SSL module

From Allegro Packets Product Wiki
Jump to navigation Jump to search

The SSL module processes encrypted SSL/TLS traffic and stores the visible names of the SSL server internally for cross-referencing so that name lookup is possible for an IP even if no DNS name has been seen for it. Since a server may handle multiple instances of encrypted services, multiple names can be seen as well for an IP. The SSL modules stores all names for each IP which helps seeing which servers in the network handle which specific service. Also, the response times of the server for the initial SSL handshake and the first data transmission is measured as well to quantify the quality of the SSL connections. The available information is:


  • SSL server name: This identifier is set by the client of a connection to indicate which specific service the user wants to connect to. This is similar to the Host header of an HTTP request, when a server handle multiple virtual hosts.
  • SSL common name: This is the identifier set in the SSL certificate returned by the server. This indicates for which domains the server is responsible for. It may be identical to the requested SSL server name, but often it is a wildcard for any subdomain of the given host. For example, the requested server name may be www.google.com while the common name of the returned certificate may be *.google.com.
  • SSL handshake response time: The time between the SSL client hello and the SSL server hello is measured for statistical analysis.
  • SSL data response time: The time between the first SSL client data and the SSL server data is measured for statistical analysis.


Web interface

SSL module.png

The web page of the SSL module uses three tabs for showing all available information. At the top of the page, you will find a button which links to this documentation and a thrashcan button to clear all the statistics.


SSL servers

The first tab SSL servers shows a list of all IP addresses for which SSL information could be retrieved. The table of IP addresses contains a search bar where you can enter an IP address or string which is matched against all name fields. This makes it possible to search for a specific IP or to find all IP addresses involved for a given certificate name. The columns are as follows:


  • IP address: This is the IP address for which SSL information has been seen. Clicking on it will lead to the IP module page of the same IP address.
  • Country: The country code for the corresponding IP.
  • Alternative names: All known names for that IP address are shown in the column. This includes the DNS name and DHCP name, if available.
  • Server name: As described above, this is the name requested by the client. Since an IP may host multiple services, all seen names are listed here.
  • Common name: Similar to the server name, the common names of all seen certificates are listed here, which have been returned by the server.
  • Capture: The capture button allows to directly capture traffic for the corresponding IP address.


Most accessed SSL servers

The second tabs shows the top list of all accessed SSL servers, showing the most accessed server first. The list contains the number of requestes, the IP (with a link to main server list filtered for that IP), the country of that IP, and alternative names known for this IP.


SSL response times

The third tab show global statistics of all SSL requests and a list of all SSL servers for which response times could be calculated.

The global statistics contains for the SSL handshake and first SSL data transmission:

  • the number of handshakes/data responses: This is the total number of requests/responses that have been seen on the network.
  • Average response time: This is the average response time in milliseconds for all servers.
  • Standard deviation: This value shows the variation of the response times (https://en.wikipedia.org/wiki/ Standard_deviation)
  • Minimum response time: This is the smallest response time seen on the network.
  • Maximum response time: This is the largest response time seen on the network.

Next to each table (handshake time and data time) there is a chart about the number of servers with good, bad, or medium response quality. The table is split to local servers (those within private thumbnetworks) and global servers (all the rest). The green plus symbol contains all servers with a quality score of 4 or more, the orange symbol covers all servers with a quality score between 3 and 4, and the red minus symbol covers all servers with a quality score of less than 3. The list of servers below can be sorted for the quality value to view the relevant servers from each category. Below the global statistics there are two graphs for historical data for handshake and SSL data responses. The data points are the average response time in the given time window (depending on the zoom level), and the top and bottom line shows the maximum and minimum response time in that time frame.


Below the graphs there is the list of all HTTP servers with the following columns:

  • IP: The server IP. Clicking on it leads to the connection view of the IP module which allows to see the actual connections with the response times.
  • Country: The country code for the IP address.
  • Type: This column indicates both rows of data shown in the following columns. The first line is the SSL handshake time, and the second column is the SSL data resonse time.
  • No of response: The number of SSL requests/responses seen for this IP address.
  • Avg response time: This is the average response time for this IP address.
  • Deviation: This is the standard deviation for all response times of this IP address.
  • Min response time: The minimum response time in milliseconds.
  • Max response time: The maximum response time in milliseconds.
  • Score: The score is a value between 1 and 5 describing the quality of the HTTP server. 1 means the worst quality, 5 means the best quality. The value is calculated based on a scoring algorithm. The score allows to quickly sort for quality and identify bad performing servers. For sorting, the smaller of both response times is used.
  • Alternative names: The column contains other names for this IP address, from whatever name source that is available (DNS, DHCP, ...).


Negotiated SSL/TLS cipher suites

This tab shows all server negotiated SSL/TLS cipher suites in a table. Per cipher suite the name, number of SSL server hellos (which contains the cipher suite negotiation) and a graph with server hellos over time are shown. By click on a cipher suite a detail page is shown with a table of all IPs that used this cipher suite in a SSL connection either as server or client. A graph shows the server hellos having that IP as either source or destination over time. When clicking on an IP address the connection tab of that particular IP address is shown with a preset filter of SSL connections with that cipher suite to allow further investigation.