Forum Discussion
Troubleshooting PFS - BIG-IP Feature Request?
Hello all!
Ever since I heard of PFS I started dreading the day I would need to troubleshoot a PFS flow.
I read some interesting suggestions of how to deal with it. One could make SSL bridging, where the client side has PFS enabled and the server side would not have PFS disabled, so you could tcpdump the internal traffic.
Another solution involves third party hardware and a lot of prep, which is not feasible if you're a little shop IMHO.
But my question is: Since BIG-IP is sitting right in the middle of the traffic (on flows it's terminating SSL/TLS and not proxying it), wouldn't it be "easy" to dump the traffic in clear text?
This "feature" would be so handy and since BIG-IP is full-proxy it makes sense to me it could do that...
Any thoughts?
Cheers! Rafael
1 Reply
- DennisJann
Nimbostratus
You can capture the SSL session keys with an iRule while running tcpdump on the BIG-IP, and then use the Master Secret log file to view the decrypted tcpdump data in Wireshark.
K16700: Decrypting SSL traffic using the SSL::sessionsecret iRules command
The instructions in the KB article do work for decrypting PFS sessions.
If your HTTPS VIP is running on a non-standard port, you would need to go into Wireshark preferences and add the non-standard HTTPS port in Protocols > HTTP > SSL/TLS Ports.
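Added example, not part of the reply above or of F5's KB article: pulling the logged session secrets out of a log file into a key log file that Wireshark can load alongside the tcpdump capture. It assumes the iRule logs each session as `RSA Session-ID:<hex> Master-Key:<hex>` (one of the key-log line formats Wireshark reads); the sample log lines, host name and rule name are constructed.

```python
import os
import re

# Assumption: the iRule writes the session ID and master secret in this shape
# somewhere in each log line. Wireshark accepts lines of this form as a key log.
KEY_RE = re.compile(r"RSA Session-ID:([0-9A-Fa-f]+) Master-Key:([0-9A-Fa-f]+)")

def extract_keylog(log_lines):
    """Return de-duplicated key-log lines found in syslog-style lines."""
    seen, out = set(), []
    for line in log_lines:
        m = KEY_RE.search(line)
        if not m:
            continue                      # unrelated log message
        sid, key = m.group(1), m.group(2)
        # A TLS master secret is 48 bytes (96 hex chars); a session ID is at
        # most 32 bytes. Anything else is a truncated or corrupted log line.
        if len(key) != 96 or len(sid) > 64 or len(sid) % 2:
            continue
        if (sid, key) not in seen:        # resumed sessions log the same pair again
            seen.add((sid, key))
            out.append(f"RSA Session-ID:{sid} Master-Key:{key}")
    return out

def write_keylog(path, entries):
    """Create the key log owner-readable only: it decrypts the whole capture."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(entries) + "\n")

# Constructed sample input (not real keys), shaped like syslog output.
PREFIX = "Jan  1 10:00:0{} bigip1 info tmm[1]: Rule /Common/keylog <CLIENTSSL_HANDSHAKE>: "
SAMPLE = [
    PREFIX.format(0) + "RSA Session-ID:" + "ab" * 32 + " Master-Key:" + "0f" * 48,
    PREFIX.format(1) + "RSA Session-ID:" + "cd" * 32 + " Master-Key:" + "1e" * 48,
    PREFIX.format(2) + "RSA Session-ID:" + "ab" * 32 + " Master-Key:" + "0f" * 48,  # duplicate
    PREFIX.format(3) + "RSA Session-ID:" + "ef" * 32 + " Master-Key:" + "2d" * 20,  # truncated
    "Jan  1 10:00:04 bigip1 notice mcpd[2]: unrelated message",
]

if __name__ == "__main__":
    entries = extract_keylog(SAMPLE)
    write_keylog("session.keys", entries)
    print(f"wrote {len(entries)} session secrets to session.keys")
```

Treat the resulting file like a private key for the captured sessions, and remove both the logging iRule and the file once troubleshooting is finished.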