
Forum Discussion

Nuruddin_Ahmed_
Jul 26, 2016

SSL Decryption

I have tried almost everything to get my file decrypted, using the PMS as well as the private key, but I am not sure what I am doing wrong. I generated the PMS as below:

 

tcpdump -vvv -s 0 -nni external -w /var/tmp/www-ssl-client.cap host 172.16.16.16
ssldump -nAder /var/tmp/www-ssl-client.cap -k /config/filestore/files_d/Common_d/certificate_key_d/:Common:client-side-key.key_91736_1 -M /var/tmp/www-ssl-client.pms

 

I tried ssldump with -r only also.

 

After the above, I imported the PMS into Wireshark under the PMS log file section, but it did not decrypt the data. I am sure that I am using the right key file. 172.16.16.16 is the virtual server IP where the requests are landing from the external interface.

 

I also took this key and imported it in the RSA keys list option with:

IP Address - localhost IP address (I have saved the key locally on my desktop)
Port - 443
Protocol - http
Key - c:\client-side-key.key_91736_1
Password - BLANK

 

This also did not decrypt the traffic, sadly :(

 

Can anyone help on this?

 

4 Replies

  • zeiss_63263

    Are you absolutely sure that the data wasn't decrypted? This has trapped me before.

     

    Wireshark doesn't seem to parse out the unencrypted payload and instead you have to look at the Application Data payload "Packet Bytes" window. In that window there should be a tab that shows you the raw unencrypted data.

     

  • Need to make sure the connection wasn't using DHE ciphers (disable the DHE cipher suite in the client (+ server if needed) side profiles). Also that you captured the start of the SSL connection - no good if you had a re-established SSL session.

     

  • Hi zeiss,

     

    Yes, I am sure it was not decrypted; I was checking the Application Data payload.

     

    Regards

     

  • zeiss_63263

    Note also IainThomson85's valid points.

     

    Nuruddin, I didn't say to look at the Application Data payload in the main panel. Check the "Packet Bytes" window for the “Decrypted SSL Data” tab. For a pictorial example, see here: https://jimshaver.net/wp-content/uploads/2015/02/2015-02-11-22_30_28-_Wi-Fi-Wireshark-1.12.3-v1.12.3-0-gbb3e9a0-from-master-1.12.png
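
The two conditions raised in the reply about DHE ciphers and re-established sessions can be checked from the ServerHello in the capture. The sketch below is an added example, not code from any poster in this thread or from F5; the function names, verdict strings and sample records are constructed, and the suite table is a small subset of the IANA registry.

```python
import struct

# Subset of IANA TLS cipher suite IDs; the name prefix shows the key exchange.
SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

def parse_server_hello(record):
    """Return (cipher_suite_id, session_id) from one TLS record holding a ServerHello."""
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 0x16 or len(body) < 39 or body[0] != 0x02:
        raise ValueError("not a ServerHello handshake record")
    sid_len = body[38]  # after 4-byte handshake header, 2-byte version, 32-byte random
    off = 39 + sid_len
    if len(body) < off + 2:
        raise ValueError("truncated ServerHello")
    (suite,) = struct.unpack("!H", body[off:off + 2])
    return suite, body[39:off]

def key_decrypt_verdict(record, client_session_id=b""):
    """Say whether the server's RSA private key alone can decrypt this connection."""
    suite, sid = parse_server_hello(record)
    name = SUITES.get(suite, "UNKNOWN_0x%04X" % suite)
    if sid and sid == client_session_id:
        return name, "resumed session: full handshake is not in this capture"
    if name.startswith("TLS_RSA_"):
        return name, "RSA key exchange: private key can decrypt"
    if "DHE_" in name:
        return name, "(EC)DHE key exchange: private key cannot decrypt"
    return name, "unknown suite: check manually"

def build_server_hello(suite, sid=b""):
    """Constructed sample: minimal TLS 1.2 ServerHello record with no extensions."""
    hello = b"\x03\x03" + bytes(32) + bytes([len(sid)]) + sid + struct.pack("!HB", suite, 0)
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    for suite_id in (0x002F, 0x0033, 0xC02F):
        print(key_decrypt_verdict(build_server_hello(suite_id)))
```

A session is treated as resumed when the server echoes the non-empty session ID the client offered in its ClientHello, which applies to TLS 1.2 and earlier.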