Forum Discussion
I have now uploaded my script to generate the pms file out of the tcpdump file with sslprovider enabled. This script works for all TLS versions and decrypts clientside and serverside traffic.
I use this script in my daily job and I hope it could help other people also!
Thank you for sharing your script.
Sorry to bump this old thread.
For some reason only the client side traffic gets decrypted. Communication between LTM and nodes is still encrypted. I'm using the tcpdump command as mentioned in your GitHub.
Any idea?
- David_Larsen | Mar 04, 2024 | Employee
One thing to take into account is that if you have a OneConnect profile applied to the virtual server, the Serverside connections could have established SSL handshakes before you take the capture and not be able to be decrypted. You have to make sure all connections on the serverside and clientside are deleted before starting the capture, otherwise you may not be able to decrypt.
You should also use a filter that includes the ServerSide nodes specifically and not rely on the :nnnp to gather that data if you are looking to decrypt the serverside traffic.
- Ichnafi | Mar 04, 2024 | Cirrostratus
Hi,
Thank you for your input.
Sadly it does not work.
- did check if any tcp connection exists for this VS
- used a fresh browser
- no OneConnect profile
- no HTTP/2
- added node IPs to tcpdump filter
- one can see complete TCP and SSL handshake between LTM and node in the capture
The LTM still uses a rather old version (15.1), so maybe it's an issue there?
- David_Larsen | Mar 06, 2024 | Employee
That version should work.
- Is there a ServerSSL profile?
- Is there a HTTPS health monitor?
- Is the pool member IP used in any other pools?
There are a number of ways there could be an open connection to the server that already established the SSL handshake. I'm wondering if it is something we are not thinking of that could have it open already.