
Decrypting SSL traffic - PMS and egress

Bartek (Cirrus)

Hi - two questions combined.

Background: I'm trying to capture and decipher tcpdump traffic both for Client -> VIP and for F5 -> Pool Member traffic.

I'm following this tutorial: Decrypt with tcpdump --f5 ssl

I managed to capture the frontend traffic, but I'm struggling with creating the PMS key. I want to automate it using the provided Wireshark command-line command, but I get the error:

C:\Program Files\Wireshark: invalid option -- 'T'
C:\Program Files\Wireshark: invalid option -- 'e'

I'm using Wireshark 3.4.8; what would be the equivalent options for my version? Unfortunately, using Linux in this environment is out of the question. I can only work on a Windows stepping stone and can't send the captures to my PC.

Second issue:

Capturing the backend traffic does not produce the F5 TLS data in the pcap capture... The server SSL profile is present, but I have no idea how to force the --f5 ssl option in tcpdump to capture the keys.

I will appreciate any advice; it is my second day struggling with this issue.

7 REPLIES

CA_Valli (Cumulonimbus)

Hello, I usually use an iRule to log and collect secrets, which I'm attaching. This saves the info in plain text in the LTM log file; eventually you can force log rotation and manually bulk-delete all lines from this iRule in the "ltm.1" file when you're done.

To retrieve the info and create the PMS file, run this from the bash shell.

# TLS 1.2 with RSA key exchange: keep only the "RSA Session-ID:... Master-Key:..." part of each matching line
# (s///: strip everything before the label; tx: jump to label x if the substitution matched; d: otherwise drop the line)
sed -e 's/^.*\(RSA Session-ID\)/\1/;tx;d;:x' /var/log/ltm > /var/tmp/sessionsecrets.pms
# TLS 1.2 with (EC)DHE: append the "CLIENT_RANDOM <client random> <master secret>" lines
grep -h -o 'CLIENT_RANDOM.*' /var/log/ltm >> /var/tmp/sessionsecrets.pms

To import the PMS file in Wireshark:

Edit -> Preferences -> Protocols -> SSL -> (Pre)-Master Secret log filename [Browse]

Juergen_Mang (Cirrus)

You must use tshark, NOT Wireshark, to automate pre-master secret file creation.

This solution and the solution from CA_Valli do NOT work for TLS 1.3.

To also capture backend traffic you must use the "-i 0.0:nnnp" option for tcpdump.

But it is possible to decrypt TLS 1.3 as well; you must extract the following fields from the dump:

  • CLIENT_EARLY_TRAFFIC_SECRET
  • CLIENT_HANDSHAKE_TRAFFIC_SECRET
  • SERVER_HANDSHAKE_TRAFFIC_SECRET
  • CLIENT_TRAFFIC_SECRET_0
  • SERVER_TRAFFIC_SECRET_0

In my tests tshark fails to dump this correctly. My old plan is to create a GitHub repo and upload my script that extracts all pre-master secrets for all TLS versions.

You can decrypt TLS 1.3 with the iRule method, but you have to use the correct iRule, as here: https://clouddocs.f5.com/training/community/adc/html/class4/module1/lab12.html#decrypt-ssl-with-irul....  
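
The two recipes above (CA_Valli's sed/grep for the TLS 1.2 log lines, and Juergen's list of TLS 1.3 secret labels) combined into one script, as an added example; this is not code from the thread, from the F5 lab, or from the linked GitHub repo. It assumes the iRule writes each secret at the end of an ordinary ltm log line, already in Wireshark key-log form ("<label> <hex> <hex>" or "RSA Session-ID:<hex> Master-Key:<hex>"). The sample log lines and hex values are constructed for the example and are not real F5 output or real secrets.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or the linked repo): build a Wireshark
# (Pre)-Master-Secret log from TLS secrets an iRule has written to /var/log/ltm.
# Assumption: each secret sits at the end of its log line in key-log form.
set -u

# Labels Wireshark's key log reader understands: the two TLS 1.2 forms
# CA_Valli's sed/grep collects, plus the TLS 1.3 per-secret labels Juergen lists.
KEYLOG_LABELS='RSA Session-ID:|CLIENT_RANDOM|CLIENT_EARLY_TRAFFIC_SECRET|CLIENT_HANDSHAKE_TRAFFIC_SECRET|SERVER_HANDSHAKE_TRAFFIC_SECRET|CLIENT_TRAFFIC_SECRET_0|SERVER_TRAFFIC_SECRET_0'

# make_keylog LOGFILE OUTFILE
# Keeps each matching line from its label to the end of the line (dropping the
# syslog prefix: timestamp, host, tmm pid, iRule name and event) and removes
# duplicates, since the same secret may be logged more than once.
make_keylog() {
  local log="$1" out="$2"
  grep -h -o -E "($KEYLOG_LABELS).*" "$log" | sort -u > "$out"
}

# keylog_count OUTFILE: number of usable entries, printed to stdout.
keylog_count() {
  grep -c -E "^($KEYLOG_LABELS)" "$1"
}

# Constructed sample log for this example. The hex values are placeholders, the
# duplicate CLIENT_RANDOM line stands for a secret logged twice, and the mcpd
# line is unrelated noise that must not end up in the key log.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Oct  5 10:00:01 bigip1 info tmm[12345]: Rule /Common/log_tls_secrets <CLIENTSSL_HANDSHAKE>: RSA Session-ID:0a0b0c0d Master-Key:00112233445566778899aabbccddeeff
Oct  5 10:00:02 bigip1 info tmm[12345]: Rule /Common/log_tls_secrets <CLIENTSSL_HANDSHAKE>: CLIENT_RANDOM 1111111111111111 2222222222222222
Oct  5 10:00:02 bigip1 info tmm[12345]: Rule /Common/log_tls_secrets <SERVERSSL_HANDSHAKE>: CLIENT_RANDOM 1111111111111111 2222222222222222
Oct  5 10:00:03 bigip1 info tmm[12345]: Rule /Common/log_tls_secrets <CLIENTSSL_HANDSHAKE>: CLIENT_HANDSHAKE_TRAFFIC_SECRET aaaa bbbb
Oct  5 10:00:03 bigip1 info tmm[12345]: Rule /Common/log_tls_secrets <CLIENTSSL_HANDSHAKE>: SERVER_HANDSHAKE_TRAFFIC_SECRET aaaa cccc
Oct  5 10:00:03 bigip1 info tmm[12345]: Rule /Common/log_tls_secrets <CLIENTSSL_HANDSHAKE>: CLIENT_TRAFFIC_SECRET_0 aaaa dddd
Oct  5 10:00:03 bigip1 info tmm[12345]: Rule /Common/log_tls_secrets <CLIENTSSL_HANDSHAKE>: SERVER_TRAFFIC_SECRET_0 aaaa eeee
Oct  5 10:00:04 bigip1 notice mcpd[1000]: 01070638:5: Pool /Common/web_pool member /Common/10.0.0.10:443 monitor status up.
EOF

KEYLOG="$(mktemp)"
make_keylog "$SAMPLE_LOG" "$KEYLOG"
echo "wrote $(keylog_count "$KEYLOG") key log entries to $KEYLOG:"
cat "$KEYLOG"
```

On the BIG-IP the call would be `make_keylog /var/log/ltm /var/tmp/sessionsecrets.pms`, after which the file is imported through the Wireshark preference CA_Valli shows. The output file holds live session keys for every connection the iRule logged, so treat it like the log itself: copy it off only where the capture goes, and delete it and rotate the log once the analysis is done.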

 

David_Larsen (F5 Employee)

You have to use the command-line tshark.exe. The other gotcha here is that, with Wireshark running, you have to have the F5 protocols enabled under Analyze -> Enabled Protocols: search for F5 and make sure all the F5 protocols are enabled, otherwise the filters in that command line will not work properly. Once you enable the protocols in the Wireshark GUI, the tshark.exe command line has them enabled as well.

Juergen_Mang (Cirrus)

I have now uploaded my script to generate the PMS file out of the tcpdump file captured with the SSL provider enabled. This script works for all TLS versions and decrypts client-side and server-side traffic.

I use this script in my daily job and I hope it can help other people as well!

https://github.com/JuergenMang/f5-tls-decrypt

Leslie_Hubertus (Community Manager)

@Bartek  - lots of answers here - did any of them get you where you needed to go? If yes, please make sure to mark it as an Accepted Solution so other users with your issue can quickly find help and the author gets credit. 🙂