Forum Discussion
Unable to decrypt using SSL::sessionsecret iRules command
Fellas,
I am using this iRule:
when CLIENTSSL_HANDSHAKE {
    if { [IP::addr [IP::client_addr] equals 172.22.200.178] } {
        log local0. "========CLIENT SIDE==================="
        log local0. "Client IP: [IP::client_addr]"
        log local0. "TCP source port: [TCP::remote_port]"
        log local0. "RSA Session-ID:[SSL::sessionid] Master-Key:[SSL::sessionsecret]"
        log local0. "======================================"
        log local0. " "
    }
}
And the output I get is this:
: ========CLIENT SIDE===================
Dec 30 14:56:15 akm-bigip1 info tmm1[9611]: Rule /Common/SSL-Decrypt : Client IP: 172.22.200.178
Dec 30 14:56:15 akm-bigip1 info tmm1[9611]: Rule /Common/SSL-Decrypt : TCP source port: 57050
Dec 30 14:56:15 akm-bigip1 info tmm1[9611]: Rule /Common/SSL-Decrypt : RSA Session-ID: Master-Key:dccbfb5e3df9205cd6ddb76aba683c2f262dfbacb7b88afdd390e011902c940782d371f1acfb1c5267a1d4cdced5ada9
Why am I not getting the session id here?
Also I have followed the steps to disable cache by setting it to 0 and cipher is only AES+RSA.
What am I missing???
- DaveS_377638
Cirrus
SSL::sessionid returns the current connection's SSL session ID if it exists in the session cache.
A Cache Size setting of 0 disables SSL session caching for the profile, which means the Session ID will not be cached and the command will return a null string.
Ahh ok, but then I need to get the CLIENT_RANDOM from the pcap file and add it with the sessionsecret to create the SSL dump file, right?
This is still not decrypting the pcap.
- DaveS
Nimbostratus
I assume you're following the process outlined here:
K16700: Decrypting SSL traffic using the SSL::sessionsecret iRules command
Yes, you'll need to use the CLIENT_RANDOM option with the random byte string as the identifier and sessionsecret string for the master key string.
If there are multiple connections in the packet capture then you will need to look at all the client source ports used so that the Master Secret log file contains multiple lines, each with the random byte string with the matched key string. As noted in the steps, the syntax is important.
If you're still having issues with the decryption then enabling SSL debugging in Wireshark and looking at the output this produces should indicate what's going wrong.
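The key log file described in the reply above, as an added example that is not part of the original thread or of K16700: it pairs each logged master secret with the ClientHello random for the same client source port and writes one CLIENT_RANDOM line per connection, rejecting entries whose syntax Wireshark would not accept. The port-to-random map is assumed to have been read out of the capture separately, the function names are hypothetical, and all sample values are constructed.

```python
import re

# Constructed sample values (not from a real capture or a real BIG-IP).
S1, S2 = "aa" * 48, "bb" * 48
SAMPLE_LOG = f"""\
Dec 30 14:56:15 bigip1 info tmm1[9611]: Rule /Common/SSL-Decrypt : TCP source port: 57050
Dec 30 14:56:15 bigip1 info tmm2[9611]: Rule /Common/SSL-Decrypt : TCP source port: 57051
Dec 30 14:56:15 bigip1 info tmm2[9611]: Rule /Common/SSL-Decrypt : RSA Session-ID: Master-Key:{S2}
Dec 30 14:56:15 bigip1 info tmm1[9611]: Rule /Common/SSL-Decrypt : RSA Session-ID: Master-Key:{S1}
Dec 30 14:56:16 bigip1 info tmm1[9611]: Rule /Common/SSL-Decrypt : TCP source port: 57052
Dec 30 14:56:16 bigip1 info tmm1[9611]: Rule /Common/SSL-Decrypt : RSA Session-ID: Master-Key:{S1[:40]}
"""
# Assumed input: client source port -> ClientHello random taken from the pcap.
# Port 57051 is deliberately missing. Ports can be reused in long captures,
# so build this map per capture window.
SAMPLE_RANDOMS = {57050: "11" * 32, 57052: "22:" * 31 + "22"}

PORT_RE = re.compile(r"(tmm\d*\[\d+\]): .*TCP source port: (\d+)")
KEY_RE = re.compile(r"(tmm\d*\[\d+\]): .*Master-Key:\s*([0-9A-Fa-f]*)")

def secrets_by_port(log_text):
    """Map source port -> master secret, pairing log lines per TMM instance
    so interleaved output from different TMMs is not mixed up."""
    last_port, found = {}, {}
    for line in log_text.splitlines():
        if m := PORT_RE.search(line):
            last_port[m.group(1)] = int(m.group(2))
        elif m := KEY_RE.search(line):
            port = last_port.pop(m.group(1), None)
            if port is not None:
                found[port] = m.group(2).lower()
    return found

def build_keylog(log_text, randoms_by_port):
    """Return (keylog_lines, problems). A line is emitted only when the random
    is 32 bytes and the master secret is 48 bytes of hex."""
    lines, problems = [], []
    for port, secret in sorted(secrets_by_port(log_text).items()):
        rnd = randoms_by_port.get(port, "").replace(":", "").lower()
        if not re.fullmatch(r"[0-9a-f]{64}", rnd):
            problems.append(f"port {port}: no 32-byte client random")
        elif not re.fullmatch(r"[0-9a-f]{96}", secret):
            problems.append(f"port {port}: master secret is not 48 bytes")
        else:
            lines.append(f"CLIENT_RANDOM {rnd} {secret}")
    return lines, problems

if __name__ == "__main__":
    keylog, issues = build_keylog(SAMPLE_LOG, SAMPLE_RANDOMS)
    print("\n".join(keylog + issues))
```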