Forum Discussion
ssldump not working for client side decrypt (tried everything)
- Apr 17, 2017
I manged to get this working with F5 support via an alternative approach which doesn't require dumbing down the ciphers like ssldump does. Working with support they came up with an alternative approach which seems to be more reliable than ssldump
-
Disable all the ciphers which cannot be decrypted. On the F5 Goto the client SSL profile and in the ciphers box place defaut:!EXPORT:!DHE:!ECDHE This shouldn’t really effect anything for production traffic flowing through the appliances. Will only be applied on new connections and this should still leave plenty of ciphers available for most older browsers
-
Create the following irule and apply to VIP (shouldn’t cause any issues doing this during production hours as it’s based on very specific sources. Watch the formatting as any extra carriage returns will cause this irule to fail to be saved and applied in the GUI). The below example captures all Microsoft Exchange Online traffic (these subnets change so always check https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2bkmk_exo) for the latest:
` when CLIENTSSL_HANDSHAKE {
if {( [IP::addr [IP::client_addr]/31 equals 13.107.6.152]) or ([IP::addr [IP::client_addr]/31 equals 13.107.9.152]) or ([IP::addr [IP::client_addr]/31 equals "13.107.19.10"]) or ([IP::addr [IP::client_addr]/20 equals "23.103.160.0"]) or ([IP::addr [IP::client_addr]/19 equals "23.103.224.0"]) or ([IP::addr [IP::client_addr]/13 equals "40.96.0.0"]) or ([IP::addr [IP::client_addr]/15 equals "40.104.0.0"]) or ([IP::addr [IP::client_addr]/25 equals "70.37.151.128"]) or ([IP::addr [IP::client_addr]/21 equals "111.221.112.0"]) or ([IP::addr [IP::client_addr]/32 equals "131.253.33.215"]) or ([IP::addr [IP::client_addr]/16 equals "132.245.0.0"]) or ([IP::addr [IP::client_addr]/23 equals "134.170.68.0"]) or ([IP::addr [IP::client_addr]/28 equals "157.56.96.16"]) or ([IP::addr [IP::client_addr]/28 equals "157.56.96.224"]) or ([IP::addr [IP::client_addr]/28 equals "157.56.106.128"]) or ([IP::addr [IP::client_addr]/21 equals "157.56.232.0"]) or ([IP::addr [IP::client_addr]/20 equals "157.56.240.0"]) or ([IP::addr [IP::client_addr]/19 equals "191.232.96.0"]) or ([IP::addr [IP::client_addr]/32 equals "191.234.6.152"]) or ([IP::addr [IP::client_addr]/22 equals "191.234.140.0"]) or ([IP::addr [IP::client_addr]/22 equals "191.234.224.0"]) or ([IP::addr [IP::client_addr]/32 equals "204.79.197.215"]) or ([IP::addr [IP::client_addr]/19 equals "206.191.224.0"]) or ([IP::addr [IP::client_addr]/25 equals "207.46.150.128"]) or ([IP::addr [IP::client_addr]/26 equals "207.46.203.128"]) } {
log local0. "RSA Session-ID:[SSL::sessionid] Master-Key:[SSL::sessionsecret]"
}
}
tail -f /var/log/ltm | grep Exchange-2013-._2007_ssl_dump2`’ and dump the output into a text file. Strip out everything before the ‘RSA Session-ID:4.Run a tail on the new log file searching for the name of the irule you created
- On the client side use wireshark to capture on the client interface side and filter on source IP address. Example below to capture all Exchange online subnets:
tcpdump -s 0 -vvv -nni VLAN_PUBLIC-DMZ -w /shared/tmp/outside-5.cap "net 13.107.6.152/31 or net 13.107.9.152/31 or net 13.107.18.10/31 or net 13.107.19.10/31 or net 23.103.160.0/20 or net 23.103.224.0/19 or net 40.96.0.0/13 or net 40.104.0.0/15 or net 70.37.151.128/25 or net 111.221.112.0/21 or net 131.253.33.215/32 or net 132.245.0.0/16 or net 134.170.68.0/23 or net 157.56.96.16/28 or net 157.56.96.224/28 or net 157.56.106.128/28 or net 157.56.232.0/21 or net 157.56.240.0/20 or net 191.232.96.0/19 or net 191.234.6.152/32 or net 191.234.140.0/22 or net 191.234.224.0/22 or net 204.79.197.215/32 or net 206.191.224.0/19 or net 207.46.150.128/25 or net 207.46.203.128/26"
- Once captured get the capture off the appliances via winscp7.Open wireshark and goto Edit, Preferences, Protocol, SSL, under (Pre)-Master-Secret log file name select the text file taken at step
- Click ok and open your capture. You should now be able to see application data packets raw http data.
Based on this discovery i wouldn't bother ssldump in the future.
-
There are a couple of things you can do:
-
Make sure you specifiy "-s0" when running tcpdump;
-
Change your cipher to "NONE:AES128-SHA" in your client SSL profile for your testing activity;
-
Use the following ssldump syntax:
ssldump -nr /shared/tmp/outside-1.cap -d -k /config/filestore/files_d/Common_d/certificate_key_d/:Common:x.x.x.x.key_58302_1
.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com