
Decrypt HTTPS Traffic Using iRule

3-Jul-2020 | ADC, F5, LTM

Applies to

  • BIG-IP LTM
    Focus on versions 15.X and 14.X
    Less focus on earlier versions

*Note: the curly single (‘ ’) and double (“ ”) quote characters on this page are typographic; replace them with straight quotes before copy-pasting any command, or the syntax will not work.

Decrypt HTTPS Traffic Using iRule

(1) Creating PMS (Pre-Master Secret) key log file

You can use the SSL::sessionsecret iRules command to extract the SSL session key from SSL sessions that are terminated by the Traffic Management Microkernel (TMM).

  • This method allows you to decrypt an SSL session and review the application data using the Wireshark application without having access to the server’s private key.
  • This procedure functions on both client-side and server-side and works with Diffie-Hellman (DH) and Elliptic Curve Diffie-Hellman (ECDH) key exchange algorithms as well as RSA.
  • This procedure works whether the SSL session cache is enabled (non-zero cache size) or disabled (cache size of zero).
    • As described in RFC 5246, when SSL session caching is disabled the server returns an empty Session ID.
    • For that reason the client random, rather than the session ID, is used to correlate the logged session secrets with the captured sessions for decryption.


(1.1) Create PMS key using iRule

iRule “irule_decrypt_ssl”

1.1.1 iRule
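The iRule body itself is not reproduced on this page. Below is an added example of an iRule that writes the lines the grep command in 1.1.2 collects; it is not the author's irule_decrypt_ssl, and it assumes it is attached to the virtual server 192.168.201.100:443 with a client SSL profile (and a server SSL profile for the server-side leg). SSL::clientrandom and SSL::sessionsecret are iRule commands; the log line uses the CLIENT_RANDOM key log format that Wireshark reads.

```tcl
# Added example iRule (not the page's irule_decrypt_ssl): log the TLS client random and
# master secret of each handshake in NSS key-log format ("CLIENT_RANDOM <random> <secret>")
# so that grep -h -o 'CLIENT_RANDOM.*' /var/log/ltm* yields a Wireshark-readable .pms file.
# Assumption: attached to virtual server 192.168.201.100:443 with a client SSL profile
# (and, for the server-side leg, a server SSL profile).

# Client-side handshake: secret for the connection between the browser and the BIG-IP.
when CLIENTSSL_HANDSHAKE {
    # Keying the line on the client random (not the session ID) lets Wireshark match
    # the secret even when the session cache is disabled and the Session ID is empty.
    log local0. "CLIENT_RANDOM [SSL::clientrandom] [SSL::sessionsecret]"
}

# Server-side handshake: secret for the re-encrypted connection to the pool member.
when SERVERSSL_HANDSHAKE {
    log local0. "CLIENT_RANDOM [SSL::clientrandom] [SSL::sessionsecret]"
}
```

Detach the iRule and delete the .pms file once the capture is complete: every secret logged while it is attached decrypts every session captured in that window.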


1.1.2 TCPdump

  • tcpdump -vnni 0.0:nnnp -s0 -w /var/tmp/decrypt_https_ssl-nocache.pcap host 192.168.201.100 and tcp port 443
    • Filter: Virtual Server 192.168.201.100:443
    • Access https://www.xyz.com/
    • Stop TCPdump (ctrl+c)
  • grep -h -o 'CLIENT_RANDOM.*' /var/log/ltm* > /var/tmp/decrypt_https_ssl-nocache.pms

(2) Examining the decrypted application data using the (symmetric) PMS key

To decrypt and display application data, the ssldump utility will need:

  • The PMS key log file
  • The captured SSL traffic in a pcap file; the capture must include the SSL handshake packets


(2.1) Decryption using Wireshark

  • Open “decrypt_https_ssl-cache.pcap”
  • Wireshark -> Preferences -> Protocols -> TLS -> (Pre)-Master-Secret log filename
    • filename: decrypt_https_ssl-cache.pms
  • Review the current BIG-IP configuration
    • SSL Profiles (Figure 1)
    • iRule (Figure 2)
  • Capture traffic using TCPdump (Figure 3)
  • Create the PMS log file from the LTM log (Figure 4)
  • Decrypt the HTTPS traffic using Wireshark
    • Cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Figure 5)
    • Wireshark preferences (Figure 6)
    • Decrypted application data (Figure 7)
