To capture SSL traffic on a virtual server and decrypt it, we can use the iRule below.
First create the iRule and save it, for example as SSL_Decrypt_iRule:
when CLIENTSSL_HANDSHAKE {
    # Client-side handshake finished: log the session ID and master secret
    log local0. "Client Side [IP::client_addr][TCP::client_port] :: RSA Session-ID:[SSL::sessionid] Master-Key:[SSL::sessionsecret]"
}
when SERVERSSL_HANDSHAKE {
    # Server-side handshake finished: log the session ID and master secret
    log local0. "Server Side [IP::client_addr][TCP::client_port] :: RSA Session-ID:[SSL::sessionid] Master-Key:[SSL::sessionsecret]"
}
Attach this to the VIP for the duration of the test. Don't forget to remove it afterwards, or else it will keep logging the session IDs and master keys to the log file.
After the TCP capture is completed, run the command below from the CLI to extract the session keys into the pms file:
sed -e 's/^.*\(RSA Session-ID\)/\1/;tx;d;:x' /var/log/ltm > /var/tmp/problem.pms
Now open the pcap and use the pms file to decrypt the requests.
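A stricter variant of the extraction step, as an added example that is not part of the original post: it keeps only entries with a non-empty session ID and a full 48-byte master secret, drops duplicates, and writes the key file readable by its owner only. The function names and the syslog prefix in the sample lines are constructed for illustration.

```shell
# Added example (not from the original post); function names are hypothetical.

# Read LTM log text on stdin, print validated key-log entries on stdout.
extract_pms() {
    # Require a non-empty hex session ID and exactly 96 hex characters
    # (a 48-byte TLS master secret) at the end of the line; de-duplicate.
    grep -oE 'RSA Session-ID:[0-9A-Fa-f]+ Master-Key:[0-9A-Fa-f]{96}$' | sort -u
}

# $1 = log file to read, $2 = key file to write (paths chosen by the caller).
write_pms() {
    # The output holds session secrets, so create it with mode 0600.
    ( umask 077; extract_pms < "$1" > "$2" )
}

# Constructed sample input; the syslog prefix is illustrative only.
sample_log() {
    k16=0123456789abcdef
    key="$k16$k16$k16$k16$k16$k16"   # 96 hex characters
    pre='Jan  1 00:00:00 bigip info tmm[1234]: Rule /Common/SSL_Decrypt_iRule :'
    printf '%s\n' \
        "$pre Client Side 192.0.2.1050000 :: RSA Session-ID:aa11bb22 Master-Key:$key" \
        "$pre Client Side 192.0.2.1050000 :: RSA Session-ID:aa11bb22 Master-Key:$key" \
        "$pre Client Side 192.0.2.1150001 :: RSA Session-ID: Master-Key:$key" \
        "$pre Server Side 192.0.2.1050000 :: RSA Session-ID:cc33dd44 Master-Key:$key" \
        "$pre Server Side 192.0.2.1250002 :: RSA Session-ID:ee55ff66 Master-Key:${key%??}" \
        "Jan  1 00:00:01 bigip notice mcpd[99]: unrelated message"
}

# Demo: the duplicate, the empty session ID and the truncated key are dropped.
sample_log | extract_pms
```

On the device this would be called as write_pms /var/log/ltm /var/tmp/problem.pms; delete the pms file once the analysis is finished.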