smp_86112 (Cirrostratus)
Jul 01, 2010
SSL Decryption with Wireshark - Cached Certificate?
I know it is possible to decrypt an HTTPS conversation between a client and a virtual server with Wireshark - I've done it before by specifying a couple of parameters in the SSL protocol preferences (Edit -> Preferences -> Protocols -> SSL). In the "RSA Keys List:", specify the following parameters separated by commas:
* VIP IP
* VIP HTTPS port number (typically 443)
* protocol (typically "http")
* SSL private key on local filesystem (from /config/ssl/ssl.key on LTM)
I've always had hit-and-miss success (more misses than hits) decrypting HTTPS in this manner. More recently, I've had no success at all. I viewed a Wireshark video on SSL and looked closely at the SSL debug log in Wireshark, and both seem to point to the fact that I haven't captured the "full" SSL key transfer:
"ssl_generate_keyring_material not enough data to generate key"
I'm not entirely sure about this, but my understanding was that an LTM can cache the SSL certificate? That might explain why I can't seem to capture the entire key transfer. And if that's the case, is there a property in the SSL client profile I can adjust to force the LTM to always perform a full certificate transfer?
Maybe someone could clarify if I'm off-base?
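Wireshark's "RSA keys list" decryption (the `ip,port,protocol,keyfile` entries the post describes) recovers the session keys only when two things hold: the capture contains the full handshake, including the ClientKeyExchange that carries the RSA-encrypted premaster secret, and the negotiated cipher suite actually uses RSA key exchange. A resumed session (client and server agree on a cached session ID and skip straight to ChangeCipherSpec) has no ClientKeyExchange, and a DHE/ECDHE suite cannot be decrypted with the server's private key at all; either case leaves the dissector with no premaster secret, which is what the "not enough data to generate key" debug message reflects. The following triage script is an added example, not code from the original post, F5 or Wireshark: it parses raw TLS records and reports which of those conditions a given handshake fails. The three handshakes it checks are constructed byte strings, not real captures, and the cipher suite tables are deliberately short.

```python
"""Triage a captured TLS handshake for Wireshark RSA-key decryption.
Added illustration; sample handshakes are constructed, not real captures."""
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC = 22, 20
HS_NAMES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
            12: "ServerKeyExchange", 14: "ServerHelloDone", 16: "ClientKeyExchange"}
# Suites whose premaster secret is RSA-encrypted to the server key (decryptable).
RSA_KX_SUITES = {0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
                 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA"}
# Forward-secret suites: the server private key cannot recover the session key.
FS_SUITES = {0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
             0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"}


def parse_records(data):
    """Split a byte stream into (content_type, payload) TLS records."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, _ver, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated TLS record at offset %d" % off)
        records.append((ctype, body))
        off += 5 + length
    return records


def parse_handshakes(payload):
    """Yield (msg_type, body) for each handshake message in a record payload."""
    off = 0
    while off + 4 <= len(payload):
        mtype = payload[off]
        length = int.from_bytes(payload[off + 1:off + 4], "big")
        yield mtype, payload[off + 4:off + 4 + length]
        off += 4 + length


def hello_session_and_suite(body, is_server):
    """Return (session_id, cipher_suite) from a Hello body; version(2)+random(32)
    precede the session ID. For ClientHello the first offered suite is returned."""
    sid_len = body[34]
    sid, off = body[35:35 + sid_len], 35 + sid_len
    if is_server:
        return sid, struct.unpack("!H", body[off:off + 2])[0]
    return sid, struct.unpack("!H", body[off + 2:off + 4])[0]  # skip 2-byte list length


def triage(data):
    """Return (decryptable, reason) for a captured handshake byte stream."""
    seen, client_sid, server_sid, suite = [], b"", b"", None
    for ctype, body in parse_records(data):
        if ctype != HANDSHAKE:
            continue
        for mtype, hs in parse_handshakes(body):
            seen.append(HS_NAMES.get(mtype, "type%d" % mtype))
            if mtype == 1:
                client_sid, _ = hello_session_and_suite(hs, False)
            elif mtype == 2:
                server_sid, suite = hello_session_and_suite(hs, True)
    resumed = bool(client_sid) and client_sid == server_sid
    if suite in FS_SUITES:
        return False, "%s negotiated: forward secrecy, server key cannot decrypt" % FS_SUITES[suite]
    if resumed or "ClientKeyExchange" not in seen:
        return False, "no ClientKeyExchange in capture (session resumed): keyring material incomplete"
    if suite in RSA_KX_SUITES:
        return True, "%s with full handshake: decryptable with server RSA key" % RSA_KX_SUITES[suite]
    return False, "unrecognised cipher suite 0x%04x" % (suite or 0)


# --- builders for the constructed sample handshakes (TLS 1.0 framing) ---
def record(ctype, payload):
    return struct.pack("!BHH", ctype, 0x0301, len(payload)) + payload

def hs_msg(mtype, body):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

def client_hello(sid, suites):
    return hs_msg(1, b"\x03\x01" + bytes(32) + bytes([len(sid)]) + sid
                  + struct.pack("!H", 2 * len(suites))
                  + b"".join(struct.pack("!H", s) for s in suites) + b"\x01\x00")

def server_hello(sid, suite):
    return hs_msg(2, b"\x03\x01" + bytes(32) + bytes([len(sid)]) + sid
                  + struct.pack("!H", suite) + b"\x00")

FULL_RSA = (record(HANDSHAKE, client_hello(b"", [0x002F, 0x0035]))
            + record(HANDSHAKE, server_hello(b"\xaa" * 32, 0x002F)
                     + hs_msg(11, b"\x00\x00\x00") + hs_msg(14, b""))
            + record(HANDSHAKE, hs_msg(16, b"\x01\x00" + bytes(256)))   # dummy premaster
            + record(CHANGE_CIPHER_SPEC, b"\x01"))
RESUMED = (record(HANDSHAKE, client_hello(b"\xaa" * 32, [0x002F]))      # cached session ID
           + record(HANDSHAKE, server_hello(b"\xaa" * 32, 0x002F))       # server accepts it
           + record(CHANGE_CIPHER_SPEC, b"\x01"))                        # no ClientKeyExchange
ECDHE = (record(HANDSHAKE, client_hello(b"", [0xC013, 0x002F]))
         + record(HANDSHAKE, server_hello(b"\xbb" * 32, 0xC013) + hs_msg(11, b"\x00\x00\x00")
                  + hs_msg(12, b"\x03\x00\x17\x00") + hs_msg(14, b""))
         + record(HANDSHAKE, hs_msg(16, b"\x00"))
         + record(CHANGE_CIPHER_SPEC, b"\x01"))

if __name__ == "__main__":
    for name, hs in (("full RSA", FULL_RSA), ("resumed", RESUMED), ("ECDHE", ECDHE)):
        ok, why = triage(hs)
        print("%-9s decryptable=%s: %s" % (name, ok, why))
```

Run against a real capture, the same logic applies to the handshake records of the first TCP stream: a ServerHello that echoes the ClientHello's session ID with no ClientKeyExchange following means the capture started after the session was cached, so the fix on the capture side is to start Wireshark before the first connection (or from a fresh browser) so that the full handshake is recorded.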