Bug ID 464934: Tcpdump enhancement for better SSL/TLS data analysis

Last Modified: Jul 13, 2024

Affected Product(s):
BIG-IP All (all modules)

Known Affected Versions:
11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3

Fixed In:
15.0.0

Opened: May 29, 2014

Severity: 4-Minor

Related Article: K31793632

Symptoms

tcpdump has no functionality to help analyze problems with encrypted data, such as problems during encrypted TLS 1.3 handshakes or with the encrypted SSL/TLS payload in TLS 1.3, TLS 1.2, and earlier.

Impact

No ability to debug and analyze encrypted handshake and encrypted data of SSL/TLS connections.

Conditions

When there is a need to look at the encrypted traffic in an SSL/TLS connection or when there is a need to debug the encrypted handshake of TLS 1.3.

Workaround

You can use the OpenSSL keylogfile option to gather the same information needed to decrypt. This has to be done separately from the tcpdump capture.
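Because the key log is collected separately from the capture, it is worth checking which connections it actually covers before trying to decrypt. The following is an added example, not F5's code and not part of the original article; it assumes the file uses the NSS key log text format that OpenSSL's key logging writes, and all sample lines are constructed.

```python
import re

# NSS key log line: <LABEL> <client_random: 32 bytes hex> <secret: hex>
LINE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ((?:[0-9a-fA-F]{2})+)$")
HANDSHAKE = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET"}
APP_DATA = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}

def parse_keylog(text):
    """Return ({client_random: set(labels)}, [line numbers that failed to parse])."""
    sessions, bad = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and comments
            continue
        m = LINE.match(line)
        # A TLS 1.2 master secret is always 48 bytes (96 hex characters).
        if not m or (m.group(1) == "CLIENT_RANDOM" and len(m.group(3)) != 96):
            bad.append(lineno)
            continue
        sessions.setdefault(m.group(2).lower(), set()).add(m.group(1))
    return sessions, bad

def coverage(labels):
    """Say which encrypted parts of one connection the logged secrets cover."""
    if "CLIENT_RANDOM" in labels:
        # TLS 1.2 and earlier: the master secret keys every encrypted record.
        return {"protocol": "TLS<=1.2", "handshake": True, "data": True}
    # TLS 1.3: handshake and application data use separate secrets per direction.
    return {"protocol": "TLS1.3",
            "handshake": HANDSHAKE <= labels,
            "data": APP_DATA <= labels}

# Constructed sample (not real key material): three connections, one bad line.
CR12, CR13, CR13_PARTIAL = "a1" * 32, "b2" * 32, "c3" * 32
SAMPLE = "\n".join([
    "# constructed key log for illustration",
    f"CLIENT_RANDOM {CR12} {'11' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR13} {'22' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {CR13} {'33' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {CR13} {'44' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {CR13} {'55' * 32}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR13_PARTIAL} {'66' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {CR13_PARTIAL} {'77' * 32}",
    f"CLIENT_RANDOM {CR12} {'11' * 20}",   # truncated master secret
])

if __name__ == "__main__":
    sessions, bad = parse_keylog(SAMPLE)
    for client_random, labels in sessions.items():
        print(client_random[:16], coverage(labels))
    print("unparseable lines:", bad)
```

A connection whose client random is missing from the result, or whose TLS 1.3 entry reports `data` as false, cannot be fully decrypted from that key log.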

Fix Information

This release provides a '--f5 ssl' option for tcpdump. Used together with setting the db variable 'tcpdump.sslprovider' to 'enable', it captures the information needed to decrypt the encrypted handshake and data.

Behavior Change

tcpdump has a new option: '--f5 ssl'. When the db variable 'tcpdump.sslprovider' is set to 'enable', the tcpdump operation captures the information needed to decrypt the encrypted handshake and data.
