Forum Discussion
KUR_304583
Nimbostratus
NimbostratusSSLDUMP "OpenSSL: decryption enabled." meaning..
I was playing with SSLDUMP in our lab-F5. I tried the Below command to capture some SSL Traffic. "SSLDUMP -r /path/xxx.pcap -i (interface) -dn host x.x.x.x". As a Result I got below message,
"ssldump 0.9b3 Copyright (C) 1998-2001 RTFM, Inc. All rights reserved. Compiled with OpenSSL: decryption enabled"
Does this mean, that I have enabled Decryption for the URL? I need to know what does this mean, so that I do not make same mistake on Production. Please help me providing clarification for the message.
natheCirrocumulus
Kur,
You're options don't look correct to me. Have you followed this solution: Overview of Packet Tracking with Ssldump? the -r switch reads a file so you don't need to specify the interface or host. If you want to capture/decrypt live traffic then suggest you take a look at this DC article Troubleshooting TLS Problems With ssldump.
My recommendation is to capture the traffic first with tcpdump and use ssldump offline to read the capture. You can use just the -nr switch (+file) to check record messages, but you'll need to provide a key to decrypt the application traffic.
Hope this helps,
N
- Jer-O
Cirrus
I've found it much more useful to do a tcpdump first, then read the pcap file with ssldump. It also gives you more flexibility to analyze the dump with Wireshark as well as convert it through ssldump.
tcpdump -vvnni 0.0:nnnp -s0 host ip_address -w /shared/tmp/file.pcap
This command captures end-to-end packets that can be traced using the F5 plugin for Wireshark.
This is also included in a script I published today.
Finally (If you have access to the key):
ssldump -Aednr /var/tmp/file.pcap -k /config/filestore/files_d/Common_d/certificate_key_d/:Common:file.key__ > /shared/tmp/file.txt