Forum Discussion
Kevin_Stewart
Nov 19, 2015 (Employee)
The SSL:: commands only work if you process the SSL at the F5. If you're passing SSL traffic through, you have to get a little deeper in the weeds. Here's a very crude example of what it might look like to sniff the negotiated cipher from the server's ServerHello message:
```tcl
when CLIENT_ACCEPTED {
    # store client IP
    set clientip [IP::client_addr]
}
when SERVER_CONNECTED {
    # collecting server side responses
    TCP::collect
}
when SERVER_DATA {
    # sniffing the packet type: record type, record version, record length, handshake type
    # (binary scan returns the number of fields filled; only proceed if all four are present)
    if { [binary scan [TCP::payload] cSSc type ver len hs] == 4 } {
        # 22 = SSL handshake, 2 = ServerHello
        if { ( $type == 22 ) and ( $hs == 2 ) } {
            # skip 43 bytes (record header, handshake header, version, random) to the session ID length
            binary scan [TCP::payload] H86H2 sh sidlen
            if { $sidlen ne "00" } {
                # if sidlen not 00 (session ID length), skip past ID and collect cipher
                scan $sidlen %x dec
                # session ID length in hex characters (two per byte)
                set dec [expr {$dec * 2}]
                binary scan [TCP::payload] H88H${dec}H4 sh sid cipher
                log local0. "Client: $clientip negotiated cipher: $cipher"
            } else {
                # no session ID, collect cipher
                binary scan [TCP::payload] H88H4 sh cipher
                log local0. "Client: $clientip negotiated cipher: $cipher"
            }
        }
    }
    TCP::release
}
```
Again, stressing that this is a very crude example. The log will show something like this:
```
Client: 10.70.0.51 negotiated cipher: c030
```
The "c030" here is the hexadecimal value of the cipher version, as defined here:
http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
So c030 = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
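The same ServerHello walk (record header, handshake header, version, random, session ID length, session ID, cipher suite) as a stand-alone parser, added here as an example and not part of the post above. It is written in Python rather than as an iRule so it can be run offline against a constructed ServerHello; the builder, the sample session ID and the two-entry cipher-name table are assumptions for the demonstration.

```python
import struct

# Small cipher-suite table for the demo (ids per the IANA TLS parameters registry).
CIPHER_NAMES = {
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}


def build_server_hello(cipher: int, session_id: bytes, version=(3, 3)) -> bytes:
    """Build a minimal TLS record carrying a ServerHello (constructed test input only)."""
    body = bytes(version) + bytes(32) + bytes([len(session_id)]) + session_id
    body += struct.pack("!H", cipher) + b"\x00"          # cipher suite, null compression
    hs = b"\x02" + len(body).to_bytes(3, "big") + body   # handshake type 2 = ServerHello
    return b"\x16" + bytes(version) + struct.pack("!H", len(hs)) + hs  # record type 22


def negotiated_cipher(payload: bytes):
    """Return the cipher suite id from a ServerHello record, or None if it is not one."""
    if len(payload) < 6:
        return None
    rec_type, _rec_ver, _rec_len, hs_type = struct.unpack("!BHHB", payload[:6])
    if rec_type != 22 or hs_type != 2:   # 22 = handshake record, 2 = ServerHello
        return None
    # 5 (record header) + 1 (hs type) + 3 (hs length) + 2 (version) + 32 (random) = 43
    if len(payload) < 44:
        return None
    sid_len = payload[43]                # session ID length byte (the iRule's "sidlen")
    off = 44 + sid_len                   # cipher suite follows the variable-length session ID
    if len(payload) < off + 2:
        return None                      # truncated record: do not read past the buffer
    return struct.unpack("!H", payload[off:off + 2])[0]


def cipher_hex(cipher: int) -> str:
    """Format the suite id the way the iRule logs it, e.g. 0xC030 -> 'c030'."""
    return format(cipher, "04x")


def cipher_name(cipher: int) -> str:
    return CIPHER_NAMES.get(cipher, "unknown")


if __name__ == "__main__":
    rec = build_server_hello(0xC030, b"\x01\x02\x03\x04")   # constructed, with a session ID
    suite = negotiated_cipher(rec)
    print(f"negotiated cipher: {cipher_hex(suite)} = {cipher_name(suite)}")
```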