How to Decrypt SSL Traffic on LTM
For this to work you need to record the session secrets while the TLS handshakes are happening. If you already took a capture and everything in it is encrypted, it is too late: the secrets were never logged and nothing can recover them from the packets. So this entry is for those of you who would like to do some work ahead of time on the F5 and then have the user run their application test while you are running a tcpdump. In many cases I have only needed to do this on our DMZ LTM, which is where our F5 works as an SSL bridge (client-ssl and server-ssl profiles on the same virtual server), so the secrets for both the client-side and the server-side connection have to be logged.
SETUP
Put the source IPs of the test clients in a text file. I'm calling mine /var/tmp/app1_dg_nonprod_address.txt
Create a data group from that file. The first command loads the file onto the box; the second creates the external data group object that the iRule references by name (the file object on its own is not something class match can look up):
tmsh create /sys file data-group dg.app1.nonprod separator ":=" source-path file:/var/tmp/app1_dg_nonprod_address.txt type ip
tmsh create /ltm data-group external dg.app1.nonprod external-file-name dg.app1.nonprod
Create iRule and reference datagroup
## irule.ssl.decrypt.app1.nonprod
## Logs the TLS master secret of every handshake from a client listed in
## dg.app1.nonprod, in the two formats Wireshark's key log file accepts.
## CLIENTSSL_HANDSHAKE covers the user -> LTM connection; SERVERSSL_HANDSHAKE
## covers the LTM -> pool member connection that the SSL bridge re-encrypts.
when CLIENTSSL_HANDSHAKE {
    # strip any route-domain suffix (10.1.1.1%2 -> 10.1.1.1) before matching the address data group
    if { [class match [getfield [IP::client_addr] "%" 1] equals dg.app1.nonprod] } {
        log local0. "CLIENT_Side_IP:TCP source port: [IP::client_addr]:[TCP::remote_port]"
        log local0. "CLIENT_RANDOM [SSL::clientrandom] [SSL::sessionsecret]"
        log local0. "RSA Session-ID:[SSL::sessionid] Master-Key:[SSL::sessionsecret]"
    }
}
when SERVERSSL_HANDSHAKE {
    # in a server-side event IP::client_addr and TCP::remote_port describe the LTM's own
    # server-side connection (its source address, i.e. the SNAT address when SNAT is on,
    # and the pool member port), so evaluate them in clientside context to keep matching
    # on the real client
    if { [class match [getfield [clientside {IP::client_addr}] "%" 1] equals dg.app1.nonprod] } {
        log local0. "CLIENT_Side_IP:TCP source port: [clientside {IP::client_addr}]:[clientside {TCP::remote_port}]"
        # here SSL::clientrandom is the random the LTM sent as TLS client to the pool member
        log local0. "CLIENT_RANDOM [SSL::clientrandom] [SSL::sessionsecret]"
        log local0. "RSA Session-ID:[SSL::sessionid] Master-Key:[SSL::sessionsecret]"
    }
}
Add iRule to Virtual Server you want to capture traffic on
Start the capture via the CLI on the F5 where the iRule is running (0.0 captures on all interfaces, :nnn adds flow and connflow metadata, -s0 keeps whole packets):
tcpdump -ni 0.0:nnn -s0 --f5 ssl host 198.200.19.151 or host 10.46.69.31 -w /var/tmp/app1-ext.hosangit.com_tcpdump_VS_$(date +%d_%b_%H_%M_%S)_$HOSTNAME.pcap
Start Capture via cli on downstream F5 (optional)
tcpdump -ni 0.0:nnn -s0 --f5 ssl host 10.46.69.31 or host 10.46.126.197 or host 10.46.126.242 or host 10.46.126.253 -w /var/tmp/app1-int.hosangit.com_tcpdump_VS_$(date +%d_%b_%H_%M_%S)_$HOSTNAME.pcap
BEGIN testing the application to reproduce the error; once the error occurs, STOP the captures with CTRL + C
Download .pcap file(s)
Get the secrets off the F5 where the iRule is running. Do this right after the test, before /var/log/ltm rotates. The iRule logs two formats; keep both, because the RSA Session-ID lines are useless for sessions whose session ID is empty, while the CLIENT_RANDOM lines match any handshake:
sed -n -e 's/^.*\(CLIENT_RANDOM \)/\1/p' -e 's/^.*\(RSA Session-ID\)/\1/p' /var/log/ltm > /var/tmp/app1-ext.hosangit.com-sessionsecrets_$(date +%d_%b_%H_%M_%S)_$HOSTNAME.pms
Download the session secrets (.pms file), for example:
/var/tmp/app1-ext.hosangit.com-sessionsecrets_$(date +%d_%b_%H_%M_%S)_$HOSTNAME.pms
In Wireshark, point Edit > Preferences > Protocols > TLS (called SSL on older versions) > (Pre)-Master-Secret log filename at the .pms file and open the .pcap; the sessions from the listed clients decrypt. When you are done, remove the iRule from the virtual server and clean up: the .pms file and /var/log/ltm now hold the master secrets of those sessions in cleartext, and anyone who can read the log, including a remote syslog destination it is shipped to, can decrypt the capture.
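The extraction step above pulls the key log lines straight out of /var/log/ltm. As an added example that is not part of the original post, here is a shell version that keeps both line formats the iRule logs, validates the hex field lengths, drops duplicates and empty session IDs, and runs against a constructed sample of /var/log/ltm (the timestamp, hostname and hex values are made up and are not real key material):

```shell
#!/bin/bash
# Added example (not from the original post): turn the secrets the iRule wrote
# to /var/log/ltm into a Wireshark key log (.pms) file.
# Both line formats the iRule logs are kept, validated and de-duplicated:
#   CLIENT_RANDOM <client random, 64 hex> <master secret, 96 hex>     matched by client random
#   RSA Session-ID:<session id hex> Master-Key:<master secret, 96 hex> matched by session ID
# An empty Session-ID (e.g. session-ticket resumption) can never match a capture,
# so those lines are dropped instead of being handed to Wireshark.

# Read an ltm log on stdin, write key log lines on stdout.
extract_keylog() {
    # sed strips the syslog/iRule prefix and keeps only lines carrying a secret;
    # awk enforces field lengths (32-byte random = 64 hex, 48-byte master secret
    # = 96 hex, plus the 11-character "Session-ID:" / "Master-Key:" prefixes) and
    # de-duplicates, since the iRule fires on every handshake and resumption.
    sed -n \
        -e 's/^.*\(CLIENT_RANDOM [0-9a-fA-F]* [0-9a-fA-F]*\).*$/\1/p' \
        -e 's/^.*\(RSA Session-ID:[0-9a-fA-F]* Master-Key:[0-9a-fA-F]*\).*$/\1/p' |
    awk '
        $1 == "CLIENT_RANDOM" && length($2) == 64 && length($3) == 96 && !seen[$0]++ { print; next }
        $1 == "RSA" && (length($2) > 11) && length($3) == 107 && !seen[$0]++ { print }
    '
}

# Constructed sample of /var/log/ltm with the iRule attached. The hex values
# are made up and are not real key material.
H16=0123456789abcdef
G16=fedcba9876543210
CR1="$H16$H16$H16$H16"                  # client-side client random (64 hex)
MS1="$H16$H16$H16$H16$H16$H16"          # client-side master secret (96 hex)
SID1="$G16$G16$G16$G16"                 # client-side session ID
CR2="$G16$G16$G16$G16"                  # server-side (LTM -> pool member) client random
MS2="$G16$G16$G16$G16$G16$G16"          # server-side master secret
PFX='Jan 10 12:00:01 bigip1 info tmm[12345]: Rule /Common/irule.ssl.decrypt.app1.nonprod'

sample_ltm_log() {
    cat <<EOF
$PFX <CLIENTSSL_HANDSHAKE>: CLIENT_Side_IP:TCP source port: 10.46.69.31:51234
$PFX <CLIENTSSL_HANDSHAKE>: CLIENT_RANDOM $CR1 $MS1
$PFX <CLIENTSSL_HANDSHAKE>: RSA Session-ID:$SID1 Master-Key:$MS1
$PFX <SERVERSSL_HANDSHAKE>: CLIENT_RANDOM $CR2 $MS2
$PFX <SERVERSSL_HANDSHAKE>: RSA Session-ID: Master-Key:$MS2
$PFX <CLIENTSSL_HANDSHAKE>: CLIENT_RANDOM $CR1 $MS1
$PFX <CLIENTSSL_HANDSHAKE>: CLIENT_RANDOM $CR2 dead
EOF
}

# On the BIG-IP:  extract_keylog < /var/log/ltm > /var/tmp/app1-ext.pms
# Here the constructed sample stands in for /var/log/ltm; three of the seven
# lines survive (the port-logging line, the empty Session-ID, the duplicate
# and the truncated secret are all dropped).
sample_ltm_log | extract_keylog
```

The resulting file is loaded in Wireshark under Edit > Preferences > Protocols > TLS > (Pre)-Master-Secret log filename. Keeping the CLIENT_RANDOM lines matters most: Wireshark matches them against the client random in every ClientHello, so they work whatever the session ID looks like, whereas the RSA Session-ID form only resolves when the handshake carried a non-empty session ID.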