gives the cipher suite identification represented as a hexadecimal value (this corresponds to the id column in the first list), and the entry after the colon is the number of times the cipher was observed (this corresponds to the ref column in the first list).

Example

>$  SHOW SSLDECR ciphers 
SSL cipher-suites status:
	- UNKNOWN                     id=00 kex=UNKNOWN sig=UNKNOWN enc=MD5  dig=NONE ref=0
	+ NULL-MD5                    id=01 kex=RSA sig=RSA enc=UNKNOWN dig=MD5 ref=0
	+ NULL-SHA                    id=02 kex=RSA sig=RSA enc=UNKNOWN dig=SHA ref=0
	* EXP-RC4-MD5                 id=03 kex=RSA_EXP sig=RSA enc=RC4  dig=MD5 ref=0
	...
	- DH-RSA-AES256-SHA           id=37 kex=DH  sig=RSA enc=AES-256-CBC dig=MD5 ref=0
	- DHE-DSS-AES256-SHA          id=38 kex=DH  sig=DSS enc=AES-256-CBC dig=MD5 ref=0
	- DHE-RSA-AES256-SHA          id=39 kex=DH  sig=RSA enc=AES-256-CBC dig=MD5 ref=0
	- ADH-AES256-SHA              id=3A kex=DH  sig=RSA enc=AES-256-CBC dig=MD5 ref=0
ignored cipher-suites:
0000222B:123
00000211:2
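The following Python snippet is an added example (not AMD code and not from this page) that parses both cipher-suite list formats shown on this page, the Classic AMD list with id/kex/sig/enc/dig/ref fields and the High Speed AMD "Well know cipher-suites" list, plus the ignored cipher-suites lines, and reports how much of the observed traffic ran on suites marked "-" (in these outputs, the DH key-exchange suites). The sample lines are constructed from the page's examples; the function and type names are this example's own.

```python
import re
from collections import namedtuple

# Constructed samples in the two list formats this page shows
SAMPLE_CLASSIC = """\
SSL cipher-suites status:
    + RC4-MD5                     id=04 kex=RSA sig=RSA enc=RC4  dig=MD5 ref=5345
    + AES128-SHA                  id=2F kex=RSA sig=RSA enc=AES-128-CBC dig=SHA ref=2854
    * EXP-RC4-MD5                 id=03 kex=RSA_EXP sig=RSA enc=RC4  dig=MD5 ref=0
    - DHE-RSA-AES128-SHA          id=33 kex=DH  sig=RSA enc=AES-128-CBC dig=MD5 ref=11171
ignored cipher-suites:
0000222B:123
00000211:2
"""

SAMPLE_HIGH_SPEED = """\
                Well know cipher-suites:
                        * TLS_RSA_EXP_RSA_WITH_RC4_128_MD5 ref=459
                        + TLS_RSA_WITH_RC4_128_MD5 ref=277381
                        - TLS_DH_RSA_WITH_DES_CBC_SHA ref=20
                Unknown cipher-suites:
"""

Suite = namedtuple("Suite", "mark name id kex sig enc dig ref")

_SUITE = re.compile(r"^\s*([+*-])\s+(\S+)\s*(.*?)\s*$")      # mark, suite name, key=value tail
_KV = re.compile(r"(\w+)=(\S+)")
_IGNORED = re.compile(r"^\s*([0-9A-Fa-f]{8}):(\d+)\s*$")     # hex id:count lines of the ignored list


def parse_ciphers(text):
    """Return (list of Suite, dict of ignored id -> count) from either list format."""
    suites, ignored = [], {}
    for line in text.splitlines():
        m = _SUITE.match(line)
        if m:
            mark, name, tail = m.groups()
            kv = dict(_KV.findall(tail))             # High Speed lines only carry ref=
            suites.append(Suite(mark, name, kv.get("id"), kv.get("kex"), kv.get("sig"),
                                kv.get("enc"), kv.get("dig"), int(kv.get("ref", 0))))
            continue
        m = _IGNORED.match(line)
        if m:
            ignored[m.group(1)] = int(m.group(2))
    return suites, ignored


def unsupported_usage(suites):
    """Unsupported suites ('-') that were actually negotiated, busiest first."""
    return sorted(((s.name, s.ref) for s in suites if s.mark == "-" and s.ref > 0),
                  key=lambda t: t[1], reverse=True)


def refs_by_kex(suites):
    """Observed references per key-exchange algorithm (DH suites are the ones the AMD marks '-')."""
    out = {}
    for s in suites:
        out[s.kex or "unknown"] = out.get(s.kex or "unknown", 0) + s.ref
    return out


def decryptable_share(suites, ignored):
    """Percent of observed references on suites the AMD can decrypt ('+' or '*'); ignored suites count against it."""
    total = sum(s.ref for s in suites) + sum(ignored.values())
    if total == 0:
        return 0.0
    good = sum(s.ref for s in suites if s.mark in "+*")
    return round(100.0 * good / total, 1)


if __name__ == "__main__":
    for label, text in (("classic", SAMPLE_CLASSIC), ("high speed", SAMPLE_HIGH_SPEED)):
        suites, ignored = parse_ciphers(text)
        print("%s: decryptable share %.1f%%, by kex %s, unsupported in use %s, ignored %s"
              % (label, decryptable_share(suites, ignored), refs_by_kex(suites),
                 unsupported_usage(suites), ignored))
```

In the Classic sample the single DH suite accounts for more than half of the observed references, which is exactly the "unsupported cipher" share that appears under "Finished sessions not decrypted" in the per-server status above.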

 SHOW SSLDECR HELP

This command is available only in the Classic AMD.

Command SHOW SSLDECR HELP displays help information for the SHOW SSLDECR family of commands.

SHOW SSLDECR HELP

Output

The command outputs help information for the SHOW SSLDECR family of commands.

Example

 >$  SHOW SSLDECR HELP 
SHOW SSLDECR HELP      - display this help message
SHOW SSLDECR CERTS     - list full text of all observed certificates
SHOW SSLDECR CIPHERS   - displays information on the supported and unsupported cipher suites
SHOW SSLDECR NAMES     - display Distinguished Name content for all observed client and server certificates
SHOW SSLDECR KEYS      - display summary information for all private keys defined in configuration
SHOW SSLDECR LOGLEVEL  - display current level of logging SSL diagnostic information
SHOW SSLDECR SERVERS   - display summary information for all SSL servers defined in configuration
SHOW SSLDECR STATUS    - show gen

 SHOW SSLDECR KEYS

This command is available only in the Classic AMD.

Command SHOW SSLDECR KEYS displays summary information for all private keys listed in the AMD configuration. The statistical information displayed applies to the period of time since the last reset of the device.

SHOW SSLDECR KEYS

Output

The output consists of one line for each key, with the key name, type, size, and status. For keys that were declared in the configuration (are present on the list of defined keys), but were not successfully read, the type and size are not available. The section ends with a summary line providing information about the total number of keys, the total number of valid keys read successfully, the total number of keys that failed to read, and the number of valid keys matched to certificates.

The status value corresponds to one of the following cases:

  • error (syntax error): error when reading key information from the list of configured keys.

  • error (unsupported type): key incompatible with decrypting engine.

  • error (reading failed): Reading of a key failed for some reason, such as key file not present or corrupt.

  • OK (read): The key has been read successfully.

  • OK (matched): The key has been read and matched to a certificate.

Example

 Configuration for SSL private keys:
    <key: 0xc, status: type not supported>
    <key: s1.key, type: file, size: 1024, status: OK (read)>
    <key: k2key.pem, type: file, size: 2048, status: OK (matched)>
    <key: TT.key, type: file, size: 1024, status: OK (read)>
    <key: KK.key, status: read failed>
    <key: openssl.pem, type: file, size: 1024, status: OK (matched)>
    <key: tt22052.key, status: parse error>
Keys total: 7, ok: 4, failed: 3, matched: 2

 SHOW SSLDECR NAMES

This command is available only in the Classic AMD.

Command SHOW SSLDECR NAMES displays Distinguished Name content for all observed client and server certificates.

SHOW SSLDECR NAMES

Output

The command outputs one line per certificate, showing the Distinguished Name contents and the number of times the certificate was seen.

Example

>$  SHOW SSLDECR NAMES 
c:31900536 dn:=GB/S=Berkshire/L=Newbury/O=My Company Ltd>
   

 SHOW SSLDECR SERVERS

This command is available only in the Classic AMD.

Command SHOW SSLDECR SERVERS displays summary information for all SSL servers defined in configuration. The statistical information displayed applies to the period of time since the last reset of the device.

SHOW SSLDECR SERVERS

Output

For each server, the IP address and port are displayed with the corresponding certificates. Each server line is followed by a number of certificate lines, each of which corresponds to a certificate sent from this server, if any.

A server line provides information about the server IP address and port number, the number of certificates seen for this server, the number of keys used for this server, and analyzer status for this server. The number of certificates for a server can be:

  • greater than zero and equal to the number of keys, meaning that all needed keys for this server are available (status is positive).

  • zero, with the number of keys also zero, meaning that no keys were needed for the given server (status is positive).

  • greater than zero and greater than the number of keys, meaning that a key or keys were missing for this server (status is negative).

Each certificate line provides information about the certificate (the Subject field from certificate) and either a key identifier of a matching key or a question mark, if the certificate is not matched to a known key.

The server status is concluded with a summary line giving the total number of servers, the total number of keys needed for those servers, the total number of keys found, and the total number of keys missing for those servers.

Example

 <server: 10.10.10.10(443), certs seen: 1, keys used: 1, status: key(s) found>
		<cert: [/C=US/ST=Michigan/L=Detroit/O=Compuware Corporation/OU=Technology/OU=Hosted by Compuware Corporation/OU=PlatinumSSL SGC], sent: 5275, in progress: 12 key: jira>
		<cert: [/C=US2/ST=Michigan2/L=Detroit2/O=Compuware Corporation2/OU=Technology2/OU=Hosted by Compuware Corporation2/OU=PlatinumSSL SGC2], sent: 532135, in progress: 8 key: jira2>

	<server: 20.20.20.20(443), certs seen: 1, keys used: 1, status: key(s) found>
		<cert: [/C=US2/ST=Michigan2/L=Detroit2/O=Compuware Corporation2/OU=Technology2/OU=Hosted by Compuware Corporation2/OU=PlatinumSSL SGC2], sent: 532135, in progress: 8 key: jira2>
		<cert: [/C=US3/ST=Michigan3/L=Detroit3/O=Compuware Corporation3/OU=Technology3/OU=Hosted by Compuware Corporation3/OU=PlatinumSSL SGC3], sent: 2275, in progress: 12 key: jira3>
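As an added example (not part of the product or of this page), this Python script reads the SHOW SSLDECR KEYS and SHOW SSLDECR SERVERS outputs, cross-checks the key summary line against the per-key lines, lists keys that failed to load, flags keys shorter than a chosen size, and applies the rule given above (certificates seen greater than keys used means a key is missing) to report servers with unmatched certificates. The sample text, key names, addresses, subjects and the "key(s) missing" status label are constructed for this example; the function names are its own.

```python
import re

# Constructed samples following the SHOW SSLDECR KEYS / SHOW SSLDECR SERVERS formats
# on this page (names, addresses and counts are made up for this example)
SAMPLE_KEYS = """\
Configuration for SSL private keys:
    <key: 0xc, status: type not supported>
    <key: s1.key, type: file, size: 1024, status: OK (read)>
    <key: k2key.pem, type: file, size: 2048, status: OK (matched)>
    <key: KK.key, status: read failed>
    <key: openssl.pem, type: file, size: 1024, status: OK (matched)>
    <key: tt22052.key, status: parse error>
Keys total: 6, ok: 3, failed: 3, matched: 2
"""

# 'key(s) missing' is a made-up label for the negative status; the check below
# recomputes the status from the counts and does not rely on the label text
SAMPLE_SERVERS = """\
<server: 10.10.10.10(443), certs seen: 1, keys used: 1, status: key(s) found>
        <cert: [/C=US/ST=Michigan/L=Detroit/O=Example Corp/OU=Web], sent: 5275, in progress: 12 key: k2key.pem>
<server: 20.20.20.20(443), certs seen: 1, keys used: 0, status: key(s) missing>
        <cert: [/C=US/ST=Michigan/L=Detroit/O=Example Corp/OU=Portal], sent: 2275, in progress: 3 key: ?>
"""

_KEY = re.compile(r"<key:\s*(?P<name>[^,>]+)(?:,\s*type:\s*(?P<type>[^,>]+))?"
                  r"(?:,\s*size:\s*(?P<size>\d+))?,\s*status:\s*(?P<status>[^>]+)>")
_SUMMARY = re.compile(r"Keys total:\s*(\d+),\s*ok:\s*(\d+),\s*failed:\s*(\d+),\s*matched:\s*(\d+)")
_SERVER = re.compile(r"<server:\s*(?P<ip>[\d.]+)\((?P<port>\d+)\),\s*certs seen:\s*(?P<certs>\d+),"
                     r"\s*keys used:\s*(?P<keys>\d+),\s*status:\s*(?P<status>[^>]+)>")
_CERT = re.compile(r"<cert:\s*\[(?P<subject>[^\]]*)\],\s*sent:\s*(?P<sent>\d+),"
                   r"\s*in progress:\s*(?P<inprog>\d+)\s*key:\s*(?P<key>[^>]+)>")


def parse_keys(text):
    """Return (list of key dicts, summary dict) from SHOW SSLDECR KEYS output."""
    keys = []
    for m in _KEY.finditer(text):
        d = m.groupdict()
        d["size"] = int(d["size"]) if d["size"] else None   # absent for keys that failed to read
        d["status"] = d["status"].strip()
        keys.append(d)
    m = _SUMMARY.search(text)
    summary = dict(zip(("total", "ok", "failed", "matched"), map(int, m.groups()))) if m else {}
    return keys, summary


def verify_summary(keys, summary):
    """True if the summary line agrees with the per-key lines."""
    ok = [k for k in keys if k["status"].startswith("OK")]
    matched = [k for k in ok if "matched" in k["status"]]
    return (summary.get("total"), summary.get("ok"), summary.get("failed"), summary.get("matched")) == \
        (len(keys), len(ok), len(keys) - len(ok), len(matched))


def failed_keys(keys):
    """Configured keys the engine could not use, with the reason."""
    return [(k["name"], k["status"]) for k in keys if not k["status"].startswith("OK")]


def short_keys(keys, min_bits=2048):
    """Loaded keys below min_bits (1024-bit RSA is below current minimums)."""
    return [k["name"] for k in keys if k["size"] is not None and k["size"] < min_bits]


def parse_servers(text):
    """Return a list of server dicts, each with its certificate lines attached."""
    servers = []
    for line in text.splitlines():
        m = _SERVER.search(line)
        if m:
            d = m.groupdict()
            d["port"], d["certs"], d["keys"] = int(d["port"]), int(d["certs"]), int(d["keys"])
            d["status"] = d["status"].strip()
            d["cert_lines"] = []
            servers.append(d)
            continue
        m = _CERT.search(line)
        if m and servers:
            c = m.groupdict()
            c["sent"], c["inprog"] = int(c["sent"]), int(c["inprog"])
            c["key"] = c["key"].strip()
            servers[-1]["cert_lines"].append(c)
    return servers


def server_key_gaps(servers):
    """Servers with more certificates seen than keys used (negative status), with the
    subjects of the certificates that have no matching key ('?')."""
    gaps = []
    for s in servers:
        if s["certs"] > s["keys"]:
            unmatched = [c["subject"] for c in s["cert_lines"] if c["key"] == "?"]
            gaps.append(("%s:%d" % (s["ip"], s["port"]), unmatched))
    return gaps


if __name__ == "__main__":
    keys, summary = parse_keys(SAMPLE_KEYS)
    print("summary consistent:", verify_summary(keys, summary))
    print("failed keys:", failed_keys(keys))
    print("keys under 2048 bits:", short_keys(keys))
    for server, subjects in server_key_gaps(parse_servers(SAMPLE_SERVERS)):
        print("missing key for %s: %s" % (server, subjects))
```

Run against the real rcon output, the two "missing" lists are the ones to act on: a failed key means the file on the AMD is absent, corrupt or of a type the engine does not accept, and an unmatched certificate means the server is presenting a certificate for which no configured key exists, so its sessions will land under "with no private key found".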


2 Comments

  1. Hello,

    For the high speed AMD command, ssldecr status <serverIP>:port, there is no : in the command. I am using the 12.4.11 HS AMD.

    If there is a : it results in a syntax error.

    Regards,

    Harshal.

    1. Hello Harshal,

      Thanks for pointing this out, we have corrected the doc.