Forum Discussion

TayF5un
Dec 12, 2016

SSL Decryption

Hi everyone,

 

I have a virtual server with destination IP x.x.x.x:443 and my pool member y.y.y.y:443. Then I want to show the traffic in clear text.

 

5 Replies

  • You want to read the traffic in an SSLDUMP scenario?

    Can you expand on what you want?

    N.B. The port that is in use doesn't necessarily reflect that the traffic is encrypted.

     

  • I want to see something in the tcpdump output based on the client IP; however, although I disabled SSL using an iRule, I could not see any traffic at all. I have applied the iRule shown below to the HTTPS VS.

     

    when HTTP_REQUEST {
        if { [ip::addr [ip::client_addr] equals "1.1.1.1%1/32"] } {
            ssl::disable
            pool http_pool
        }
    }

     

  • Did you configure an SSL server profile?

    anyway...

    First you need to capture the traffic:

    on your f5 run this command:

    tcpdump -i any -vvv -s 0 -nn -w /var/tmp/filename.cap "(host x.x.x.x and host y.y.y.y and port 443)"
    

    where:

    x.x.x.x = your client IP
    y.y.y.y = your virtual server IP

    While running this command you should try to browse from the x.x.x.x client to your virtual server (y.y.y.y).

    Then go back to the F5 command line and press CTRL+C to stop the capture.

    You should see something like:

    tcpdump: listening on any, link-type EN10MB (Ethernet), capture size 65535 bytes

    Got 256

    That means you have successfully captured some traffic.

    now you want to examine the SSL traffic:

    on your f5 run this command:

    ssldump -Aed -nr /var/tmp/filename.cap -k /config/ssl/ssl.key/your_keyfile.key
    

    You should replace /config/ssl/ssl.key/your_keyfile.key with your key path. It should be the same key that you configured on your SSL profile.

    you can find the key file on your f5 with this command:

    find / -iname '*.key*'
    

    Beginning in BIG-IP 11.x, the SSL profile keys are stored in the /config/filestore/files_d/_d/certificate_key_d/ directory.

    Now you should see your application_data decrypted, like this:

    3 7 1247932735.6286 (0.0031) C>SV3.1(436) application_data
    ---------------------------------------------------------------
    GET / HTTP/1.1
    Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
    Accept-Language: en-us
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2; .NET CLR 1.1.4322; msn OptimizedIE8;ENUS)
    Accept-Encoding: gzip, deflate
    Host: 172.24.72.169
    Connection: Keep-Alive
    

    more information can be found here:
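    As an added example (not from the reply's author or from F5), this parser reads ssldump output of the form shown above and pulls the decrypted client requests out of it, so a capture can be reviewed per connection instead of by eye; the record quoted in the reply is reused, and the other records, timestamps and IP are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Record header as ssldump prints it, e.g. "3 7 1247932735.6286 (0.0031) C>SV3.1(436) application_data"
HEADER = re.compile(r"^\s*(\d+)\s+(\d+)\s+([\d.]+)\s+\(([\d.]+)\)\s+(C>S|S>C)\s*V(\d+\.\d+)\((\d+)\)\s+(\w+)")
@dataclass
class SslRecord:
    conn: int          # TCP connection number
    seq: int           # record number within that connection
    timestamp: float   # absolute time (-e)
    delta: float       # seconds since the previous record
    direction: str     # "C>S" client->server, "S>C" server->client
    version: str       # "3.1" is TLS 1.0
    length: int        # record length in bytes
    rtype: str         # Handshake, application_data, Alert, ...
    payload: List[str] = field(default_factory=list)  # decrypted lines (-d)

def parse_ssldump(text: str) -> List[SslRecord]:
    """Turn ssldump -Aed output into records; data lines attach to the last header."""
    records: List[SslRecord] = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            c, s, ts, dt, d, v, n, t = m.groups()
            records.append(SslRecord(int(c), int(s), float(ts), float(dt), d, v, int(n), t))
        else:
            line = raw.strip()  # skip blanks, dashed separators and "New TCP connection" banners
            if records and line and set(line) != {"-"} and not line.startswith("New TCP"):
                records[-1].payload.append(line)
    return records

def decrypted_requests(records: List[SslRecord]) -> List[Tuple[int, str, Optional[str]]]:
    """(connection, request line, Host header) for each decrypted client->server HTTP request."""
    out = []
    for r in records:
        if r.rtype == "application_data" and r.direction == "C>S" and r.payload:
            host = next((l.split(":", 1)[1].strip() for l in r.payload if l.lower().startswith("host:")), None)
            out.append((r.conn, r.payload[0], host))
    return out

# Constructed sample: the request record quoted in the reply above, plus a handshake and a response.
SAMPLE = """3 1 1247932735.6255 (0.0009) C>SV3.1(97) Handshake
3 7 1247932735.6286 (0.0031) C>SV3.1(436) application_data
---------------------------------------------------------------
GET / HTTP/1.1
Host: 172.24.72.169
---------------------------------------------------------------
3 8 1247932735.6310 (0.0024) S>CV3.1(512) application_data
HTTP/1.1 200 OK"""
```

    The private key only recovers application data for sessions negotiated with RSA key exchange; ssldump cannot decrypt (EC)DHE sessions from the key alone, so such records show a header but no payload.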

  • You can't disable SSL in the HTTP_REQUEST event - to receive the HTTP request you would presumably have had to set up the SSL first. You should disable SSL in CLIENT_ACCEPTED, prior to the SSL being set up.

     

    Rather confused why you want to do this though - maybe you can explain in more detail. Is it just to see the traffic en clair?