For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

RobertWebb_7911's avatar
RobertWebb_7911
Icon for Nimbostratus rankNimbostratus
Jan 21, 2015

Decrypt SSL when using APM and clientless mode

So I have a setup where the end user sends me http posts. I have the LTM setup with an APM profile attached and use the proxypass irule for apm.

 

When my end users send a post through, if I do a tcpdump and then try and decode the conversation between the F5 and the backend server using the backend server's private key, I cannot. However, if I access the same URL with a web browser and clientless mode turned off, I can decode the tcpdump with no issue.

 

What is different about the way clientless mode handles the http stream that is different?

 

application delivery
BIG-IP Access Policy Manager (APM)
LTM
security

2 Replies

  • Amit_Karnik's avatar
    Amit_Karnik
    Icon for Nimbostratus rankNimbostratus
    Jan 26, 2015

    Can you do the tcpdump anyways and see the cipher which gets negotiated ? It might be related to that.

     

    Another reason could be related to SSL session caching on the LTM. If the session is cached the tcpdump would not be capture the secrets which negotiated early on.

     

  • RobertWebb_7911's avatar
    RobertWebb_7911
    Icon for Nimbostratus rankNimbostratus
    Jan 26, 2015

    Ciphers are good as the two ends do talk to each other with no issues. We were trying to troubleshoot some problems with data in a SOAP message and I needed to see the data from the back end server side to prove that the F5 wasn't changing anything outbound to the client.

     

    However, at this point, we have that issue fixed, but I think your theory on the session being cached and not seeing the negotiated secrets is correct.