fips
4 Topics

Decrypting tcpdumps in Wireshark without key files (such as when FIPS is in use)
Problem this snippet solves:

This procedure allows you to decrypt a tcpdump made on the F5 without requiring access to the key file. Despite multiple F5 pages that claim to document this procedure, none of them worked for me. This solution includes the one working iRule I found, trimmed down to the essentials. The bash command is my own; it generates a file, from the LTM log lines written by the iRule, with all the elements needed to decrypt the tcpdump in Wireshark 3.x.

How to use this snippet:

1. Upgrade Wireshark to version 3+.

2. Apply this iRule to the virtual server targeted by the tcpdump:

    rule sessionsecret {
        when CLIENTSSL_HANDSHAKE {
            log local0.debug "CLIENT_RANDOM [SSL::clientrandom] [SSL::sessionsecret]"
            log local0.debug "RSA Session-ID:[SSL::sessionid] Master-Key:[SSL::sessionsecret]"
        }
        when SERVERSSL_HANDSHAKE {
            log local0.debug "CLIENT_RANDOM [SSL::clientrandom] [SSL::sessionsecret]"
            log local0.debug "RSA Session-ID:[SSL::sessionid] Master-Key:[SSL::sessionsecret]"
        }
    }

3. Run tcpdump on the F5 using all required hooks to grab both client and server traffic:

    tcpdump -vvni 0.0:nnnp -s0 host <ip> -w /var/tmp/`date +%F-%H%M`.pcap

4. Conduct tests to reproduce the problem, then stop the tcpdump (Control-C) and remove the iRule from the virtual server.

5. Collect the log lines into a file:

    grep -oe "RSA Session.*$" -e "CLIENT_RANDOM.*$" /var/log/ltm > /var/tmp/pms

6. Copy the .pcap and pms files to the computer running Wireshark 3+.

7. Reference the "pms" file in Wireshark > Preferences > Protocols > TLS > (Pre)-Master-Secret log filename (hence the pms file name).

8. Ensure that the Wireshark > Analyze > Enabled Protocols > "F5 Ethernet trailer" and "f5ethtrailer" boxes are checked.

9. Open the PCAP file in Wireshark; it will be decrypted.

IMPORTANT TIP: Decrypting any large tcpdump brings a workstation to its knees, even to the point of running out of memory.
A much better approach is to temporarily move the pms file, open the tcpdump in its default encrypted state, identify the problem areas using filters or F5 TCP conversation, and export them to a much smaller file. Then you can move the pms file back to the expected location and decrypt the smaller file quickly and without significant impact on the CPU and memory.

Code: Please refer to the "How to use this Code Snippet" section above.

This procedure was successfully tested in 12.1.2 with a full-proxy virtual server.

Tested this on version: 12.1

1.9K Views, 8 likes, 8 Comments
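The log-collection step of the post above (step 5), as an added example that is not part of the original post and not F5's code. The one-line grep in the post copies every matching log line verbatim, including lines with an empty Session-ID and duplicates from repeated handshakes. The script below does the same extraction on the workstation side, but only keeps entries whose fields have the lengths Wireshark's key log format expects (32-byte client random, 48-byte master secret, both hex), drops entries with an empty Session-ID, and de-duplicates while preserving order. Assumptions: the syslog prefix layout of the sample lines (which are constructed, with placeholder hex values, not real secrets) is a guess at how a `log local0.debug` call from the `sessionsecret` iRule lands in /var/log/ltm; the regexes only depend on the `CLIENT_RANDOM ...` and `RSA Session-ID:... Master-Key:...` text the iRule itself writes, so the prefix does not matter. `CLIENT_RANDOM` lines carrying a master secret decrypt TLS 1.2 and earlier only; TLS 1.3 uses per-secret labels that this iRule does not emit.

```python
"""Build a Wireshark (Pre)-Master-Secret log ("pms" file) from BIG-IP LTM log lines.

Added example, not from the original post. The sample log lines are constructed:
the iRule in the post writes "CLIENT_RANDOM <hex> <hex>" and
"RSA Session-ID:<hex> Master-Key:<hex>" via log local0.debug; the syslog prefix
in front of them is an assumption about /var/log/ltm layout.
"""
import re
import sys

# Wireshark's NSS key log format for TLS 1.2 and earlier:
#   CLIENT_RANDOM <32-byte client random, hex> <48-byte master secret, hex>
#   RSA Session-ID:<session id, hex> Master-Key:<48-byte master secret, hex>
# Exact lengths are enforced so a truncated or mangled log line is dropped
# rather than written into the pms file.
CLIENT_RANDOM_RE = re.compile(r"CLIENT_RANDOM ([0-9a-fA-F]{64}) ([0-9a-fA-F]{96})\b")
SESSION_ID_RE = re.compile(r"RSA Session-ID:([0-9a-fA-F]{2,64}) Master-Key:([0-9a-fA-F]{96})\b")

# Constructed sample of /var/log/ltm (prefix layout is an assumption).
# Hex values are placeholders of the right length, not real secrets.
# Line 4 has an empty Session-ID, line 5 repeats line 1, line 6 is unrelated.
SAMPLE_LTM_LOG = """\
Jan 10 10:00:01 bigip1 debug tmm[12345]: Rule /Common/sessionsecret <CLIENTSSL_HANDSHAKE>: CLIENT_RANDOM {cr1} {ms1}
Jan 10 10:00:01 bigip1 debug tmm[12345]: Rule /Common/sessionsecret <CLIENTSSL_HANDSHAKE>: RSA Session-ID:{sid1} Master-Key:{ms1}
Jan 10 10:00:01 bigip1 debug tmm[12345]: Rule /Common/sessionsecret <SERVERSSL_HANDSHAKE>: CLIENT_RANDOM {cr2} {ms2}
Jan 10 10:00:01 bigip1 debug tmm[12345]: Rule /Common/sessionsecret <SERVERSSL_HANDSHAKE>: RSA Session-ID: Master-Key:{ms2}
Jan 10 10:00:02 bigip1 debug tmm[12345]: Rule /Common/sessionsecret <CLIENTSSL_HANDSHAKE>: CLIENT_RANDOM {cr1} {ms1}
Jan 10 10:00:03 bigip1 notice mcpd[4321]: 01070638:5: Pool /Common/web_pool member /Common/10.0.0.5:443 monitor status up.
""".format(cr1="11" * 32, ms1="aa" * 48, sid1="22" * 32, cr2="33" * 32, ms2="bb" * 48)


def extract_keylog_entries(log_text):
    """Return ordered, de-duplicated key log lines found in LTM log text.

    Lines that are not iRule secret output, or whose fields are malformed
    (wrong length, empty Session-ID), are skipped.
    """
    entries = []
    seen = set()
    for line in log_text.splitlines():
        m = CLIENT_RANDOM_RE.search(line)
        if m:
            entry = "CLIENT_RANDOM %s %s" % (m.group(1).lower(), m.group(2).lower())
        else:
            m = SESSION_ID_RE.search(line)
            if not m:
                continue
            entry = "RSA Session-ID:%s Master-Key:%s" % (m.group(1).lower(), m.group(2).lower())
        if entry not in seen:
            seen.add(entry)
            entries.append(entry)
    return entries


def write_pms_file(log_text, path):
    """Write the extracted entries to `path` in Wireshark's key log format.

    Returns the number of entries written.
    """
    entries = extract_keylog_entries(log_text)
    with open(path, "w") as f:
        for entry in entries:
            f.write(entry + "\n")
    return len(entries)


if __name__ == "__main__":
    # Usage: python build_pms.py /path/to/ltm > pms   (no argument: sample data)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LTM_LOG
    for entry in extract_keylog_entries(text):
        print(entry)
```

On the sample data the script yields three entries: the duplicate handshake and the empty Session-ID line are dropped, and the unrelated mcpd line is ignored. Two operational notes: the pms file and /var/log/ltm (plus its rotated copies) now contain master secrets for every session that went through the virtual server while the iRule was attached, so delete the pms file when the analysis is done and treat the LTM log as sensitive until those lines have rotated out; and the file can be fed to Wireshark directly in place of the grep output from step 5.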
Moving FIPS keys from 8900 to 10200

Hello,

According to the doc, it seems likely that FIPS-2 key sync is not possible between 8900 and 10200 due to FIPS hardware differences (no exact platform mention, but it's close enough): https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-platform-fips-administration.pdf?sr=32944290

    Important: Because of hardware differences, it is not possible to synchronize security domains between the newer platforms (10000/11000/11050 platforms) and older platforms (6900/8900 platforms).

Q: Assuming identical software version and security world configuration, is there an alternate way to move FIPS keys from 8900 to 10200?

Regards,

323 Views, 0 likes, 1 Comment

Unable to import SSL Keys in FIPS
Hi F5 Community!

I have to upgrade the hardware of an LTM cluster. FIPS is enabled on these platforms. I have activated FIPS on the new cluster. When I try to import SSL keys on the new BIG-IP from the old cluster, none of the keys in FIPS mode can be imported on the new appliance. I'm getting the following message in the GUI and in SSH:

    Dec 7 12:29:22 Fips-1 err mcpd[7623]: 010713e4:3: FIPS subsystem reported error while attempting file object operation: import_key_file: failed to open key file(s) /config/ssl/ssl.cavfips/.exp, /config/ssl/ssl.cavfips/.exp, /config/ssl/ssl.cavfips/.key.exp.
    Dec 7 12:29:22 Fips-1 err mcpd[7623]: 01070712:3: Caught configuration exception (0), unable to import key (/Common/****.key) in FIPS card.

Have you met this type of error? And if yes, what is the workaround?

Thanks for your help,
B.

230 Views, 0 likes, 0 Comments

FIPS HSM
I am trying to validate the F5 FIPS models at http://csrc.nist.gov/cryptval/140-1/1401val.htm for a STIG test, but the list does not have F5 Networks that I can find. Is the HSM vendor listed? If so, what is the actual device installed in the F5, so I can reference that certification letter?

198 Views, 0 likes, 1 Comment