Forum Discussion

TayF5un
Dec 12, 2016

SSL Decryption

Hi everyone,

I have a virtual server with destination IP x.x.x.x:443 and my pool member y.y.y.y:443. I want to see the traffic in clear text.

5 Replies

  • You want to read the traffic in an SSLDUMP scenario?

    Can you expand on what you want?

    N.B. The port that is in use doesn't necessarily reflect that the traffic is encrypted.

  • I want to see something from the tcpdump output based on client IP; however, although I disabled SSL by using an iRule, I could not see anything, not any traffic. I have applied the iRule shown below to the HTTPS VS.

    when HTTP_REQUEST {
        if { [IP::addr [IP::client_addr] equals "1.1.1.1%1/32"] } {
            SSL::disable
            pool http_pool
        }
    }

  • Did you configure an SSL server profile?

    Anyway...

    First you need to capture the traffic. On your F5, run this command:

    tcpdump -i any -vvv -s 0 -nn -w /var/tmp/filename.cap "(host x.x.x.x and host y.y.y.y and port 443)"

    where:

    x.x.x.x = your client IP
    y.y.y.y = your virtual server IP

    While running this command, you should try to browse from the x.x.x.x client to your virtual server (y.y.y.y).

    Then go back to the F5 command line and press CTRL + C to stop the capture.

    You should see something like:

    tcpdump: listening on any, link-type EN10MB (Ethernet), capture size 65535 bytes
    Got 256

    That means you have successfully captured some traffic.

    Now you want to examine the SSL traffic. On your F5, run this command:

    ssldump -Aed -nr /var/tmp/filename.cap -k /config/ssl/ssl.key/your_keyfile.key

    You should replace /config/ssl/ssl.key/your_keyfile.key with your key path. It should be the same key that you configured on your SSL profile.

    You can find the key file on your F5 with this command:

    find / -iname '*.key*'

    Beginning in BIG-IP 11.x, the SSL profile keys are stored in the /config/filestore/files_d/_d/certificate_key_d/ directory.

    Now you should see your application_data decrypted like this:

    3 7 1247932735.6286 (0.0031) C>SV3.1(436) application_data
    ---------------------------------------------------------------
    GET / HTTP/1.1
    Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
    Accept-Language: en-us
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2; .NET CLR 1.1.4322; msn OptimizedIE8;ENUS)
    Accept-Encoding: gzip, deflate
    Host: 172.24.72.169
    Connection: Keep-Alive

    More information can be found here:
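The ssldump output shown in the reply above is line-oriented, which makes it easy to post-process once a capture has been decrypted. The following is an added example, not code from this thread or from F5: a small Python parser that turns `ssldump -Aed` text into records, lists the decrypted client HTTP requests with their Host header, and flags connections whose application_data records carry no data block. It assumes the header layout seen in the excerpt (`conn rec timestamp (delta) C>SV3.1(len) type`), that a decrypted data block is bracketed by dashed lines (the excerpt shows only the opening one), and that a record ssldump could not decrypt, for instance because the wrong key was supplied or the session used a forward-secret (EC)DHE cipher suite that a server private key cannot unlock, prints its header with no data block. The sample text is constructed; connection #4 in it stands in for such an undecrypted session.

```python
import re
from dataclasses import dataclass

# Constructed sample of `ssldump -Aed` output. Connection #3 follows the
# excerpt in the reply above (handshake lines and closing dashed lines are
# assumptions); connection #4 is a constructed session with no data blocks.
SAMPLE = """\
New TCP connection #3: 10.1.1.10(51234) <-> 172.24.72.169(443)
3 1 1247932735.6201 (0.0000) C>SV3.1(100) Handshake
      ClientHello
3 2 1247932735.6222 (0.0021) S>CV3.1(74) Handshake
      ServerHello
3 7 1247932735.6286 (0.0031) C>SV3.1(436) application_data
---------------------------------------------------------------
GET / HTTP/1.1
Accept: */*
Host: 172.24.72.169
Connection: Keep-Alive
---------------------------------------------------------------
3 8 1247932735.6350 (0.0064) S>CV3.1(312) application_data
---------------------------------------------------------------
HTTP/1.1 200 OK
Content-Type: text/html
---------------------------------------------------------------
New TCP connection #4: 10.1.1.11(51300) <-> 172.24.72.169(443)
4 5 1247932740.1100 (0.0050) C>SV3.1(512) application_data
4 6 1247932740.1200 (0.0100) S>CV3.1(800) application_data
"""

# Record header: "<conn> <rec> <abs time> (<delta>) <dir>V<ver>(<len>) <type>"
RECORD_RE = re.compile(
    r"^(?P<conn>\d+)\s+(?P<rec>\d+)\s+(?P<ts>\d+\.\d+)\s+\((?P<delta>\d+\.\d+)\)\s+"
    r"(?P<dir>[CS]>[CS])V(?P<ver>\d\.\d)\((?P<length>\d+)\)\s+(?P<rtype>\S+)"
)
DASH_RE = re.compile(r"^-{10,}\s*$")
REQUEST_LINE_RE = re.compile(r"^[A-Z]+ \S+ HTTP/\d\.\d$")
HOST_RE = re.compile(r"^Host:\s*(\S+)", re.MULTILINE)


@dataclass
class SslRecord:
    conn: int
    rec: int
    timestamp: float
    direction: str      # "C>S" (client to server) or "S>C"
    version: str        # record-layer version; "3.1" is TLS 1.0
    length: int
    rtype: str          # Handshake, application_data, ...
    payload: str = ""   # decrypted data printed by -d, empty if none


def parse_ssldump(text):
    """Parse ssldump text into SslRecord objects, attaching any data block to its record."""
    records = []
    current = None
    in_payload = False
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            current = SslRecord(int(m["conn"]), int(m["rec"]), float(m["ts"]),
                                m["dir"], m["ver"], int(m["length"]), m["rtype"])
            records.append(current)
            in_payload = False      # a new header always ends any open data block
        elif current is not None and DASH_RE.match(line):
            in_payload = not in_payload   # dashed lines open and close the data block
        elif in_payload:
            current.payload += line + "\n"
    return records


def http_requests(records):
    """Return (conn, request line, Host header) for each decrypted client-side HTTP request."""
    out = []
    for r in records:
        if r.rtype != "application_data" or r.direction != "C>S" or not r.payload:
            continue
        first = r.payload.split("\n", 1)[0]
        if REQUEST_LINE_RE.match(first):
            host = HOST_RE.search(r.payload)
            out.append((r.conn, first, host.group(1) if host else None))
    return out


def undecrypted_connections(records):
    """Connections with application_data records but no decrypted data: wrong key or forward-secret suite."""
    return sorted({r.conn for r in records
                   if r.rtype == "application_data" and not r.payload})


if __name__ == "__main__":
    recs = parse_ssldump(SAMPLE)
    for conn, line, host in http_requests(recs):
        print(f"conn {conn}: {line} (Host: {host})")
    print("connections not decrypted:", undecrypted_connections(recs))
```

Run it against real output with `ssldump -Aed -nr /var/tmp/filename.cap -k <key> > out.txt` and feed the file's contents to `parse_ssldump`; an empty `http_requests` result alongside a non-empty `undecrypted_connections` list is the quickest sign that the key did not match the session or that the cipher suite negotiated ephemeral keys.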

  • You can't disable SSL in the HTTP_REQUEST event - to receive the HTTP request you would presumably have had to set up the SSL first. You should disable SSL in CLIENT_ACCEPTED, prior to the SSL being set up.

    Rather confused why you want to do this though - maybe you can explain in more detail. Is it just to see the traffic en clair?