Troubleshooting PFS - BIG-IP Feature Request?

Question

Hello all!&nbsp;
Ever since I heard of PFS I started dreading the day I would need to troubleshoot a PFS flow.&nbsp;
I read some interesting suggestions of how to deal with it. One could make SSL bridging, where the client-side have PFS enabled and the server-side would not have PFS diisabled, sou you could tcpdump the internal traffic.&nbsp;
Another solution involves third party hardware and a lot of prep, which is not feasible if you're a little shop IMHO.&nbsp;
But my question is: Since BIG-IP is sitting right in the middle of the traffic (on flows it's terminating SSL/TLS and not proxying it), wouldn't it be "easy" to dump the traffic in clear text?&nbsp;
This "feature" would be so handy and since BIG-IP is full-proxy it makes sense to me it could do that...&nbsp;
Any thoughts?&nbsp;
Cheers! Rafael&nbsp;

dennisjann · Answer

You can capture the SSL session keys with an iRule while running tcpdump on the BIG-IP, and then use the Master Secret log file to view the decrypted tcpdump data in Wireshark.&nbsp;
K16700: Decrypting SSL traffic using the SSL::sessionsecret iRules command&nbsp;
The instructions in the KB article do work for decrypting PFS sessions.&nbsp;
If your HTTPS VIP is running on a non-standard port, you would need to go into Wireshark preferences and add the non-standard HTTPS port in Protocols &gt; HTTP &gt; SSL/TLS Ports.&nbsp;

Forum Discussion

Troubleshooting PFS - BIG-IP Feature Request?

1 Reply

Recent Discussions

Chrome V 124+ on MacOS - Virtual Server Access Issue

Port Group on F5OS network setting

Advise on setting up IRULE

F5 iRule to replace host to path

google-visualization-issues

Related Content

F5 CIS, TLS Extensions, and troubleshooting

Re: SYN Troubleshooting: Stats

DevCentral's Featured Member for April - Mihai Cziraki

DevCentral's Featured Member for December - Mohamed Kansoh

DevCentral's Featured Member for March - Thomas Dahlmann