Forum Discussion

Altostratus

Feb 05, 2026

sslprovide (--f5 ssl) does not generate CLIENT/SERVER_TRAFFIC_SECRET on server-side TLS traffic

When I enable the sslprovider and start a tcpdump on the server-side in order to decode TLSv1.3 traffic, only the CLIENT_HANDSHAKE_TRAFFIC_SECRET and SERVER_HANDSHAKE_TRAFFIC_SECRET 'keys' are stored...

application delivery

security

momahdy

Employee

Feb 06, 2026

Hi Frank_ten_Wolde
You may want to check this KB

https://my.f5.com/manage/s/article/K36120659

Frank_ten_Wolde
Altostratus
Feb 09, 2026
Hi Momahdy,
Thanks for pointing me to this KB article. I am aware of the 'iRule-way' to get the PMS data.
The observed sslprovider behaviour (missing CLIENT_TRAFFIC_SECRET_0 and SERVER_TRAFFIC_SECRET_0 data) sort of defies the purpose of it, doesn't it?
Should I report a bug with F5 TAC, or is this a known issue already?
- momahdy
  Employee
  Feb 09, 2026
  Hi Frank_ten_Wolde
  Got what you mean, I don't see published IDs on this one, If you may try couple of items and reach to TAC if the same behavior continues,
  
  - Make sure to include the p option,
  tcpdump -i <server-side-VLAN>:nnnp -s0 -f5 ssl:v -vvv -w /var/tmp/output.cap