lost and found ( for me ? )

BIG-IP LTM VE : How to decrypt SSL traffic on LTM with ssldump


Here’s an explanation of how to decrypt SSL traffic with ssldump which has been installed on LTM devices.

Network topology
Client – vSW – LTM – vSW – Server*2


Client , LTM and two Servers are running on ESXi.
[root@ltm1:Active] ~ # b version | head -5
Kernel:
Linux 2.6.18-164.2.1.el5.1.0.f5app
Package:
BIG-IP Version 10.1.0 3341.1084
Final Edition


[ create Virtual Servers for HTTPS ]

Before creating a Virtual Server for HTTPS , create Nodes and Pools.

Here’s a Vitual Server for HTTPS

Choose “clientssl” , which has been install on LTM by default , as SSL Profile (Client)

bigip.conf
node 192.168.0.100 {
  monitor icmp
  screen s1-ipv4
}
node 192.168.0.101 {
  monitor icmp
  screen s2-ipv4
}

pool http-ipv4 {
  monitor all http
  members {
     192.168.0.100:http {}
     192.168.0.101:http {}
  }
}

virtual vs-https {
  pool http-ipv4
  destination 10.0.0.100:https
  ip protocol tcp
  persist cookie
  profiles {
     clientssl {
        clientside
     }
     http {}
     tcp {}
  }
}


[ access to the VIP from a client ]

confirm that you could access to the VIP.



[ ssldump on LTM ]
ssldump has been installed on LTM by default.

Please note that you could decrypt SSL traffic under the following conditions.
      ssldump  can  decrypt traffic between two hosts if the following
      two conditions are met:
             1. ssldump has the keys.
             2. Static RSA was used.


private key of “clientssl” profile is stored under /config/ssl/ssl.key directory.
[root@ltm1:Active] ~ # ssldump -k /config/ssl/ssl.key/default.key -i 1.1 port 443 -A -d   
New TCP connection #1: 10.0.0.10(42572) <-> 10.0.0.100(443)
1 1  0.0011 (0.0011)  C>SV3.1(89)  Handshake
     ClientHello
       Version 3.1
       random[32]=
         4f 26 54 e3 a8 e1 a4 d4 a0 8c c1 11 ad a2 fe cb
         c9 7f 3d ff 4b 58 65 6c 1c 28 c9 2c 4e 88 de 8c
       cipher suites
       Unknown value 0xff
       Unknown value 0x88
       Unknown value 0x87
       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
       TLS_DHE_DSS_WITH_AES_256_CBC_SHA
       Unknown value 0x84
       TLS_RSA_WITH_AES_256_CBC_SHA
       Unknown value 0x45
       Unknown value 0x44
       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
       TLS_DHE_DSS_WITH_AES_128_CBC_SHA
       Unknown value 0x96
       Unknown value 0x41
       TLS_RSA_WITH_RC4_128_MD5
       TLS_RSA_WITH_RC4_128_SHA
       TLS_RSA_WITH_AES_128_CBC_SHA
       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
       TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
       Unknown value 0xfeff
       TLS_RSA_WITH_3DES_EDE_CBC_SHA
       compression methods
                 NULL
1 2  0.0013 (0.0002)  S>CV3.1(48)  Handshake
     ServerHello
       Version 3.1
       random[32]=
         4f 26 54 e3 99 85 29 14 f9 26 a2 a2 0d 68 7f 6e
         ae 49 2d 4c d0 3b af d4 7d 67 ff 83 a1 77 a3 9e
       session_id[0]=

       cipherSuite         TLS_RSA_WITH_AES_256_CBC_SHA
       compressionMethod                   NULL
1 3  0.0013 (0.0000)  S>CV3.1(692)  Handshake
     Certificate
1 4  0.0013 (0.0000)  S>CV3.1(4)  Handshake
     ServerHelloDone
1 5  0.0375 (0.0362)  C>SV3.1(134)  Handshake
     ClientKeyExchange
       EncryptedPreMasterSecret[128]=
         15 b1 e0 a9 db 90 19 49 12 82 3b e4 60 cd bf eb
         5d 6a fe 05 67 05 19 1f 07 1b 8d 0d ce 9e d4 0d
         2d 90 92 1a c8 5e 5d 57 18 b0 03 53 ad 19 a8 a1
         17 33 e0 25 30 71 3d 30 7e 07 67 ba c3 f4 ee 36
         6e d8 8a 42 5d 34 cc d1 82 30 ed 5a dc 4c 3f df
         9a 9b ed 53 a6 2c 62 9b b8 0f 72 43 02 a8 1c 60
         e5 aa 69 4a c7 b1 74 28 93 cb 1d dd 65 58 00 41
         2a 75 fb 33 17 32 59 3f ca 35 52 54 aa 95 d3 a1
1 6  0.0375 (0.0000)  C>SV3.1(1)  ChangeCipherSpec
1 7  0.0375 (0.0000)  C>SV3.1(48)  Handshake
     Finished
       verify_data[12]=
         97 48 73 91 a0 ea 37 d4 74 c8 9c c4

