Altocumulusssldump not working for client side decrypt (tried everything)
I have a good capture from a fresh session (confirmed there is no resume flag from client)
Using Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d) which i believe is able to be decrypted with ssldump
When i use the following command to dump the pms log file it is always generated blank:
ssldump -r /shared/tmp/outside-1.cap -k /config/filestore/files_d/Common_d/certificate_key_d/\:Common\:x.x.x.x.key_58302_1 -M /shared/tmp/outside-1.pmsI've also tried running the above command as follows to remove the escape characters i.e.:
ssldump -r /shared/tmp/outside-1.cap -k /config/filestore/files_d/Common_d/certificate_key_d/:Common:x.x.x.x.key_58302_1 -M /shared/tmp/outside-1.pmsI also tried to use ssldump in real time to capture live traffic to the screen and received no output
- Are there any debug flags i can use with ssldump to get some more data ?
- It appears to me that ssldump just doens't like the certificate i'm using. Any idea's if there is anything i need to check in regards to the certificate (its definitely the same certificate i'm presented when i connect in the browser)
Unfortunately this is a web application as client to web server scenario so i have no way of just pulling the keys from the browser window on the client. I need to get this happening on the F5.
Thanks
I manged to get this working with F5 support via an alternative approach which doesn't require dumbing down the ciphers like ssldump does. Working with support they came up with an alternative approach which seems to be more reliable than ssldump
-
Disable all the ciphers which cannot be decrypted. On the F5 Goto the client SSL profile and in the ciphers box place defaut:!EXPORT:!DHE:!ECDHE This shouldn’t really effect anything for production traffic flowing through the appliances. Will only be applied on new connections and this should still leave plenty of ciphers available for most older browsers
-
Create the following irule and apply to VIP (shouldn’t cause any issues doing this during production hours as it’s based on very specific sources. Watch the formatting as any extra carriage returns will cause this irule to fail to be saved and applied in the GUI). The below example captures all Microsoft Exchange Online traffic (these subnets change so always check https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2bkmk_exo) for the latest:
` when CLIENTSSL_HANDSHAKE {
if {( [IP::addr [IP::client_addr]/31 equals 13.107.6.152]) or ([IP::addr [IP::client_addr]/31 equals 13.107.9.152]) or ([IP::addr [IP::client_addr]/31 equals "13.107.19.10"]) or ([IP::addr [IP::client_addr]/20 equals "23.103.160.0"]) or ([IP::addr [IP::client_addr]/19 equals "23.103.224.0"]) or ([IP::addr [IP::client_addr]/13 equals "40.96.0.0"]) or ([IP::addr [IP::client_addr]/15 equals "40.104.0.0"]) or ([IP::addr [IP::client_addr]/25 equals "70.37.151.128"]) or ([IP::addr [IP::client_addr]/21 equals "111.221.112.0"]) or ([IP::addr [IP::client_addr]/32 equals "131.253.33.215"]) or ([IP::addr [IP::client_addr]/16 equals "132.245.0.0"]) or ([IP::addr [IP::client_addr]/23 equals "134.170.68.0"]) or ([IP::addr [IP::client_addr]/28 equals "157.56.96.16"]) or ([IP::addr [IP::client_addr]/28 equals "157.56.96.224"]) or ([IP::addr [IP::client_addr]/28 equals "157.56.106.128"]) or ([IP::addr [IP::client_addr]/21 equals "157.56.232.0"]) or ([IP::addr [IP::client_addr]/20 equals "157.56.240.0"]) or ([IP::addr [IP::client_addr]/19 equals "191.232.96.0"]) or ([IP::addr [IP::client_addr]/32 equals "191.234.6.152"]) or ([IP::addr [IP::client_addr]/22 equals "191.234.140.0"]) or ([IP::addr [IP::client_addr]/22 equals "191.234.224.0"]) or ([IP::addr [IP::client_addr]/32 equals "204.79.197.215"]) or ([IP::addr [IP::client_addr]/19 equals "206.191.224.0"]) or ([IP::addr [IP::client_addr]/25 equals "207.46.150.128"]) or ([IP::addr [IP::client_addr]/26 equals "207.46.203.128"]) } {
log local0. "RSA Session-ID:[SSL::sessionid] Master-Key:[SSL::sessionsecret]"}
}
tail -f /var/log/ltm | grep Exchange-2013-._2007_ssl_dump2`’ and dump the output into a text file. Strip out everything before the ‘RSA Session-ID:4.Run a tail on the new log file searching for the name of the irule you created- On the client side use wireshark to capture on the client interface side and filter on source IP address. Example below to capture all Exchange online subnets:
tcpdump -s 0 -vvv -nni VLAN_PUBLIC-DMZ -w /shared/tmp/outside-5.cap "net 13.107.6.152/31 or net 13.107.9.152/31 or net 13.107.18.10/31 or net 13.107.19.10/31 or net 23.103.160.0/20 or net 23.103.224.0/19 or net 40.96.0.0/13 or net 40.104.0.0/15 or net 70.37.151.128/25 or net 111.221.112.0/21 or net 131.253.33.215/32 or net 132.245.0.0/16 or net 134.170.68.0/23 or net 157.56.96.16/28 or net 157.56.96.224/28 or net 157.56.106.128/28 or net 157.56.232.0/21 or net 157.56.240.0/20 or net 191.232.96.0/19 or net 191.234.6.152/32 or net 191.234.140.0/22 or net 191.234.224.0/22 or net 204.79.197.215/32 or net 206.191.224.0/19 or net 207.46.150.128/25 or net 207.46.203.128/26"- Once captured get the capture off the appliances via winscp7.Open wireshark and goto Edit, Preferences, Protocol, SSL, under (Pre)-Master-Secret log file name select the text file taken at step
- Click ok and open your capture. You should now be able to see application data packets raw http data.
Based on this discovery i wouldn't bother ssldump in the future.
-
