SSL Decryption

There are two ways to decrypt the SSL traffic. Both ways require that you perform one of the following tasks before you take the TCP Capture.

SSL Decrypt from Windows Client

  1. To use the client to decrypt you must add a System Variable to log the session key data for decryption. On a windows client you would go into the Environment Variables and add a SSLKEYLOGFILE value to a text file on the machine as in the following image.

    ../../_images/system_variables.png

  2. Once the system variable has been put in place you can then launch a web browser and start the traffic that you want to analyze.

  3. Once the traffic has been captured you will import the capture file into Wireshark and configre the SSL options to use the pre-master key file defined in the system variables.

SSL Decrypt from Linux Client

  1. On the Ubuntu client open a terminal window and run the following commands:

    1
2
3
    touch session-key.log
export SSLKEYLOGFILE=/home/f5student/session-key.log
chromium-browser

  2. This will launch the Chrome browser and once you close the browser it will stop logging the SSL Session key data.

  3. Once the traffic has been captured you will import the capture file into Wireshark and configure the SSL options to use the session-key.log file.

SSL Decrypt from F5

More often you will not have access to modify the client in order to capture the SSL session data. The other option is to get the pre-master session data from the F5 itself by doing the following.

  1. Configure a new iRule as follows:

    1
2
3
4
5
6
7
    when CLIENTSSL_HANDSHAKE {
  log local0. "RSA Session-ID:[SSL::sessionid] Master-Key:[SSL::sessionsecret]"
}

when SERVERSSL_HANDSHAKE {
   log local0. "RSA Session-ID:[SSL::sessionid] Master-Key:[SSL::sessionsecret]"
}

  2. Apply this new iRule to the virtual server. In our lab environment the iRule has already been created and applied to the Virtual Server.

  3. You can now start a tcpdump and surf the website.

  4. After you have stopped the tcpdump, you will now need to SSH to the F5 and run the following command:

    grep Session-ID /var/log/ltm | sed 's/.*\(RSA.*\)/\1/' > /var/tmp/session.pms

  5. Now the session.pms file can be pulled from the F5 and put into Wireshark.

Previous Next