bdavis
Feb 23, 2016

SSLDUMP and Internal HSM

Is it possible to capture SSL traffic, specifically HTTPS content, that is encrypted with a private key that is stored on an internal HSM module (FIPS)? If it is possible, is it also possible to generate the pre-master secret for that specific traffic to be decrypted in Wireshark?

 

Any help would be appreciated. Thanks...

 

1 Reply

  • There are actually two answers to this question.

    The first is a direct "no" to the specifics of the question. You don't have access to the private keys in the HSM, therefore you cannot perform (non-ephemeral) decryption of SSL traffic with ssldump at the command line.

    The second thing is that you don't actually need to do this anyway. Understand that knowledge of the private key allows ssldump to perform an SSL man-in-the-middle "attack" against an RSA, non-ephemeral handshake. Since the client and server share public parameters in the clear, and the pre-master secret is encrypted with the server's public key, access to the server's private key gives ssldump access to all of the information it needs to derive the same master secret (which is then used to derive all of the symmetric crypto for the actual data exchange). If you can get the pre-master secret another way then you don't need the server's private key.

    The first option relies on a little trick that Wireshark provides using system environment variables:

    Windows Environment Variable: SSLKEYLOGFILE = c:\users\bob\sslkeylog.pms
    
    MAC OSX:
    export SSLKEYLOGFILE=/Users/bob/sslkeylogs/sslkeylog.pms
    open -a firefox
    wireshark
    

    This system environment variable creates a running log of the pre-master secret data in the specified file. You need only open Wireshark, import this file under the PMS options in the SSL preferences, and then navigate to an SSL site. Note that decryption can only happen on one of the peer systems, and in this case on the client system. You can do similar with tshark on the BIG-IP, but I won't get into that here. Wireshark is smart enough to actually search this file and match each SSL session with the correct PMS data in the log so you can get real-time SSL decryption in Wireshark.

    Reference:

    https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/

    The second option is something I won't take credit for, but is very interesting nonetheless. It allows you to capture PMS data and export it to Wireshark after the fact.

    1. On the BIG-IP, add an iRule to the SSL virtual server (I believe this works on 11.4 and higher):

      when CLIENTSSL_HANDSHAKE {    
          log local0. "RSA Session-ID:[SSL::sessionid] Master-Key:[SSL::sessionsecret]"
      }
      
    2. At the same time, start a tcpdump and enable snaplen 0

      tcpdump -lnni 0.0 -Xs0 -w some_file.pcap
      
    3. Grep the resulting log to accumulate all of the PMS data:

      grep Session-ID /var/log/ltm | sed 's/.*\(RSA.*\)/\1/' > session.pms
      
    4. Open Wireshark, import the session.pms file into the PMS section of the SSL settings, and then open the tcpdump cap file. Again, Wireshark should be smart enough to match PMS data to the SSL session information in the pcap. Of course this option doesn't always work, but when it does it's pretty cool. 😉
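
A stricter take on step 3 of the reply above, as an added example that is not part of the original post and is not F5 or Wireshark code: it keeps only well-formed `RSA Session-ID:… Master-Key:…` entries, drops duplicates, and creates the output file owner-only because it holds session master secrets. The function names, the syslog prefix and the sample log lines are constructed for illustration.

```shell
# extract_keylog LOGFILE OUTFILE  (added example, hypothetical helper name)
# Keeps well-formed "RSA Session-ID:<hex> Master-Key:<hex>" entries only:
# session ID 1-32 bytes, master secret exactly 48 bytes (96 hex digits).
# Writes unique entries to OUTFILE and prints "<kept> <rejected>".
extract_keylog() {
    log=$1 out=$2
    # The output holds session master secrets, so create it owner-only.
    rm -f "$out"; ( umask 077; : > "$out" ) || return 1
    awk -v out="$out" '
        match($0, /RSA Session-ID:.*/) {
            # Strip the syslog prefix, as the sed expression in step 3 does.
            entry = substr($0, RSTART); sub(/[ \t\r]+$/, "", entry)
            n = split(entry, f, " ")
            sid = substr(f[2], 12); mk = substr(f[3], 12)
            ok = (n == 3 && f[3] ~ /^Master-Key:/ &&
                  sid ~ /^[0-9A-Fa-f]+$/ && length(sid) % 2 == 0 &&
                  length(sid) <= 64 &&
                  mk ~ /^[0-9A-Fa-f]+$/ && length(mk) == 96)
            if (!ok) { rejected++; next }   # truncated line or empty session ID
            if (!seen[entry]++) { print entry > out; kept++ }
        }
        END { print kept + 0, rejected + 0 }
    ' "$log"
}

# Constructed sample of /var/log/ltm content (not taken from a real system):
# two valid entries, one duplicate, one truncated secret, one empty session ID.
write_sample_log() {
    sid=$(printf '%064d' 7)     # 32-byte session ID as hex
    mk1=$(printf '%096d' 1)     # 48-byte master secret as hex
    mk2=$(printf '%096d' 2)
    pfx='Feb 23 10:00:01 bigip1 info tmm[1234]: Rule /Common/keylog <CLIENTSSL_HANDSHAKE>:'
    {
        echo "$pfx RSA Session-ID:$sid Master-Key:$mk1"
        echo "$pfx RSA Session-ID:$sid Master-Key:$mk1"
        echo "$pfx RSA Session-ID:ab12 Master-Key:$mk2"
        echo "$pfx RSA Session-ID:ab12 Master-Key:${mk2%??}"
        echo "$pfx RSA Session-ID: Master-Key:$mk2"
        echo "Feb 23 10:00:02 bigip1 notice mcpd[99]: unrelated message"
    } > "$1"
}

# Demo run: prints "2 2" (two entries kept, two rejected).
tmp=$(mktemp -d) && write_sample_log "$tmp/ltm" &&
    extract_keylog "$tmp/ltm" "$tmp/session.pms"
rm -rf "$tmp"
```

A non-zero rejected count points at log lines that were cut short or carried no session ID, which Wireshark could not have matched to a handshake in the capture anyway.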