Forum Discussion

Allwyn_Mascaren's avatar
Allwyn_Mascaren
Icon for Cirrus rankCirrus
Dec 30, 2018

Unable to decrypt using SSL::sessionsecret iRules command

Fellas, I am using this irule: when CLIENTSSL_HANDSHAKE { if {[IP::addr [IP::client_addr] equals 172.22.200.178] } { log local0. "========CLIENT SIDE===================" log local0. "Clien...
big-ip ltm
LTM
security
DaveS_377638's avatar
DaveS_377638
Icon for Cirrus rankCirrus

SSL::sessionid returns the current connection's SSL session ID if it exists in the session cache.

 

A Cache Size setting of 0 disables SSL session caching for the profile, which means the Session ID will not be cached and the command will return a null string.

 

DaveS's avatar
DaveS
Icon for Nimbostratus rankNimbostratus
Jan 01, 2019

I assume you're following the process outlined here:

 

K16700: Decrypting SSL traffic using the SSL::sessionsecret iRules command

 

Yes, you'll need to use the CLIENT_RANDOM option with the random byte string as the identifier and sessionsecret string for the master key string.

 

If there are multiple connections in the packet capture then you will need to look at all the client source ports used so that the Master Secret log file contains multiple lines, each with the random byte string with the matched key string. As noted in the steps, the syntax is important.

 

If you're still having issues with the decryption then enabling SSL debugging in Wireshark and looking at the output this produces should indicate what's going wrong.