MORE REVERSE PROXY SSL PCAP DECODING HAPPY FUN TIMES

Approach A: just decrypt to a text file on the proxy

I did:
ssldump -Aed -nr my_ssl_vip_encrypted.pcap -k /config/filestore/files_d/Common_d/certificate_key_d/\:Common\:key_wrong_common_name_should_fail.key_296251_1

result:
---snip---

9c f4 a4 30 0b 75 22 d4 66 3b 6a 33 1d 5d e2 a0 ...0.u".f;j3.]..
36 b3 59 05 b5 d9 8e 1a d4 86 68 c0 e9 e9 69 97 6.Y.......h...i.
38 a8 39 3d 3d ed 4e 61 16 6a 54 01 35 21 be 8d 8.9==.Na.jT.5!..
90 ed 08 08 d9 8e 70 76 76 76 ef 62 b3 0a 08 ff ......pvvv.b....
0e 00 85 74 f7 fa 05 85 37 3b 00 00 00 00 49 45 ...t....7;....IE
4e 44 ae 42 60 82 ND.B`.
---------------------------------------------------------------
4 13 1430340676.5581 (2.4335) C>SV3.3(518) application_data
---------------------------------------------------------------
POST /my.policy HTTP/1.1
Host: 10.10.20.68
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: https://10.10.20.68/my.policy
Cookie: LastMRH_Session=3040878c; MRHSession=d6935a50c3854f82a7b645213040878c
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 47

---snip---

Approach B: The PMS file way
This is the creation of the pre-master secret file that you then download and load into wireshark prior to opening the capture.
Note: I don’t see any advantage to approach B, seeing as Wireshark still didn’t decrypt it properly for me, so I was stuck just looking at a text file to see the plaintext instead of the nice Wireshark GUI interface. I’ve had these kinds of problems with Wireshark before. So in my situation, I would just go with approach A: pipe the output of ssldump to a file and download that file off the box for analysis.

My virtual is 10.10.20.68, so I did:
tcpdump -ni 0.0 host 10.10.20.68 -w my_ssl_vip_encrypted.pcap -s0

and then:

ssldump -r my_ssl_vip_encrypted.pcap -k /config/filestore/files_d/Common_d/certificate_key_d/\:Common\:key_wrong_common_name_should_fail.key_296251_1 -M my_ssl_vip_pms.pms

Note the key I used was named “key_wrong_common_name_should_fail.key”, but the system appended an underscore and then some numbers to it.
If your key has a fairly unique name, you should have no problem finding the one to refer to in the ssldump command.
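The two fiddly steps above, as an added shell example that is not from the original post: looking up the filestore copy of the key (the system appends `_<digits>_<digits>` to the object name, so the exact `-k` path has to be found rather than typed) and sanity-checking the .pms file before pointing Wireshark at it. The filestore directory and key name are the ones from the post; the key-log line formats checked (RSA and CLIENT_RANDOM) are the NSS key-log forms Wireshark reads.

```shell
# Added example; not from the original post. Plain POSIX sh, meant to run on
# the BIG-IP (or against a copy of its filestore); paths follow the post.

# BIG-IP stores "key_wrong_common_name_should_fail.key" in the filestore as
# ":Common:key_wrong_common_name_should_fail.key_<digits>_<digits>", so the
# ssldump -k argument is looked up by object name. Prints exactly one path.
# Usage: find_filestore_key <filestore-dir> <key-object-name>
find_filestore_key() {
    dir=$1; name=$2; found=''; count=0
    for f in "$dir"/:Common:"$name"_[0-9]*_[0-9]*; do
        [ -e "$f" ] || continue        # an unmatched glob stays literal; skip it
        found=$f; count=$((count + 1))
    done
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one filestore file for $name, found $count" >&2
        return 1
    fi
    printf '%s\n' "$found"
}

# Before loading a .pms file under Wireshark's (Pre)-Master-Secret log
# setting, confirm it holds entries in the NSS key-log format Wireshark reads:
# "RSA <8-byte hex> <48-byte hex>" or "CLIENT_RANDOM <32-byte hex> <48-byte hex>".
# An empty or malformed file gives Wireshark nothing to decrypt with.
# Prints the number of usable entries; fails if any non-comment line is bad.
check_keylog() {
    file=$1
    [ -r "$file" ] || { echo "$file: not readable" >&2; return 1; }
    pat='^(RSA [0-9a-fA-F]{16} [0-9a-fA-F]{96}|CLIENT_RANDOM [0-9a-fA-F]{64} [0-9a-fA-F]{96})$'
    good=$(grep -cE "$pat" "$file" || true)
    total=$(grep -cvE '^(#|[[:space:]]*$)' "$file" || true)   # non-comment, non-blank lines
    if [ "$good" -eq 0 ] || [ "$good" -ne "$total" ]; then
        echo "$file: $good of $total entries usable by Wireshark" >&2
        return 1
    fi
    echo "$good"
}

# Putting it together with the post's own commands (approach B):
#   KEY=$(find_filestore_key /config/filestore/files_d/Common_d/certificate_key_d \
#         key_wrong_common_name_should_fail.key)
#   ssldump -r my_ssl_vip_encrypted.pcap -k "$KEY" -M my_ssl_vip_pms.pms
#   check_keylog my_ssl_vip_pms.pms && echo "ok to load into Wireshark"
```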

After loading the PMS into Wireshark and then the PCAP, you will see the plaintext in the ssldebug.txt file, as shown in this pic from my Wireshark (latest version, downloaded today, 1.12.4), and you can see the HTTP headers and so on. In my case I’m even seeing a username and password, as shown below:


Here are my wireshark ssl settings:

Attachments: pic1.png (75.74 KB), pic2.png (127.17 KB)