ssldump
7 Topicsssldump not working for client side decrypt (tried everything)
I have a good capture from a fresh session (confirmed there is no resume flag from client) Using Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d) which i believe is able to be decrypted with ssldump When i use the following command to dump the pms log file it is always generated blank: ssldump -r /shared/tmp/outside-1.cap -k /config/filestore/files_d/Common_d/certificate_key_d/\:Common\:x.x.x.x.key_58302_1 -M /shared/tmp/outside-1.pms I've also tried running the above command as follows to remove the escape characters i.e.: ssldump -r /shared/tmp/outside-1.cap -k /config/filestore/files_d/Common_d/certificate_key_d/:Common:x.x.x.x.key_58302_1 -M /shared/tmp/outside-1.pms I also tried to use ssldump in real time to capture live traffic to the screen and received no output Are there any debug flags i can use with ssldump to get some more data ? It appears to me that ssldump just doens't like the certificate i'm using. Any idea's if there is anything i need to check in regards to the certificate (its definitely the same certificate i'm presented when i connect in the browser) Unfortunately this is a web application as client to web server scenario so i have no way of just pulling the keys from the browser window on the client. I need to get this happening on the F5. ThanksSolved1.2KViews0likes2CommentsSSLDUMP "OpenSSL: decryption enabled." meaning..
I was playing with SSLDUMP in our lab-F5. I tried the Below command to capture some SSL Traffic. "SSLDUMP -r /path/xxx.pcap -i (interface) -dn host x.x.x.x". As a Result I got below message, "ssldump 0.9b3 Copyright (C) 1998-2001 RTFM, Inc. All rights reserved. Compiled with OpenSSL: decryption enabled" Does this mean, that I have enabled Decryption for the URL? I need to know what does this mean, so that I do not make same mistake on Production. Please help me providing clarification for the message.699Views0likes2CommentsWireshark not displaying application data for tcpdump using ssldump
Hello everyone I have been testing SSLdump and I have ran into what seems to be a Wireshark problem but I'm not sure. I have added a custom Client SSL Profile to exclude Diffie-Hellman algorithms using the following Cipher Option: NATIVE:!DH:!EDH:!DHE:!ADH:!ECDHE I have also adjusted the Cache Size to 0 sessions and Cache Timeout to 1 seconds so that we do not cache anything. During the SSL Handshake we select the TLS_RSA_WITH_AES_256_CBC_SHA256 and when running the SSLdump command I get entries in the PMS log AND I can see decrypted data. When I launch Wireshark and check the tcpdump + load the PMS I do not see any difference at all. When I check the follow SSL Stream I can see the decrypted data that I saw in the SSLdump. But the thing is I want to see the packets in the packet list so I can follow the SYN/ACK packets with the GET requests. But I do not see any GET requests at all. I noticed that when I have not added the PMS key I do not have any packet that states "Application Data" and I believe here is the problem. Here is how it looks when reviewing an F5 technician doing it: No PMS: With PMS: Here is how my output looks (No PMS): The output I can see in my ssldump is this: 1 10 1476792858.7953 (0.0006) C>SV3.3(336) application_data --------------------------------------------------------------- GET / HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Accept-Language: sv-SE User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: [Hidden] Connection: Keep-Alive Cache-Control: no-cache So there are application data but Wireshark does not want to display it in the Packet List. I'm currently running: * Wireshark - Version 1.12.5 (v1.12.5-0-g5819e5b from master-1.12) * F5: 12.1.0 Build: 0.0.1434 I'm running the exact same tcpdump command as the F5 engineer. You guys got any idea on how to display the packets in the Packet List?524Views0likes2CommentsUnable to generate PMS Key to decrypt SSL Traffic in Wireshark.
Hello Folks, Recently I was troubleshooting an issue, where SSL Offloading was configured on F5. I wanted to wrap off the TLS in order to analyze HTTP traffic. While generate the PMS key, I found following error on F5 CLI. Problem loading private key ERROR: Couldn't create network handler Customer has 2 pair of F5 appliances, and both are showing the same error message while generating PMS. Any clue? Cheers! Darshan443Views0likes3CommentsIssues with Proxy SSL
I have an Active Sync application where we are using the Proxy SSL on an ASM in order to pass client certificate authentication. We have started noticing that when sending messages with attachments bigger than roughly 2.5mb get an error that they are not sent. When tracing the connection and running it through ssldump I see the data packets start flowing from the client to the VIP on the ASM and then mid stream on the data connection I start seeing this in the SSLdump. Those messages go on for a few seconds until the server side closes the connection. There is no block in ASM and nothing in the LTM logs either. I check the ciphers and protocols supported on the server and they are all supported by the ASM. When I remove the ASM and let client talk directly to the server the issue clears up. Has anyone seen this before any thought would be helpful. I am running 11.4.1 HF7 in prod and I did try running it through a 11.5.2 HF1 build I have in my lab and the same issue occurs. 9 111 3.2153 (0.0009) C>SShort record Unknown SSL content type 1 9 112 3.2184 (0.0030) C>SShort record Unknown SSL content type 35 9 113 3.2202 (0.0018) C>SShort record Unknown SSL content type 241 9 114 3.2225 (0.0023) C>SShort record Unknown SSL content type 15 9 115 3.2243 (0.0018) C>SShort record Unknown SSL content type 242 9 116 3.2272 (0.0028) C>SShort record Unknown SSL content type 48 9 117 3.2290 (0.0017) C>SShort record Unknown SSL content type 0 9 118 3.2314 (0.0024) C>SShort record Unknown SSL content type 176 9 119 3.2338 (0.0023) C>SShort record Unknown SSL content type 197 9 120 3.2985 (0.0647) C>SShort record Unknown SSL content type 174 9 121 3.3009 (0.0023) C>SShort record Unknown SSL content type 230 9 122 3.3044 (0.0035) C>SShort record 9 123 3.4143 (0.1099) C>SV90.118(44194) bad MAC Unknown SSL content type 37259Views0likes1Comment