This post explains how to decrypt SSL traffic with ssldump, which is installed on LTM devices by default.
Network topology
Client – vSW – LTM – vSW – Server*2
|
The client, the LTM and the two servers are running on ESXi.
[root@ltm1:Active] ~ # b version | head -5
Kernel:
Linux 2.6.18-164.2.1.el5.1.0.f5app
Package:
BIG-IP Version 10.1.0 3341.1084
Final Edition
|
[ create Virtual Servers for HTTPS ]
Before creating a Virtual Server for HTTPS, create the Nodes and Pools.
Here’s a Virtual Server for HTTPS.
Choose “clientssl”, which is installed on LTM by default, as the SSL Profile (Client).
bigip.conf
node 192.168.0.100 {
monitor icmp
screen s1-ipv4
}
node 192.168.0.101 {
monitor icmp
screen s2-ipv4
}
pool http-ipv4 {
monitor all http
members {
192.168.0.100:http {}
192.168.0.101:http {}
}
}
virtual vs-https {
pool http-ipv4
destination 10.0.0.100:https
ip protocol tcp
persist cookie
profiles {
clientssl {
clientside
}
http {}
tcp {}
}
}
|
[ access to the VIP from a client ]
Confirm that you can access the VIP from the client.
[ ssldump on LTM ]
ssldump has been installed on LTM by default.
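Note that ssldump can decrypt SSL traffic only under the following conditions.
ssldump can decrypt traffic between two hosts if the following
two conditions are met: 1. ssldump has the keys. 2. Static RSA was used.
In the capture below, the ServerHello selects TLS_RSA_WITH_AES_256_CBC_SHA, a static RSA suite, so the second condition is met; had one of the offered DHE suites been negotiated, the private key alone would not be enough to decrypt the session.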
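The private key of the “clientssl” profile is stored under the /config/ssl/ssl.key directory and is passed to ssldump with -k. In the command below, -i selects the capture interface (here 1.1), -A prints all record fields, and -d displays the decrypted application data. Because this key decrypts any recorded static-RSA session to the virtual server, treat both the key file and the ssldump output (which contains cleartext requests, responses and cookies) as sensitive.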
[root@ltm1:Active] ~ # ssldump -k /config/ssl/ssl.key/default.key -i 1.1 port 443 -A -d
New TCP connection #1: 10.0.0.10(42572) <-> 10.0.0.100(443)
1 1 0.0011 (0.0011) C>SV3.1(89) Handshake
ClientHello
Version 3.1
random[32]=
4f 26 54 e3 a8 e1 a4 d4 a0 8c c1 11 ad a2 fe cb
c9 7f 3d ff 4b 58 65 6c 1c 28 c9 2c 4e 88 de 8c
cipher suites
Unknown value 0xff
Unknown value 0x88
Unknown value 0x87
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Unknown value 0x84
TLS_RSA_WITH_AES_256_CBC_SHA
Unknown value 0x45
Unknown value 0x44
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
Unknown value 0x96
Unknown value 0x41
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Unknown value 0xfeff
TLS_RSA_WITH_3DES_EDE_CBC_SHA
compression methods
NULL
1 2 0.0013 (0.0002) S>CV3.1(48) Handshake
ServerHello
Version 3.1
random[32]=
4f 26 54 e3 99 85 29 14 f9 26 a2 a2 0d 68 7f 6e
ae 49 2d 4c d0 3b af d4 7d 67 ff 83 a1 77 a3 9e
session_id[0]=
cipherSuite TLS_RSA_WITH_AES_256_CBC_SHA
compressionMethod NULL
1 3 0.0013 (0.0000) S>CV3.1(692) Handshake
Certificate
1 4 0.0013 (0.0000) S>CV3.1(4) Handshake
ServerHelloDone
1 5 0.0375 (0.0362) C>SV3.1(134) Handshake
ClientKeyExchange
EncryptedPreMasterSecret[128]=
15 b1 e0 a9 db 90 19 49 12 82 3b e4 60 cd bf eb
5d 6a fe 05 67 05 19 1f 07 1b 8d 0d ce 9e d4 0d
2d 90 92 1a c8 5e 5d 57 18 b0 03 53 ad 19 a8 a1
17 33 e0 25 30 71 3d 30 7e 07 67 ba c3 f4 ee 36
6e d8 8a 42 5d 34 cc d1 82 30 ed 5a dc 4c 3f df
9a 9b ed 53 a6 2c 62 9b b8 0f 72 43 02 a8 1c 60
e5 aa 69 4a c7 b1 74 28 93 cb 1d dd 65 58 00 41
2a 75 fb 33 17 32 59 3f ca 35 52 54 aa 95 d3 a1
1 6 0.0375 (0.0000) C>SV3.1(1) ChangeCipherSpec
1 7 0.0375 (0.0000) C>SV3.1(48) Handshake
Finished
verify_data[12]=
97 48 73 91 a0 ea 37 d4 74 c8 9c c4
1 8 0.0408 (0.0033) S>CV3.1(170) Handshake
1 9 0.0408 (0.0000) S>CV3.1(1) ChangeCipherSpec
1 10 0.0408 (0.0000) S>CV3.1(48) Handshake
Finished
verify_data[12]=
8c 91 bd e5 93 c4 36 34 80 53 49 24
1 11 0.0419 (0.0011) C>SV3.1(416) application_data
---------------------------------------------------------------
GET / HTTP/1.1
Host: 10.0.0.100
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.24) Gecko/20111108 Red Hat/3.6.24-3.el6_1 Firefox/3.6.24
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
---------------------------------------------------------------
1 12 0.0443 (0.0023) S>CV3.1(352) application_data
---------------------------------------------------------------
HTTP/1.1 200 OK
Date: Mon, 30 Jan 2012 08:29:23 GMT
Server: Apache/2.2.15 (Scientific Linux)
Last-Modified: Mon, 05 Sep 2011 05:55:49 GMT
ETag: "443e5-6-4ac2b5ce8a846"
Accept-Ranges: bytes
Content-Length: 6
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: lbcookie=1694542016.20480.0000; path=/
---------------------------------------------------------------
1 13 0.0443 (0.0000) S>CV3.1(32) application_data
---------------------------------------------------------------
SL6-3
---------------------------------------------------------------
1 0.0443 (0.0000) S>C TCP FIN
1 14 0.0454 (0.0010) C>SV3.1(32) Alert
level warning
value close_notify
1 0.0486 (0.0032) C>S TCP FIN
New TCP connection #2: 10.0.0.10(42573) <-> 10.0.0.100(443)
2 1 0.0011 (0.0011) C>SV3.1(281) Handshake
ClientHello
Version 3.1
random[32]=
4f 26 54 e4 7e 4a 05 b5 ea f1 20 6c 13 39 a8 bf
91 b9 6f 4b 19 a9 d1 d4 26 ee d1 45 a6 1a 5a b7
resume [32]=
b0 f9 74 fb 02 41 00 40 e8 28 b5 85 b5 5f 0b c9
ed 7d 2f 7d 6c d1 78 37 e4 08 6d bf ca 22 22 2f
cipher suites
Unknown value 0xff
Unknown value 0x88
Unknown value 0x87
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Unknown value 0x84
TLS_RSA_WITH_AES_256_CBC_SHA
Unknown value 0x45
Unknown value 0x44
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
Unknown value 0x96
Unknown value 0x41
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Unknown value 0xfeff
TLS_RSA_WITH_3DES_EDE_CBC_SHA
compression methods
NULL
2 28.1854 (28.1842) C>S TCP FIN
2 28.1854 (0.0000) S>C TCP FIN
New TCP connection #3: 10.0.0.10(42574) <-> 10.0.0.100(443)
3 1 0.0011 (0.0011) C>SV3.1(281) Handshake
ClientHello
Version 3.1
random[32]=
4f 26 54 ff c4 f5 10 80 9d 56 2d 64 66 e0 ff 29
56 04 bf 1b 03 f6 5a 5e d0 25 c5 fc 1d 0b 69 d4
resume [32]=
b0 f9 74 fb 02 41 00 40 e8 28 b5 85 b5 5f 0b c9
ed 7d 2f 7d 6c d1 78 37 e4 08 6d bf ca 22 22 2f
cipher suites
Unknown value 0xff
Unknown value 0x88
Unknown value 0x87
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Unknown value 0x84
TLS_RSA_WITH_AES_256_CBC_SHA
Unknown value 0x45
Unknown value 0x44
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
Unknown value 0x96
Unknown value 0x41
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Unknown value 0xfeff
TLS_RSA_WITH_3DES_EDE_CBC_SHA
compression methods
NULL
[root@ltm1:Active] ~ #
|