canttalkeating
Sep 07, 2019

Capturing Pre-Master Secret (Symmetric key) using ssldump utility

Hello all,

 

I have been testing the ssldump utility to try and decrypt TLS traffic on the server-side but I cannot get the ssldump utility to capture the RSA Session Keys and output them to a .pms file as per https://support.f5.com/csp/article/K10209

 

I can successfully capture the PMS when I perform the same function on the Client-side (where the F5 is the Server) but not on the Server-side (where the F5 is the Client).

 

I can capture the PMS using an iRule on the Server-side and then use this to decrypt the server-side TLS but I want to be able to do this without an iRule as per the SOL doc.

 

I have tuned the Server-side SSL Profile to not use existing TLS sessions to ensure a new Session Key is negotiated each time, and I also use an Incognito browser to make double sure this is the case. I have also forced the ServerSSL Profile to use only non-ECDHE ciphers as I know ssldump cannot decrypt these.

 

The ssldump utility runs without error but the PMS file is always blank for server-side sessions.

 

I am starting to think this may be a limitation of the ssldump utility i.e. not able to derive the symmetric key when the F5 is the Client!

 

Any help would be greatly appreciated.

 

 

Cheers,

 

David

 

tcpdump to capture the server-side traffic

tcpdump -i vlan_100_internal -vvv -nnn host 10.0.100.9 and host 10.0.100.41 -s0 -w /var/tmp/server_ssl_3.cap (where .9 is F5 SNAT and .41 is WebServer)

 

ssldump referencing the tcpdump

ssldump -r /var/tmp/server_ssl_3.cap -k /config/filestore/files_d/Common_d/certificate_key_d/\:Common:my_serversidessl.key_80077_1 -M /var/tmp/server_ssl_3.pms

 

4 Replies

  • Hello.

    Have you checked that the server hello message has selected a ciphersuite with an RSA exchange?

    cipherSuite TLS_RSA_WITH_...

    Remember this:

    "Depending on the cipher negotiated, the ssldump utility may not be able to derive enough information from the SSL handshake and the server’s private key to decrypt the application data. Examples of such SSL ciphers would be the Diffie-Hellman Ephemeral (DHE) cipher suites and export-grade RSA cipher suites"

    REF - https://support.f5.com/csp/article/K10209

    BTW, in my case I don't use ssldump to get the pms anymore. I use this now -> https://support.f5.com/csp/article/K12783074

    KR,

    Dario.

  • Hi Dario,

     

    Thanks for the reply.

     

    I had forced the Server-side connection to use a cipher that ssldump can understand:

     

    BIG-IP to Web Server

    New TCP connection #1: 10.0.100.9(34913) <-> 10.0.100.41(443)

    1 1 0.0010 (0.0010) C>S Handshake

       ClientHello

        Version 3.3

        cipher suites

         TLS_RSA_WITH_AES_128_GCM_SHA256

         TLS_EMPTY_RENEGOTIATION_INFO_SCSV

        compression methods

             NULL

     

    Web Server to BIG-IP

    1 2 0.0021 (0.0010) S>C Handshake

       ServerHello

        Version 3.3

        session_id[32]=

         de a8 c1 05 4f 25 f0 fc 5d ee 9c b1 d1 8c 20 63

         4e 97 3a c7 f4 5d 4a 91 f0 db 4b 57 57 65 d2 e6

        cipherSuite     TLS_RSA_WITH_AES_128_GCM_SHA256

        compressionMethod          NULL

        extensions

         renegotiation_info

     

    In production I also use the iRule to gather the RSA Session ID too, which works fine on the server-side. I just wanted to know whether, if applying an iRule wasn't an option, this could be done with the SSLDump utility.

     

    Cheers,

     

    David

    • Dario_Garrido

      Hello.

       

      Could you check if your ServerKeyExchange message has a "not negotiated" value?

       

      BTW, I recommend this link for interesting tips about ssldump.

      REF - https://packetpushers.net/using-ssldump-decode-ssltls-packets/

       

      KR,

      Dario.

  • Hi Dario,

     

    There isn't a ServerKeyExchange in this flow, only a ClientKeyExchange. The only time a ServerKeyExchange would be sent from the back-end server would be if we were using Diffie-Hellman ciphers, which allows the Client instigating the connection to obtain more information from the Server in order to derive a PreMaster Secret (symmetric key).

     

    Thanks for the link, I'll give it a good read over.

     

    Cheers,

     

    David
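
The checks discussed in the replies (negotiated cipherSuite, presence of ServerKeyExchange and ClientKeyExchange) can be run over ssldump's text output per connection. This is an added example, not part of any post in the thread; the function names and the sample text (including connections #2 and #3) are constructed for illustration.

```python
import re

# Constructed sample in ssldump's text layout, modelled on the output quoted in the thread.
SAMPLE = """\
New TCP connection #1: 10.0.100.9(34913) <-> 10.0.100.41(443)
1 1 0.0021 (0.0021) S>C Handshake
   ServerHello
    cipherSuite     TLS_RSA_WITH_AES_128_GCM_SHA256
1 2 0.0030 (0.0009) C>S Handshake
   ClientKeyExchange
New TCP connection #2: 10.0.100.9(34914) <-> 10.0.100.41(443)
2 1 0.0012 (0.0012) S>C Handshake
   ServerHello
    cipherSuite     TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
   ServerKeyExchange
New TCP connection #3: 10.0.100.9(34915) <-> 10.0.100.41(443)
3 1 0.0011 (0.0011) S>C Handshake
   ServerHello
    cipherSuite     TLS_RSA_WITH_AES_128_GCM_SHA256
"""

RECORD = re.compile(r"^\s*(\d+)\s+\d+\s+[\d.]+\s+\([\d.]+\)\s+[CS]>[CS]\s+\S+")
SUITE = re.compile(r"^\s*cipherSuite\s+(\S+)")
TRACKED = {"ServerHello", "ServerKeyExchange", "ClientKeyExchange"}

def summarize(text):
    """Return {connection number: {"suite": str or None, "messages": set}}."""
    conns, current = {}, None
    for line in text.splitlines():
        rec = RECORD.match(line)
        if rec:  # record header: the first field is the connection number
            current = conns.setdefault(int(rec.group(1)), {"suite": None, "messages": set()})
        elif current is not None:
            suite = SUITE.match(line)
            if suite:
                current["suite"] = suite.group(1)
            elif line.strip() in TRACKED:
                current["messages"].add(line.strip())
    return conns

def verdict(conn):
    """Say whether the handshake carries an RSA-encrypted pre-master secret."""
    if conn["suite"] is None:
        return "no ServerHello in capture"
    if not conn["suite"].startswith("TLS_RSA_WITH_") or "ServerKeyExchange" in conn["messages"]:
        return "not static RSA key exchange"
    if "ClientKeyExchange" not in conn["messages"]:
        return "no ClientKeyExchange (resumed session or partial capture)"
    # The PMS in ClientKeyExchange is encrypted to the public key in the server's certificate.
    return "static RSA: PMS recoverable with the server certificate's private key"
```

Pass the text printed by `ssldump -r <capture>` to `summarize()` and call `verdict()` on each entry.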