Forum Discussion

Cirrus

Jul 20, 2022

Decrypting SSL traffic - PMS and egress

Hi - two questions combined. Background - trying to catch and decipher tcpdump both for Client -> VIP and F5-> Pool Members traffic I'm following this tutorial: Decrypt with tcpdump --f5 ssl I ma...

Cirrostratus

thank you for sharing your script.

Sorry to bump this old thread.

For some reason only the client side traffic get's decrypted. Communication between LTM and nodes are still encrypted. I'm using the tcpdump command as mentioned in your github.

Any idea?

David_Larsen

Employee

Mar 04, 2024

One thing to take into account is if you have a OneConnect profile applied to the virtual server the Serverside connections could have established SSL handshakes before you take the capture and not be able to be decrypted. You have to make sure all connections on the serverside and clientside are deleted before starting the capture otherwise you may not be able to decrypt.

You should also use a filter that includes the ServerSide nodes specifically and not rely on the :nnnp to gather that data if you are looking to decrypt the serverside traffic.

Ichnafi
Cirrostratus
Mar 04, 2024
Hi,
thank you for your input.
Sadly it does not work.
did check if any tcp connection exists for this VS
used a fresh browser
no oneconnect profile
no http/2
added node IPs to tcpdump filter
one can see complete TCP and SSL handshake between LTM and node in the capture

The LTM still uses a rather old version (15.1), so maybe it's an issue there?
- David_Larsen
  Employee
  Mar 06, 2024
  That version should work.
  
  Is there a ServerSSL profile?
  
  Is there a HTTPS health monitor?
  
  Is the pool member IP used in any other pools?
  
  There are a number of ways there could be an open connection to the server that already establish the SSL handshake. I'm wondering if it is something we are not thinking of that could have it open already.
  - Ichnafi
    Cirrostratus
    Mar 08, 2024
    Tried capturing a different VS (with same settings, profiles,..) on the same LTM. This time everything worked as expected.
    So, never mind. Your scripts work. Thank you for sharing!

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

Decrypting SSL traffic - PMS and egress

Recent Discussions

Background Tasks

Which process is consuming higher CPU

SSL bridging without SSL proxy forward

Big-IP VE edition for MacBook M4 Chip

Client SSL Profile set to Require Client Certificate breaks RDP in APM

Related Content

K50557518: Decrypt SSL traffic with the SSLKEYLOGFILE...

fellow traffic

TLS Fingerprinting to profile SSL/TLS clients without decryption

Managing Kubernetes Traffic With F5 NGINX: A Practical Guide

Air Gap Egress Inspection with SSL Intercept iApp Template

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS