Earlier this year, the IETF finalized the TLS 1.3 specification, which introduces performance enhancements and mandates perfect forward secrecy (PFS). This came as an unpleasant surprise to many enterprise IT organizations that need to passively decrypt and analyze network traffic for a variety of reasons, but they were too late to the party to change things.
ExtraHop's customers had already asked us to develop a solution for passively decrypting PFS traffic that wouldn't require an expensive man-in-the-middle appliance. That solution involves deploying a session key forwarding agent (we like to call it a "secret agent") on the customer-controlled servers whose traffic you want to analyze. An alternative is to use an F5 BIG-IP application delivery controller to extract those session keys and forward them to the ExtraHop appliance.
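To make the mechanism concrete, here is an added example (not ExtraHop's agent, not F5's iRule, and not code from the post) of the smallest piece of work such a "secret agent" has to do: read the per-session secrets an endpoint exports, group them by client random, and forward only sessions that are complete enough for a passive analyzer to decrypt. It assumes the endpoint writes secrets in the NSS key log format (the `SSLKEYLOGFILE` format emitted by browsers, OpenSSL, Go and others); the JSON-lines wire format, the function names and the sample key log are constructed for this example.

```python
import json
import re
from dataclasses import dataclass, field

# Secret labels from the NSS key log format. TLS 1.2 logs one master secret per
# session under CLIENT_RANDOM; TLS 1.3 logs separate per-direction traffic
# secrets, which is why PFS traffic can only be decrypted passively with help
# from an endpoint that still holds them.
TLS12_LABEL = "CLIENT_RANDOM"
TLS13_LABELS = frozenset({
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
})
# Decrypting application data needs at least the two 1-RTT traffic secrets.
TLS13_REQUIRED = frozenset({"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"})

# Line shape: <label> <client random, 32 bytes hex> <secret, hex>
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")


@dataclass
class SessionKeys:
    client_random: str                            # lower-case hex; the analyzer's lookup key
    version: str                                  # "TLS1.2" or "TLS1.3"
    secrets: dict = field(default_factory=dict)   # label -> lower-case hex secret


def parse_keylog(text: str) -> dict:
    """Group key-log lines by client random. Comments, blank lines and
    malformed lines are skipped rather than failing the whole batch."""
    sessions = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        label, client_random, secret = m.groups()
        if label == TLS12_LABEL:
            version = "TLS1.2"
        elif label in TLS13_LABELS:
            version = "TLS1.3"
        else:
            continue                      # unknown label: ignore, do not guess
        key = client_random.lower()
        rec = sessions.setdefault(key, SessionKeys(key, version))
        rec.secrets[label] = secret.lower()
    return sessions


def ready_to_decrypt(rec: SessionKeys) -> bool:
    """True once an analyzer could decrypt application data for this session."""
    if rec.version == "TLS1.2":
        return TLS12_LABEL in rec.secrets
    return TLS13_REQUIRED.issubset(rec.secrets)


def forward_batch(sessions: dict) -> list:
    """Serialize only complete sessions as JSON lines, the (assumed) shape an
    agent would send to the analysis appliance."""
    out = []
    for rec in sessions.values():
        if ready_to_decrypt(rec):
            out.append(json.dumps({
                "client_random": rec.client_random,
                "version": rec.version,
                "secrets": rec.secrets,
            }, sort_keys=True))
    return out


# Constructed sample key log: one complete TLS 1.3 session, one TLS 1.2
# session, and one TLS 1.3 session that has only reached the handshake stage.
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, constructed for this example",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "aa" * 32 + " " + "11" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "aa" * 32 + " " + "22" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "aa" * 32 + " " + "33" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "aa" * 32 + " " + "44" * 32,
    "CLIENT_RANDOM " + "bb" * 32 + " " + "55" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "cc" * 32 + " " + "66" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "cc" * 32 + " " + "77" * 32,
    "this line is malformed and must be skipped",
])

if __name__ == "__main__":
    batch = forward_batch(parse_keylog(SAMPLE_KEYLOG))
    print(f"{len(batch)} session(s) ready to forward")
    for line in batch:
        print(line)
```

The point the example makes is the one the post hinges on: with TLS 1.3 there is no single long-lived key to hand to an analyzer, only per-session, per-direction secrets keyed by the client random, so whatever does the forwarding must run on (or in front of) the endpoint that derives them, and the channel it forwards over deserves the same protection as the traffic being decrypted.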
Our friends at F5's DevCentral put together a lightboard video and blog post detailing how to implement this solution. Give it a watch!