1 8  0.0408 (0.0033)  S>CV3.1(170)  Handshake
1 9  0.0408 (0.0000)  S>CV3.1(1)  ChangeCipherSpec
1 10 0.0408 (0.0000)  S>CV3.1(48)  Handshake
     Finished
       verify_data[12]=
         8c 91 bd e5 93 c4 36 34 80 53 49 24

1 11 0.0419 (0.0011)  C>SV3.1(416)  application_data
   ---------------------------------------------------------------
   GET / HTTP/1.1
   Host: 10.0.0.100
   User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.24) Gecko/20111108 Red Hat/3.6.24-3.el6_1 Firefox/3.6.24
   Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
   Accept-Language: en-us,en;q=0.5
   Accept-Encoding: gzip,deflate
   Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
   Keep-Alive: 115
   Connection: keep-alive
   
   ---------------------------------------------------------------
1 12 0.0443 (0.0023)  S>CV3.1(352)  application_data
   ---------------------------------------------------------------
   HTTP/1.1 200 OK
   Date: Mon, 30 Jan 2012 08:29:23 GMT
   Server: Apache/2.2.15 (Scientific Linux)
   Last-Modified: Mon, 05 Sep 2011 05:55:49 GMT
   ETag: "443e5-6-4ac2b5ce8a846"
   Accept-Ranges: bytes
   Content-Length: 6
   Connection: close
   Content-Type: text/html; charset=UTF-8
   Set-Cookie: lbcookie=1694542016.20480.0000; path=/
   
   ---------------------------------------------------------------
1 13 0.0443 (0.0000)  S>CV3.1(32)  application_data
   ---------------------------------------------------------------
   SL6-3
   ---------------------------------------------------------------
1    0.0443 (0.0000)  S>C  TCP FIN
1 14 0.0454 (0.0010)  C>SV3.1(32)  Alert
   level           warning
   value           close_notify
1    0.0486 (0.0032)  C>S  TCP FIN
New TCP connection #2: 10.0.0.10(42573) <-> 10.0.0.100(443)
2 1  0.0011 (0.0011)  C>SV3.1(281)  Handshake
     ClientHello
       Version 3.1
       random[32]=
         4f 26 54 e4 7e 4a 05 b5 ea f1 20 6c 13 39 a8 bf
         91 b9 6f 4b 19 a9 d1 d4 26 ee d1 45 a6 1a 5a b7
       resume [32]=
         b0 f9 74 fb 02 41 00 40 e8 28 b5 85 b5 5f 0b c9
         ed 7d 2f 7d 6c d1 78 37 e4 08 6d bf ca 22 22 2f
       cipher suites
       Unknown value 0xff
       Unknown value 0x88
       Unknown value 0x87
       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
       TLS_DHE_DSS_WITH_AES_256_CBC_SHA
       Unknown value 0x84
       TLS_RSA_WITH_AES_256_CBC_SHA
       Unknown value 0x45
       Unknown value 0x44
       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
       TLS_DHE_DSS_WITH_AES_128_CBC_SHA
       Unknown value 0x96
       Unknown value 0x41
       TLS_RSA_WITH_RC4_128_MD5
       TLS_RSA_WITH_RC4_128_SHA
       TLS_RSA_WITH_AES_128_CBC_SHA
       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
       TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
       Unknown value 0xfeff
       TLS_RSA_WITH_3DES_EDE_CBC_SHA
       compression methods
                 NULL
2    28.1854 (28.1842)  C>S  TCP FIN
2    28.1854 (0.0000)  S>C  TCP FIN
New TCP connection #3: 10.0.0.10(42574) <-> 10.0.0.100(443)
3 1  0.0011 (0.0011)  C>SV3.1(281)  Handshake
     ClientHello
       Version 3.1
       random[32]=
         4f 26 54 ff c4 f5 10 80 9d 56 2d 64 66 e0 ff 29
         56 04 bf 1b 03 f6 5a 5e d0 25 c5 fc 1d 0b 69 d4
       resume [32]=
         b0 f9 74 fb 02 41 00 40 e8 28 b5 85 b5 5f 0b c9
         ed 7d 2f 7d 6c d1 78 37 e4 08 6d bf ca 22 22 2f
       cipher suites
       Unknown value 0xff
       Unknown value 0x88
       Unknown value 0x87
       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
       TLS_DHE_DSS_WITH_AES_256_CBC_SHA
       Unknown value 0x84
       TLS_RSA_WITH_AES_256_CBC_SHA
       Unknown value 0x45
       Unknown value 0x44
       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
       TLS_DHE_DSS_WITH_AES_128_CBC_SHA
       Unknown value 0x96
       Unknown value 0x41
       TLS_RSA_WITH_RC4_128_MD5
       TLS_RSA_WITH_RC4_128_SHA
       TLS_RSA_WITH_AES_128_CBC_SHA
       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
       TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
       Unknown value 0xfeff
       TLS_RSA_WITH_3DES_EDE_CBC_SHA
       compression methods
                 NULL
[root@ltm1:Active] ~ #

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.