decryption
5 Topics

ssldump not working for client side decrypt (tried everything)
I have a good capture from a fresh session (confirmed there is no resume flag from client).

Using Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d), which I believe is able to be decrypted with ssldump.

When I use the following command to dump the pms log file, it is always generated blank:

    ssldump -r /shared/tmp/outside-1.cap -k /config/filestore/files_d/Common_d/certificate_key_d/\:Common\:x.x.x.x.key_58302_1 -M /shared/tmp/outside-1.pms

I've also tried running the above command as follows to remove the escape characters, i.e.:

    ssldump -r /shared/tmp/outside-1.cap -k /config/filestore/files_d/Common_d/certificate_key_d/:Common:x.x.x.x.key_58302_1 -M /shared/tmp/outside-1.pms

I also tried to use ssldump in real time to capture live traffic to the screen and received no output.

Are there any debug flags I can use with ssldump to get some more data? It appears to me that ssldump just doesn't like the certificate I'm using. Any ideas if there is anything I need to check in regards to the certificate? (It's definitely the same certificate I'm presented when I connect in the browser.)

Unfortunately this is a web application as client to web server scenario, so I have no way of just pulling the keys from the browser window on the client. I need to get this happening on the F5.

Thanks

Solved | 1.2K Views | 0 likes | 2 Comments

Resumed SSL session and decryption
Hi,

I tried to figure out if there is a way to decrypt a resumed SSL session in Wireshark if the first session with the full SSL handshake (including pre-master key exchange) is not captured. It seems that it's not possible even when the pre-master secret was captured via ssldump. But maybe I am doing something wrong?

Scenario:

1. tcpdump used to capture first session with full SSL Handshake
2. ssldump used to extract pre-master secret to the file
3. Wireshark is capturing traffic including first session - everything is encrypted
4. pre-master secret file configured in Wireshark - traffic decrypted, including following resumed sessions (same is true when private key is configured in Wireshark)
5. New capture in Wireshark performed
6. Client and server are still resuming SSL session (same SessionID reported in ClientHello) - no traffic decrypted.

Is the above correct? I assumed that when the original pre-master secret is known to Wireshark, it can generate the master key and use it for resumed sessions even without seeing the original full SSL Handshake.

Am I missing something here? Is that just a limitation of Wireshark, or is it not technically possible at all to decrypt a resumed session knowing the original pre-master key?

Sure, I am talking about RSA non-ephemeral cipher suites, in this case Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)

Piotr

899 Views | 0 likes | 7 Comments

SSL Orchestrator between client and explicit HTTP proxy
Hi DevCentral,

I am testing SSL Orchestrator with Inline mode (L2 / Transparent) in order to inspect cleartext web browsing traffic using an IPS device. The scenario is the following:

- Client that points directly to F5 as a gateway
- Client has explicit HTTP forward proxy configured on the browser (Mozilla) for HTTP & HTTPS traffic
- SSLO is placed inline with SNAT Automap that points to router connected to the Internet

I did a packet capture and I saw that the SSL handshake occurs between the client and the HTTP/HTTPS Forward proxy (tiny proxy) - using HTTP Connect / Proxy-Connect method - but the SSL decryption will not occur if the HTTP Forward proxy is configured on the client. (I am testing this because one of our customers would like to implement SSL Orchestrator, but actually the customer has an explicit HTTP proxy configured in order to provide web reputation filtering to the clients.)

The architecture flow is the following (starting from the source):

1. Client
2. F5 SSL Orchestrator
3. HTTP/HTTPS Forward Proxy (tinyproxy)
4. Internet

I'll expect to see that the traffic is decrypted correctly also using the HTTP forward proxy in place. (Actually it works for outbound decryption but without the HTTP forward proxy --> point 3.)

486 Views | 0 likes | 4 Comments

Resumed SSL session and decryption
Hi,

I tried to figure out if there is a way to decrypt a resumed SSL session in Wireshark if the first session with the full SSL handshake (including pre-master key exchange) is not captured. It seems that it's not possible even when the pre-master secret was captured via ssldump. But maybe I am doing something wrong?

Scenario:

1. tcpdump used to capture first session with full SSL Handshake
2. ssldump used to extract pre-master secret to the file
3. Wireshark is capturing traffic including first session - everything is encrypted
4. pre-master secret file configured in Wireshark - traffic decrypted, including following resumed sessions (same is true when private key is configured in Wireshark)
5. New capture in Wireshark performed
6. Client and server are still resuming SSL session (same SessionID reported in ClientHello) - no traffic decrypted.

Is the above correct? I assumed that when the original pre-master secret is known to Wireshark, it can generate the master key and use it for resumed sessions even without seeing the original full SSL Handshake.

Am I missing something here? Is that just a limitation of Wireshark, or is it not technically possible at all to decrypt a resumed session knowing the original pre-master key?

Sure, I am talking about RSA non-ephemeral cipher suites, in this case Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)

Piotr

262 Views | 0 likes | 0 Comments

Client Certificate and Mutual TLS
I'm trying to understand whether or not the BIG-IP can handle mutual auth. To be specific, I'm not interested in SSL offload, etc. I'd like for the BIG-IP to create back-to-back SSL sessions. The BIG-IP client side would use a CA-trusted cert.

Can such a thing be configured? Can the BIG-IP client-ssl profile function as a full SSL client? As I understand it, this would be required in order for the Handshake Protocol: Certificate Verify messages to be accepted through the duration of the SSL session setup.

Thanks in advance!

176 Views | 0 likes | 0 Comments