F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

canttalkeating's avatar
canttalkeating
Icon for Altocumulus rankAltocumulus
Sep 07, 2019

Capturing Pre-Master Secret (Symmetric key) using ssldump utility

Hello all,   I have been testing the ssldump utility to try and decrypt TLS traffic on the server-side but I cannot get the ssldump utility to capture the RSA Session Keys and output them to a .p...
canttalkeating's avatar
canttalkeating
Icon for Altocumulus rankAltocumulus
Sep 08, 2019

Hi Dario,

 

Thanks for the reply.

 

I had forced the Server-side connection to use a cipher that ssldump can understand:

 

BIG-IP to Web Server

New TCP connection #1: 10.0.100.9(34913) <-> 10.0.100.41(443)

1 1 0.0010 (0.0010) C>S Handshake

   ClientHello

    Version 3.3

    cipher suites

     TLS_RSA_WITH_AES_128_GCM_SHA256

     TLS_EMPTY_RENEGOTIATION_INFO_SCSV

    compression methods

         NULL

 

Web Server to BIG-IP

1 2 0.0021 (0.0010) S>C Handshake

   ServerHello

    Version 3.3

    session_id[32]=

     de a8 c1 05 4f 25 f0 fc 5d ee 9c b1 d1 8c 20 63

     4e 97 3a c7 f4 5d 4a 91 f0 db 4b 57 57 65 d2 e6

    cipherSuite     TLS_RSA_WITH_AES_128_GCM_SHA256

    compressionMethod          NULL

    extensions

     renegotiation_info

 

In production I also use the iRule to gather the RSA Session ID too which works fine on the server-side I just wanted to know if applying an iRule wasn't an option if this could be done with the SSLDump Utility

 

Cheers,

 

David

  • Dario_Garrido's avatar
    Dario_Garrido
    Icon for Noctilucent rankNoctilucent
    Sep 08, 2019

    Hello.

     

    Could you check if your ServerKeyExchange message is has a "not negotiated" value?

     

    BTW, I recommend you this link to see interesting tips about ssldump

    REF - https://packetpushers.net/using-ssldump-decode-ssltls-packets/

     

    KR,

    Dario.