Having gone through our SSL Series on Elliptic Curve Cryptography and Perfect Forward Secrecy, you should have a good understanding of these technologies and why they are important to your organization. Our last article demonstrated how to successfully implement ECC and PFS on a LineRate System. This article shows how to verify that SSL with ECC+PFS has been implemented properly on LineRate. Specifically, it details how to check for ECC SSL on the wire with Wireshark and in the browser. Let's get started!
By browsing to https://ssloffload.lineratesystems.com, it is observed that the ECC secp384r1 curve is being used to secure the session. Figure 1 details the specific network configuration we now have. Note that ssloffload.lineratesystems.com is a private, RFC1918 address and will not work directly for you.
Figure 1: Detailed network overview of the SSL/TLS Offload configuration with LineRate
Figure 2 details the HTTPS request from a client machine to https://ssloffload.lineratesystems.com:
Figure 2: Inspecting the ECC+PFS certificate for the HTTPS session
An investigation into the SSL negotiation details from the client to the LineRate system shows that the ECDHE cipher suite is indeed used in combination with the secp384r1 ECC curve. A pcap of the SSL/TLS handshake has been included at the end of this article if you would like to investigate this process further. Figure 3 highlights the SSL handshake negotiation, showing that PFS is present (via the Elliptic Curve Diffie–Hellman Ephemeral, or ECDHE, cipher suite used) and that the ECC curve successfully negotiated is indeed secp384r1:
Figure 3: Ensuring ECC+PFS cryptography is chosen to secure the client's communication
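The same check Figure 3 performs by eye can be scripted. The following is an added example, not code from the original article or from LineRate: it parses the server's side of a TLS 1.2-style handshake and reports the selected cipher suite and named curve. The function names are hypothetical, the sample bytes are constructed rather than taken from the article's pcap, and the suite table is only a subset of the IANA registry.

```python
ECDHE_SUITES = {  # subset of the IANA TLS cipher suite registry
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
NAMED_CURVES = {23: "secp256r1", 24: "secp384r1", 25: "secp521r1"}

def handshake_messages(stream):
    """Yield (msg_type, body) from the server's raw TLS record bytes."""
    buf, pos = b"", 0
    while pos + 5 <= len(stream):
        ctype = stream[pos]
        length = int.from_bytes(stream[pos + 3:pos + 5], "big")
        if pos + 5 + length > len(stream):
            raise ValueError("truncated TLS record")
        if ctype == 22:  # handshake records only; messages may span records
            buf += stream[pos + 5:pos + 5 + length]
        pos += 5 + length
    pos = 0
    while pos + 4 <= len(buf):
        mlen = int.from_bytes(buf[pos + 1:pos + 4], "big")
        if pos + 4 + mlen > len(buf):
            raise ValueError("truncated handshake message")
        yield buf[pos], buf[pos + 4:pos + 4 + mlen]
        pos += 4 + mlen

def negotiated(stream):
    """Report the cipher suite and named curve the server selected."""
    out = {"cipher_suite": None, "pfs": False, "curve": None}
    for mtype, body in handshake_messages(stream):
        if mtype == 2:  # ServerHello: version(2) random(32) session_id suite(2)
            off = 35 + body[34]  # skip the variable-length session_id
            suite = int.from_bytes(body[off:off + 2], "big")
            out["cipher_suite"] = ECDHE_SUITES.get(suite, hex(suite))
            out["pfs"] = suite in ECDHE_SUITES
        elif mtype == 12 and body[0] == 3:  # ServerKeyExchange, named_curve
            curve = int.from_bytes(body[1:3], "big")
            out["curve"] = NAMED_CURVES.get(curve, str(curve))
    return out

def hs_msg(mtype, body):  # wrap a body as a handshake message
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body
def tls_record(payload):  # wrap a payload as a TLS 1.2 handshake record
    return b"\x16\x03\x03" + len(payload).to_bytes(2, "big") + payload

# Constructed sample, not the article's pcap: zeroed P-384 point, no signature.
SAMPLE = (tls_record(hs_msg(2, b"\x03\x03" + bytes(32) + b"\x00\xc0\x2c\x00"))
          + tls_record(hs_msg(12, b"\x03\x00\x18\x61\x04" + bytes(96))))
```

Calling `negotiated(SAMPLE)` reports an ECDHE suite with `pfs` set and `secp384r1` as the curve; a static RSA key exchange would show `pfs` as `False` and no curve.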
A network capture for the proxied request from the client to the web server can be seen below in Figure 4. Note that the communication is unencrypted while in the secure datacenter. This proves that the SSL Offload on the LineRate system has been successfully implemented, relieving our internal servers of the cryptography burden. A pcap of the HTTP request has been included at the end of this article if you would like to investigate this HTTP request further.
Figure 4: Ensuring the SSL client request to the web server has been successfully offloaded on LineRate
By now, you should have a good understanding of Elliptic Curve Cryptography and Perfect Forward Secrecy and why they are important to your organization. An SSL Offload system has now been successfully implemented as well. LineRate offers a very competitive $ per SSL Terminations-per-second and can quickly and easily help your organization implement an SSL Offloading system. Here are a few additional benefits LineRate offers:
Move over RSA: ECC crypto is here to stay! From this demonstration, it is easy to see that LineRate is a great way to quickly and easily deploy better performance and security with SSL. Take LineRate for a spin and test out its SSL Offloading capabilities!
In case you missed any content, or would like to reference it again, here are the articles related to implementing SSL Offload with ECC and PFS on LineRate: