Ganesh_Garg
Aug 20, 2016 Nimbostratus
SSL passphrase lost
Is there any way to retrieve or decrypt the SSL passphrase from F5 as I lost the passphrase. From the article SOL14912, it seems that the retrieval is not possible.
Hi Ganesh,
the passphrase is encrypted using the device master key. As long as the master key of your device group hasn't changed or (at least) you've created a backup of the master-key, you will be able to restore entire UCS archives or even partial configurations containing secure strings.
https://support.f5.com/kb/en-us/solutions/public/9000/400/sol9420.html
https://devcentral.f5.com/articles/working-with-masterkeys
With this knowledge in mind, you can also fairly easily decrypt a specific secure-string back to plaintext without even knowing the cryptography behind it. Just tmsh /list the related configuration, grep the containing $M$ secure-string and create, for example, a new HTTP health-monitor containing the exported secure-string as password (via tmsh load sys config merge from-terminal). Attach the monitor to a node of your choice and then use tcpdump/wireshark to sniff the password (a.k.a. B64 credentials) on the wire...
Cheers, Kai
You helped me a lot too. Thanks!
I would say not possible but I have never explored the options of trying to retrieve it.
I used the HTTP monitor trick described here, it worked perfectly :) The monitor needed to have username as well as password set, to send any Authorization: Basic request header.
;-)
Cheers, Kai