Capturing Pre-Master Secret (Symmetric key) using ssldump utility
Hello all,
I have been testing the ssldump utility to try and decrypt TLS traffic on the server-side but I cannot get the ssldump utility to capture the RSA Session Keys and output them to a .pms file as per https://support.f5.com/csp/article/K10209
I can successfully capture the PMS when I perform the same function on the Client-side (where the F5 is the Server) but not on the Server-side (where the F5 is the Client).
I can capture the PMS using an iRule on the Server-side and then use this to decrypt the server-side TLS but I want to be able to do this without an iRule as per the SOL doc.
I have tuned the Server-side SSL Profile to not use existing TLS sessions to ensure a new Session Key is negotiated each time, and I also use an Incognito browser to make double sure this is the case. I have also forced the ServerSSL Profile to use only non-ECDHE ciphers as I know ssldump cannot decrypt these.
The ssldump utility runs without error but the PMS file is always blank for server-side sessions.
I am starting to think this may be a limitation of the ssldump utility i.e. not able to derive the symmetric key when the F5 is the Client!
Any help would be greatly appreciated.
Cheers,
David
tcpdump to capture the server-side traffic
tcpdump -i vlan_100_internal -vvv -nnn -s0 -w /var/tmp/server_ssl_3.cap host 10.0.100.9 and host 10.0.100.41
(where .9 is F5 SNAT and .41 is WebServer)
ssldump referencing the tcpdump
ssldump -r /var/tmp/server_ssl_3.cap -k /config/filestore/files_d/Common_d/certificate_key_d/\:Common:my_serversidessl.key_80077_1 -M /var/tmp/server_ssl_3.pms
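Added example, not part of the original post or of the F5 article: in a TLS 1.2 RSA key exchange the 48-byte pre-master secret travels in the ClientKeyExchange encrypted under the public key of the certificate the server presented, so the matching private key is what recovers it; the code below shows the step ssldump performs afterwards, turning that PMS into the master secret and the symmetric record keys, and writing a key-log line Wireshark accepts. The PMS and the two randoms are constructed sample values, and TLS_RSA_WITH_AES_128_GCM_SHA256 is assumed for the key-block layout.

```python
import hmac
import hashlib

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion from RFC 5246 section 5 (the TLS 1.2 PRF)."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]

def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    return p_sha256(secret, label + seed, length)

def master_secret(pms: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """RFC 5246 section 8.1: PRF(pms, "master secret", client_random + server_random), 48 bytes."""
    if len(pms) != 48 or len(client_random) != 32 or len(server_random) != 32:
        raise ValueError("RSA pre-master secret is 48 bytes, each random is 32 bytes")
    return tls12_prf(pms, b"master secret", client_random + server_random, 48)

def record_keys(ms: bytes, client_random: bytes, server_random: bytes) -> dict:
    """RFC 5246 section 6.3 key expansion for TLS_RSA_WITH_AES_128_GCM_SHA256 (assumed suite):
    no MAC keys, two 16-byte AES keys, two 4-byte fixed IVs, so a 40-byte key block.
    Note the randoms are concatenated server-first here, unlike the master secret."""
    block = tls12_prf(ms, b"key expansion", server_random + client_random, 40)
    return {
        "client_write_key": block[0:16],
        "server_write_key": block[16:32],
        "client_write_iv": block[32:36],
        "server_write_iv": block[36:40],
    }

def key_log_line(client_random: bytes, ms: bytes) -> str:
    """NSS key log line as read by Wireshark's (Pre)-Master-Secret log file setting."""
    return f"CLIENT_RANDOM {client_random.hex()} {ms.hex()}"

if __name__ == "__main__":
    # Constructed sample values, not taken from a real capture. A real RSA PMS
    # begins with the client's offered protocol version, 0x0303 for TLS 1.2.
    pms = b"\x03\x03" + bytes(range(46))
    client_random = bytes([0x11] * 32)
    server_random = bytes([0x22] * 32)
    ms = master_secret(pms, client_random, server_random)
    print(key_log_line(client_random, ms))
    for name, value in record_keys(ms, client_random, server_random).items():
        print(f"{name}: {value.hex()}")
```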