Allwyn_Mascaren
Dec 30, 2018

Unable to decrypt using SSL::sessionsecret iRules command

Fellas,

I am using this irule:

when CLIENTSSL_HANDSHAKE {
    if { [IP::addr [IP::client_addr] equals 172.22.200.178] } {
        log local0. "========CLIENT SIDE==================="
        log local0. "Client IP: [IP::client_addr]"
        log local0. "TCP source port: [TCP::remote_port]"
        log local0. "RSA Session-ID:[SSL::sessionid] Master-Key:[SSL::sessionsecret]"
        log local0. "======================================"
        log local0. " "
    }
}

And the output I get is this:

: ========CLIENT SIDE===================
Dec 30 14:56:15 akm-bigip1 info tmm1[9611]: Rule /Common/SSL-Decrypt : Client IP: 172.22.200.178
Dec 30 14:56:15 akm-bigip1 info tmm1[9611]: Rule /Common/SSL-Decrypt : TCP source port: 57050
Dec 30 14:56:15 akm-bigip1 info tmm1[9611]: Rule /Common/SSL-Decrypt : RSA Session-ID: Master-Key:dccbfb5e3df9205cd6ddb76aba683c2f262dfbacb7b88afdd390e011902c940782d371f1acfb1c5267a1d4cdced5ada9

Why am I not getting the session id here?

Also I have followed the steps to disable cache by setting it to 0 and cipher is only AES+RSA.

What am I missing???

10 Replies

  • DaveS

    SSL::sessionid returns the current connection's SSL session ID if it exists in the session cache.

    A Cache Size setting of 0 disables SSL session caching for the profile, which means the Session ID will not be cached and the command will return a null string.

    • Allwyn_Mascaren

      Ahh ok, but then I need to get the CLIENT_RANDOM from the pcap file and add it with the sessionsecret to create the SSL dump file, right?

      This is still not decrypting the pcap.

    • DaveS

      I assume you're following the process outlined here:

      K16700: Decrypting SSL traffic using the SSL::sessionsecret iRules command

      Yes, you'll need to use the CLIENT_RANDOM option with the random byte string as the identifier and sessionsecret string for the master key string.

      If there are multiple connections in the packet capture then you will need to look at all the client source ports used so that the Master Secret log file contains multiple lines, each with the random byte string with the matched key string. As noted in the steps, the syntax is important.

      If you're still having issues with the decryption then enabling SSL debugging in Wireshark and looking at the output this produces should indicate what's going wrong.

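
An added example, not part of the thread or of K16700: a sketch that assembles the Master Secret log file described in the replies above, one CLIENT_RANDOM line per connection matched by client source port, and reports entries whose syntax would stop Wireshark from using them. It assumes TLS 1.2 or earlier and that the client randoms were already copied from each ClientHello in the capture; the function names and all sample values are constructed.

```python
import re

PORT_RE = re.compile(r"TCP source port: (\d+)")
KEY_RE = re.compile(r"Master-Key:\s*([0-9A-Fa-f]*)")

def secrets_by_port(log_text):
    """Pair each logged source port with the next Master-Key line.
    Assumes the lines of one handshake are not interleaved with another's."""
    found, port = {}, None
    for line in log_text.splitlines():
        if m := PORT_RE.search(line):
            port = int(m.group(1))
        elif (m := KEY_RE.search(line)) and port is not None:
            found[port] = m.group(1).lower()
            port = None
    return found

def build_keylog(log_text, client_randoms):
    """Return (key log lines, problems) for a {source_port: client_random_hex} map."""
    secrets, lines, problems = secrets_by_port(log_text), [], []
    for port, rnd in sorted(client_randoms.items()):
        rnd = re.sub(r"[:\s]", "", rnd).lower()   # accept aa:bb:... style copies
        secret = secrets.get(port)
        if secret is None:
            problems.append(f"port {port}: no Master-Key logged")
        elif not re.fullmatch(r"[0-9a-f]{64}", rnd):
            # The full 32 bytes are needed, including the leading 4-byte timestamp.
            problems.append(f"port {port}: client random is not 32 bytes of hex")
        elif not re.fullmatch(r"[0-9a-f]{96}", secret):
            problems.append(f"port {port}: master secret is not 48 bytes of hex")
        else:
            # One line per connection: label, identifier, key, single spaces.
            lines.append(f"CLIENT_RANDOM {rnd} {secret}")
    return lines, problems

# Constructed sample data (made-up hex values, not real keys).
PREFIX = "Dec 30 14:56:15 bigip1 info tmm1[9611]: Rule /Common/SSL-Decrypt : "
SAMPLE_LOG = "\n".join([
    PREFIX + "TCP source port: 57050",
    PREFIX + "RSA Session-ID: Master-Key:" + "0a" * 48,
    PREFIX + "TCP source port: 57051",
    PREFIX + "RSA Session-ID: Master-Key:" + "0b" * 47,   # truncated copy
])
SAMPLE_RANDOMS = {
    57050: ":".join(["11"] * 32),   # as copied from the ClientHello Random field
    57051: "22" * 32,
    57052: "33" * 32,               # connection in the pcap but not in the log
}

if __name__ == "__main__":
    keylog, problems = build_keylog(SAMPLE_LOG, SAMPLE_RANDOMS)
    print("\n".join(keylog + problems))
```

Only the lines returned in the first list belong in the file given to Wireshark; each reported problem is a connection that will stay encrypted in the capture.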