Ganesh_Garg
Aug 20, 2016Nimbostratus
SSL passphrase lost
Is there any way to retrieve or decrypt the SSL passphrase from F5 as I lost the passphrase. From the article SOL14912, it seems that the retrieval is not possible.
Is there any way to retrieve or decrypt the SSL passphrase from F5 as I lost the passphrase. From the article SOL14912, it seems that the retrieval is not possible.
I used the HTTP monitor trick described here, it worked perfectly :) The monitor needed to have username as well as password set, to send any Authorization: Basic request header.
;-)
Cheers, Kai
Hi Ganesh,
the passphrase is encrypted using the device master key. As long the master key of your device group hasn't changed or (at least) you've created a backup of the master-key, you will be able to restore entire UCS archives or even partial configurations containing secure strings.
https://support.f5.com/kb/en-us/solutions/public/9000/400/sol9420.html
https://devcentral.f5.com/articles/working-with-masterkeys
With this knowledge in mind, you can also fairly easily decrypt a specific secure-string back to plaintext without even knowing the cryptography behind. Just
tsmh /list
the related configuration, grep the containing $M$
secure-string and create for an example a new HTTP health-monitor containing the exported secure-string as password (via tmsh load sys config merge from-terminal
). Attach the monitor to a node of your choice and then use tcpdump/wireshark to sniff the password (aka. B64 credentials) on the wire...
Cheers, Kai
You helped me a lot too. Thanks!
I would say not possible but I have never explored the options of trying to retrieve it.