Forum Discussion

MDPF52_180608
Jul 27, 2015

SSLDump ServerSide

Hello DevCentral,

I want to ask you how I can examine the SSL traffic between the BIG-IP and the backend server.

The scenario is the following:

Client 1. <--SSL--> 2. (offloading) BIG-IP (new SSL tunnel) 3. <---SSL---> 4. Backend

I need to analyze the traffic at point 3 (at the moment I'm using the following server-ssl profile: ssl-insecure-compatible).

Thanks in advance,

Best regards,

M.

3 Replies

  • You will need to decrypt the traffic using the key from the backend server. If you move the key from the backend to the BIG-IP you can use ssldump to create the PMS file used in Wireshark to analyze the data.

    You also need to make sure you get the SSL handshake for the PMS process to work, so if you have OneConnect configured I would recommend turning it off while testing.

    Seth

  • Here's what that ssldump command should look like (once you've imported the server's SSL private key):

    # -k server private key, -A print all record fields, -d show application data,
    # -N parse ASN.1 (certificates), -n no name resolution, -i capture interface
    ssldump -k [path to server's private key] -AdNn -i 0.0 port 443 and host [IP of server]

    As Seth mentioned, you definitely want to turn off OneConnect while testing because ssldump needs to be able to see the original SSL handshake. This command will dump all of the cleartext data to the command line.

  • On BIG-IP VE TMOS v12.1.2 I tested a different approach:

    A "frontend" virtual server terminates SSL by using a client-ssl profile but does not re-encrypt (no server-ssl profile assigned).

    Instead the "frontend" virtual server has an iRule (please see below) to forward traffic to a 2nd "internal" virtual server on the same BIG-IP device (no pool assigned):

    # After the client-side SSL handshake completes, hand the (now decrypted)
    # connection to the internal virtual server, which re-encrypts to the pool
    when CLIENTSSL_HANDSHAKE {
        virtual vs_internal
    }

    The "internal" virtual server will re-encrypt by using a server-ssl profile to the pool of real servers. The tcpdump will target the interface "0.0:nnn" (capturing "F5 internal noise" to be decoded by the F5 Wireshark plugin) and filter on the "internal" virtual server's IP address.

    Please make sure to capture the whole packet ("-s 0") into the raw dump file specified by "-w", and limit the number of packets, i.e. "-c 10000":

    tcpdump -i 0.0:nnn -s 0 -c 10000 -w /var/tmp/internal.001.pcap host
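Both ssldump-based replies above rest on two conditions that are worth checking before spending time on a capture: the capture must contain the TLS handshake of the connection (not a connection that OneConnect reused mid-stream), and the negotiated cipher suite must use RSA key exchange, because ssldump -k decrypts with the server's private key and cannot recover sessions negotiated with (EC)DHE. The following Python script is an added example, not code from this thread or from F5: it walks the TLS record layer of both directions of one TCP connection (bytes you would extract from the tcpdump capture) and reports both conditions. The handshake bytes it analyses are constructed inline for the demonstration, and CIPHER_NAMES is a small hand-picked subset of IANA cipher suite values.

```python
"""Added example: pre-check a captured TLS stream before trying ssldump -k.

Given the two directions of one TCP connection (client->server and
server->client bytes), walk the TLS records and report whether the handshake
is present and whether the negotiated cipher suite uses RSA key exchange,
which is what decryption with the server private key requires.
"""
import struct

TLS12 = 0x0303
CT_HANDSHAKE, CT_APPDATA = 0x16, 0x17
HT_CLIENT_HELLO, HT_SERVER_HELLO = 1, 2

# Hand-picked subset of IANA cipher suite values (assumption: extend as needed).
CIPHER_NAMES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}


def tls_record(ctype, body):
    """Wrap body in a TLS record header: type(1) version(2) length(2)."""
    return struct.pack("!BHH", ctype, TLS12, len(body)) + body


def handshake_msg(htype, body):
    """Wrap body in a handshake header: type(1) length(3)."""
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


def build_client_hello(suites):
    """Constructed minimal TLS 1.2 ClientHello offering the given suites."""
    body = struct.pack("!H", TLS12) + b"\x11" * 32 + b"\x00"  # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"  # one compression method: null
    return tls_record(CT_HANDSHAKE, handshake_msg(HT_CLIENT_HELLO, body))


def build_server_hello(suite):
    """Constructed minimal TLS 1.2 ServerHello selecting one suite."""
    body = struct.pack("!H", TLS12) + b"\x22" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return tls_record(CT_HANDSHAKE, handshake_msg(HT_SERVER_HELLO, body))


def iter_records(data):
    """Yield (content_type, body) for each complete TLS record in data."""
    off = 0
    while off + 5 <= len(data):
        ctype, _version, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:
            break  # truncated record, e.g. a capture taken with a short snaplen
        yield ctype, body
        off += 5 + length


def iter_handshakes(body):
    """Yield (handshake_type, message) for each handshake message in a record body."""
    off = 0
    while off + 4 <= len(body):
        htype = body[off]
        hlen = int.from_bytes(body[off + 1:off + 4], "big")
        yield htype, body[off + 4:off + 4 + hlen]
        off += 4 + hlen


def server_hello_suite(msg):
    """Cipher suite from a ServerHello body: after version(2) random(32) session_id."""
    sid_len = msg[34]
    return struct.unpack("!H", msg[35 + sid_len:37 + sid_len])[0]


def analyze(client_to_server, server_to_client):
    """Report handshake presence and key-exchange type for one TCP connection."""
    r = {"client_hello": False, "server_hello": False, "suite": None, "app_data": False}
    for ctype, body in iter_records(client_to_server):
        if ctype == CT_HANDSHAKE:
            r["client_hello"] |= any(h == HT_CLIENT_HELLO for h, _ in iter_handshakes(body))
        elif ctype == CT_APPDATA:
            r["app_data"] = True
    for ctype, body in iter_records(server_to_client):
        if ctype == CT_HANDSHAKE:
            for htype, msg in iter_handshakes(body):
                if htype == HT_SERVER_HELLO:
                    r["server_hello"] = True
                    r["suite"] = server_hello_suite(msg)
        elif ctype == CT_APPDATA:
            r["app_data"] = True
    name = CIPHER_NAMES.get(r["suite"])
    if not (r["client_hello"] and r["server_hello"]):
        r["verdict"] = "handshake missing: capture starts mid-session (e.g. a reused OneConnect connection)"
    elif name is None:
        r["verdict"] = "unknown cipher suite 0x%04x: add it to CIPHER_NAMES" % r["suite"]
    elif name.startswith("TLS_RSA_WITH_"):
        r["verdict"] = "decryptable with the server private key (RSA key exchange, %s)" % name
    else:
        r["verdict"] = "not decryptable with the private key alone (%s uses (EC)DHE); a key log from an endpoint is needed" % name
    return r


if __name__ == "__main__":
    # Three constructed scenarios: RSA key exchange, ECDHE key exchange, and a
    # capture that only saw application data because the handshake was missed.
    print(analyze(build_client_hello([0x002F, 0xC02F]), build_server_hello(0x002F))["verdict"])
    print(analyze(build_client_hello([0xC02F]), build_server_hello(0xC02F))["verdict"])
    app_only = tls_record(CT_APPDATA, b"\x00" * 40)
    print(analyze(app_only, app_only)["verdict"])
```

On a real capture, feed analyze() the reassembled payload of each direction of the connection to the backend; a "handshake missing" verdict on a BIG-IP with OneConnect enabled is the symptom Seth describes, and an (EC)DHE verdict means moving the backend key to the BIG-IP will not help, whatever ssldump flags are used.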