on 14-Feb-201808:39 - edited on 05-Jun-202322:04 by JimmyPackets
Problem this snippet solves:
Using Wireshark or other tools to examine SSL traffic requires that the Pre-Master Secret log be extracted from the capture with ssldump, and that the private key be available. However, the syntax for locating the right key file and executing ssldump is clumsy and hard to remember. For example:
ssldump -r test1.pcap -k /config/filestore/files_d/Common_d/certificate_key_d/:Common:www.domain.com-2020.key_149160_2 -M SSL.pms -A -d -n
It doesn't exactly roll trippingly off the keyboard, does it?
Instead, this little script provides a one-line command, and it is installed on all of our Big-IPs along with a lot of other little utilities:
It can be invoked with a single, easy to remember line:
Decrypt.sh test1.pcap www.domain.com-2020
The output defaults to SSL.pms, which gets copied to your workstation along with the .pcap file. If you keep using the same name, it can be set once in Wireshark and doesn't have to be reconfigured for every capture. If it doesn't match the current capture, it's as if it wasn't there.
Don't forget to use a cipher string of 'NONE:AES128-SHA' and a Cache Size of 0 in your profile during the capture to insure that ssldump can find the PMS log. You could create a test CSSL profile such as 'cssl_Debug' to avoid having to remember.