Forum Discussion
SSL Certificate Test?
Hello All,
I'm working on LTM Viprion Version 11.3 and I'm wanting to SSL terminate from clients on the VIP.
I have created config for the VIP, pool, monitor and SSL profile. I have also generated the SSL CSR and got a CRT back from the CA. The SSL certificate has been imported using the GUI and I can see the CERT and KEY under the contents of the SSL Certificate List.
I can also see the CRT when I run "tmsh list /sys crypto cert".
So far so good... So the big question I need help on, please, is...
How can I tell the SSL is working and encrypting the comms from the client to the VIP?
I have run "tcpdump -nni -X -s0 host -w /var/tmp/SSL-CAP.dmp" and looked through the capture in Wireshark for the specific password using the filter tcp contains "PASSWORD", but nothing is displayed...
Is there any other way of double checking that the data is encrypted between the client and the VIP running SSL?
Any tips or tricks would be greatly appreciated as I'd rather be 100% sure. Thanks
38 Replies
- Cory_50405
Noctilucent
Your Wireshark capture should show a TCP handshake followed by a certificate exchange via client/server hellos. After that's done, you should see some SSL or TLS data in the capture. Do you see this? If so, then you know it's working.
- rstanback
Nimbostratus
You can use curl to test: curl -kv https://xx.xx.xx.xx That should connect and show you the certificate information.
- NickN01_135377
Nimbostratus
Thanks for reply....
I can't see any specific client/server Hellos... but if I run "ssldump -nni 0.0 host " I get the following...
ssldump -nni 0.0 host VIP
New TCP connection 1: CLIENT(4018) <-> VIP(7003)
1 1  0.0009 (0.0009)  C>S  Handshake
      ClientHello
        Version 3.1
        resume [32]=
          c6 f2 70 e5 b4 cf 31 3c 52 37 7c 24 62 01 a0 66
          96 1d c4 89 4e 76 c2 30 a4 f6 d2 9a 2c cf a5 98
        cipher suites
        TLS_RSA_WITH_RC4_128_MD5
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
        TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT_WITH_RC4_40_MD5
        TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_DES_CBC_SHA
        TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
        compression methods
                NULL
1 2  0.0018 (0.0009)  S>C  Handshake
      ServerHello
        Version 3.1
        session_id[32]=
          c6 f2 70 e5 b4 cf 31 3c 52 37 7c 24 62 01 a0 66
          96 1d c4 89 4e 76 c2 30 a4 f6 d2 9a 2c cf a5 98
        cipherSuite         TLS_RSA_WITH_RC4_128_SHA
        compressionMethod                   NULL
1 3  0.0018 (0.0000)  S>C  ChangeCipherSpec
1 4  0.0018 (0.0000)  S>C  Handshake
1 5  0.0027 (0.0009)  C>S  ChangeCipherSpec
1 6  0.0027 (0.0000)  C>S  Handshake
1 7  0.0062 (0.0034)  C>S  application_data
1    0.0066 (0.0003)  S>C  TCP RST
This kinda looks normal to me? Would you agree?
As for curl - sounds interesting, but I'm locked down for any new installs, so it looks like a new toy to discover on the home network :)
- Cory_50405
Noctilucent
Yep, looks like the SSL handshake is occurring successfully there.
- NickN01_135377
Nimbostratus
Apologies... reformatted for easier reading...
Thanks for the reply...
I can't see any specific client/server Hellos... but if I run "ssldump -nni 0.0 host " I get the following...
ssldump -nni 0.0 host VIP
New TCP connection
1 1  0.0009 (0.0009)  C>S  Handshake
      ClientHello
        Version 3.1
        resume [32]=
          c6 f2 70 e5 b4 cf 31 3c 52 37 7c 24 62 01 a0 66
          96 1d c4 89 4e 76 c2 30 a4 f6 d2 9a 2c cf a5 98
        cipher suites
        TLS_RSA_WITH_RC4_128_MD5
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
        TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT_WITH_RC4_40_MD5
        TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_DES_CBC_SHA
        TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
        compression methods
                NULL
1 2  0.0018 (0.0009)  S>C  Handshake
      ServerHello
        Version 3.1
        session_id[32]=
          c6 f2 70 e5 b4 cf 31 3c 52 37 7c 24 62 01 a0 66
          96 1d c4 89 4e 76 c2 30 a4 f6 d2 9a 2c cf a5 98
        cipherSuite         TLS_RSA_WITH_RC4_128_SHA
        compressionMethod                   NULL
1 3  0.0018 (0.0000)  S>C  ChangeCipherSpec
1 4  0.0018 (0.0000)  S>C  Handshake
1 5  0.0027 (0.0009)  C>S  ChangeCipherSpec
1 6  0.0027 (0.0000)  C>S  Handshake
1 7  0.0062 (0.0034)  C>S  application_data
1    0.0066 (0.0003)  S>C  TCP RST
This kinda looks normal to me? Would you agree?
As for curl - sounds interesting, but I'm locked down for any new installs, so it looks like a new toy to discover on the home network 🙂
- Domai
Altostratus
Yes this looks good...
- NickN01_135377
Nimbostratus
That's great...
Just to confirm please: when using the SSL functions and looking at the Wireshark output, I can see the "VIP" name being listed in plain text as well as the "GET" commands. Is this normal, or should this be encrypted too?
I would have assumed the entire page would be encrypted, or is it just certain fields such as "username" and "password" that are encrypted??
- Cory_50405
Noctilucent
You shouldn't be able to see any of the HTTP information (host, GET string) unless you are viewing a capture that has the SSL stripped off. Were you viewing a decrypted version of the capture using ssldump? A standard tcpdump should show encrypted packets.
- NickN01_135377
Nimbostratus
Thanks all for your help, I always enjoy the learning curve on this site.
In answer to the above: yes, I was just running a standard tcpdump off the front interface of the Viprion guest.
The HTTPS info is encrypted apart from the VIP name "/Common/" in the standard tcpdump, which shows up in Wireshark, and also the certificate info sent to the browser, e.g. OU, Issuer...
I'm guessing this is normal behaviour for LTM Viprion to not encrypt the VIP name then? All else is scrambled as expected.
- Cory_50405
Noctilucent
The name of the virtual server being shown in the capture is probably a mechanism of the tcpdump you were running and doesn't necessarily mean the layer 7 information (HTTP in this case) in the communications is exposed.
As long as you see no HTTP type packets in the tcpdump, all either TCP or SSL/TLS, then you've got encryption on what matters.
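The two checks described in this thread (a ClientHello/ServerHello exchange followed by application data, and no HTTP-type packets in the tcpdump) can be applied to TCP payloads mechanically. The script below is an added example, not code from the thread or from F5; it classifies each payload by its TLS record header the way ssldump labels them, flags anything that looks like cleartext HTTP, and runs over hand-constructed sample segments (no real capture or host is involved).

```python
# Added example: audit TCP payloads from a capture of an SSL-terminated VIP.
# Sample payloads below are constructed by hand, not taken from a real capture.
from collections import Counter

TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "application_data"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 16: "ClientKeyExchange"}
HTTP_PREFIXES = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"HTTP/1.")


def classify(payload: bytes) -> str:
    """Label one TCP segment payload (either direction) like ssldump would."""
    if payload.startswith(HTTP_PREFIXES):
        return "HTTP cleartext"           # layer 7 visible: SSL is NOT in front of this
    # TLS record header = content type (1 byte) + version (2) + length (2).
    if len(payload) >= 5 and payload[0] in TLS_CONTENT and payload[1] == 3 and payload[2] <= 4:
        label = TLS_CONTENT[payload[0]]
        if payload[0] == 22 and len(payload) >= 6:
            # Handshake body starts with the message type. After ChangeCipherSpec the
            # Finished message is encrypted, so the byte is opaque and we print only
            # "Handshake", exactly as ssldump does for records 4 and 6 in the thread.
            label += " " + HANDSHAKE.get(payload[5], "")
        return label.strip()
    return "other"


def audit(payloads):
    """Summarise a capture: were the TLS stages seen, and did any cleartext HTTP appear?"""
    counts = Counter(classify(p) for p in payloads)
    return {
        "handshake_seen": any(k.startswith("Handshake") for k in counts),
        "app_data_seen": counts["application_data"] > 0,
        "cleartext_http": counts["HTTP cleartext"],
        "counts": dict(counts),
    }


# Constructed records: version 0x0301 is TLS 1.0, shown as "Version 3.1" by ssldump.
CLIENT_HELLO = bytes([22, 3, 1, 0, 4, 1, 0, 0, 0])
SERVER_HELLO = bytes([22, 3, 1, 0, 4, 2, 0, 0, 0])
CCS = bytes([20, 3, 1, 0, 1, 1])
FINISHED = bytes([22, 3, 1, 0, 3]) + b"\x9a\x11\x7f"              # encrypted, opaque
APP_DATA = bytes([23, 3, 1, 0, 8]) + b"\xde\xad\xbe\xef\x01\x02\x03\x04"
GOOD_CAPTURE = [CLIENT_HELLO, SERVER_HELLO, CCS, FINISHED, CCS, FINISHED, APP_DATA]
# Same flow plus one segment that bypassed the SSL profile (what the thread warns about).
LEAKY_CAPTURE = GOOD_CAPTURE + [b"GET /index.html HTTP/1.1\r\nHost: vip.example\r\n\r\n"]

if __name__ == "__main__":
    for name, cap in (("good", GOOD_CAPTURE), ("leaky", LEAKY_CAPTURE)):
        print(name, audit(cap))
```

To run this against a real tcpdump file you would feed it the TCP payloads from each packet (for example via a pcap reader); the decision logic is the same.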