Wireshark can be used to decode and decrypt SSL/TLS-encrypted communications between a client application and the CA API Gateway appliance. This article has the following limitations:
Decrypting SSL/TLS-encrypted traffic requires access to the private key used by the server. If the Gateway is the server for a TCP connection, the Gateway's private key can be exported and used. If the Gateway is the client for a TCP connection, the key would have to be obtained from the server or service administrator. This article focuses on using the Gateway as a server.
A packet capture cannot be decrypted if the SSL/TLS channel was opened with a cipher suite that uses Diffie-Hellman key exchange (which includes the elliptic curve variants). Diffie-Hellman key exchange provides perfect forward secrecy: an attacker who takes a packet capture cannot decrypt it later, even after a set of keys is compromised. The same limitation applies to a legitimate administrator, who cannot decrypt a packet capture after the transaction is complete.
Using a hardware security module (HSM) prevents a packet capture from being decrypted, because private keys held in the HSM cannot be exported. Private keys that were created elsewhere and then stored in an HSM-secured keystore can still be used, but they cannot be exported from the Gateway and will have to be exported from another system.
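Before exporting the Gateway's private key it is worth confirming that the capture is decryptable at all, i.e. that the negotiated cipher suite uses plain RSA key exchange rather than (EC)DHE. The following added example (not part of the original article or the Gateway product) parses the ServerHello record from a capture and classifies the suite; the two ServerHello records it checks are constructed inline, and the cipher-suite table is a subset of the IANA registry.

```python
import struct

# IANA cipher-suite ids and their key-exchange method. Only suites whose key
# exchange is plain RSA can be decrypted in Wireshark with the server's private key;
# (EC)DHE suites and every TLS 1.3 suite use ephemeral keys (forward secrecy).
CIPHER_SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA"),
    0x009D: ("TLS_RSA_WITH_AES_256_GCM_SHA384", "RSA"),
    0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE"),
    0x0039: ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "DHE"),
    0x009E: ("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "DHE"),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE"),
    0xC014: ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "ECDHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE"),
    0x1301: ("TLS_AES_128_GCM_SHA256", "ECDHE"),   # TLS 1.3: always ephemeral
    0x1302: ("TLS_AES_256_GCM_SHA384", "ECDHE"),
}

def parse_server_hello(record: bytes) -> dict:
    """Parse a TLS record carrying a ServerHello and classify the negotiated suite."""
    ctype, _ver, rlen = struct.unpack("!BHH", record[:5])   # record header
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rlen]
    if hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]         # skip handshake header
    sid_len = body[34]            # 2-byte version + 32-byte random precede session_id
    suite = struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]
    name, kx = CIPHER_SUITES.get(suite, (f"unknown_0x{suite:04X}", "unknown"))
    return {"suite": suite, "name": name, "kx": kx,
            "private_key_decryptable": kx == "RSA"}

# Constructed ServerHello records for demonstration (not taken from a real capture).
def _server_hello(suite: int) -> bytes:
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

RSA_HELLO = _server_hello(0x002F)     # decryptable with the Gateway's private key
ECDHE_HELLO = _server_hello(0xC02F)   # forward secret: private key is not enough

if __name__ == "__main__":
    for rec in (RSA_HELLO, ECDHE_HELLO):
        r = parse_server_hello(rec)
        print(r["name"], "->", "decryptable with server key"
              if r["private_key_decryptable"] else "not decryptable with server key")
```

In Wireshark the same value is visible in the Server Hello packet as the ssl.handshake.ciphersuite field; if it names a DHE or ECDHE suite, exporting the private key will not make the capture readable.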
ssl.handshake
The SSL debug log specified previously contains data for each packet dissection and decryption. Note the frame number of the affected packet (shown in the No. column), open the SSL debug log, search for that frame number (or a nearby frame number) and note the error message.