Shortcut script to easily extract the Pre-Master Secret from a capture with ssldump
Problem this snippet solves:
Using Wireshark or other tools to examine SSL traffic requires that the Pre-Master Secret log be extracted from the capture with ssldump, and that the private key be available. However, the syntax for locating the right key file and executing ssldump is clumsy and hard to remember. For example:
ssldump -r test1.pcap -k /config/filestore/files_d/Common_d/certificate_key_d/:Common:www.domain.com-2020.key_149160_2 -M SSL.pms -A -d -n
It doesn't exactly roll trippingly off the keyboard, does it?
Instead, this little script provides a one-line command, and it is installed on all of our Big-IPs along with a lot of other little utilities:
#!/bin/bash
#
# Decrypt.sh $CaptureFile $CertName [$PMSFile]
#
CaptureFile=$1
CertName=$2
# Third argument is optional; fall back to SSL.pms, the name used in Wireshark below
PMSFile=${3:-SSL.pms}
# Look up the stored key by its base name in the BIG-IP filestore
KeyFile=$(ls /config/filestore/files_d/Common_d/certificate_key_d/:Common:"$CertName".key_*)
ssldump -r "$CaptureFile" -k "$KeyFile" -M "$PMSFile" -A -d -n
Note that it is the BASE FILENAME of the key, such as www.domain.com-2020, not the cert/key name that must be specified. The script finds the actual filename in the file store, such as:
/config/filestore/files_d/Common_d/certificate_key_d/:Common:www.domain.com.key_149160_2
How to use this snippet:
It can be invoked with a single, easy to remember line:
Decrypt.sh test1.pcap www.domain.com-2020
The output defaults to SSL.pms, which gets copied to your workstation along with the .pcap file. If you keep using the same name, it can be set once in Wireshark and doesn't have to be reconfigured for every capture. If it doesn't match the current capture, it's as if it wasn't there.
Don't forget to use a cipher string of 'NONE:AES128-SHA' and a Cache Size of 0 in your profile during the capture, so that every connection performs a full RSA handshake (no ephemeral key exchange, no session resumption) and ssldump can recover the pre-master secret with the private key. You could create a test Client SSL profile such as 'cssl_Debug' to avoid having to remember.
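The plain ls glob in the script passes every match to ssldump, which breaks when a renewed key has left more than one generation in the filestore. The helper below (an added example, not Stan's script) resolves the key to a single path and picks the newest generation, assuming the filestore naming :<partition>:<base>.key_<id>_<generation>; decrypt_capture wraps it with the same ssldump invocation as Decrypt.sh.

```shell
#!/bin/bash
# resolve_keyfile <filestore_dir> <cert_base_name> [partition]
# Prints the single key file to use, or fails if none exists.
# Assumption: files are named :<partition>:<base>.key_<id>_<generation>,
# where <generation> increases each time the key is updated.
resolve_keyfile() {
    local dir base partition best bestgen count f gen
    dir=$1; base=$2; partition=${3:-Common}
    best=""; bestgen=-1; count=0
    for f in "$dir"/:"$partition":"$base".key_*; do
        [ -e "$f" ] || continue          # unmatched glob stays literal; skip it
        count=$((count + 1))
        gen=${f##*_}                     # trailing number after the last '_'
        case $gen in *[!0-9]*|"") gen=0 ;; esac
        if [ "$gen" -gt "$bestgen" ]; then best=$f; bestgen=$gen; fi
    done
    if [ "$count" -eq 0 ]; then
        echo "resolve_keyfile: no key named $base under $dir" >&2
        return 1
    fi
    if [ "$count" -gt 1 ]; then
        echo "resolve_keyfile: $count generations of $base, using newest: $best" >&2
    fi
    printf '%s\n' "$best"
}

# decrypt_capture <capture.pcap> <cert_base_name> [pms_file]
# Same ssldump call as Decrypt.sh, with the key resolved unambiguously first.
decrypt_capture() {
    local capture cert pms key
    capture=$1; cert=$2; pms=${3:-SSL.pms}
    [ -r "$capture" ] || { echo "decrypt_capture: cannot read $capture" >&2; return 1; }
    key=$(resolve_keyfile /config/filestore/files_d/Common_d/certificate_key_d "$cert") || return 1
    ssldump -r "$capture" -k "$key" -M "$pms" -A -d -n
}
```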
Cheers,
Stan