Forum Discussion
SSL passphrase lost
Is there any way to retrieve or decrypt the SSL passphrase from F5 as I lost the passphrase. From the article SOL14912, it seems that the retrieval is not possible.
Hi Ganesh,
The passphrase is encrypted using the device master key. As long as the master key of your device group hasn't changed or (at least) you've created a backup of the master key, you will be able to restore entire UCS archives or even partial configurations containing secure strings.
https://support.f5.com/kb/en-us/solutions/public/9000/400/sol9420.html
https://devcentral.f5.com/articles/working-with-masterkeys
With this knowledge in mind, you can also fairly easily decrypt a specific secure-string back to plaintext without even knowing the cryptography behind it. Just tmsh list the related configuration, grep the containing $M$ secure-string and create, for example, a new HTTP health-monitor containing the exported secure-string as password (via tmsh load sys config merge from-terminal). Attach the monitor to a node of your choice and then use tcpdump/wireshark to sniff the password (aka. B64 credentials) on the wire...
Cheers, Kai
- paiva_x (Nimbostratus)
You helped me a lot too. Thanks!
- Vijay_E (Cirrus)
I would say not possible but I have never explored the options of trying to retrieve it.
- Nick_Schmalenbe (Nimbostratus)
I used the HTTP monitor trick described here, it worked perfectly :) The monitor needed to have username as well as password set, to send any Authorization: Basic request header.
;-)
Cheers, Kai