Administration Guide

Enabling diagnose debug flow to retrieve TLS Pre-master secrets

SSL pre-master secrets (referred to as “SSL keys” in the sections below) are required to decrypt SSL packets. They can be retrieved from diagnose debug flow trace logs.

To decrypt SSL packets, capture the SSL packets and enable diagnose debug flow at the same time. After retrieving the pre-master secrets from the diagnose logs, save them in a file and import it into Wireshark to decrypt the captured SSL packets; you will then be able to see the HTTP flows that were encrypted.

Use the following diagnose commands to print a diagnose debug flow trace that includes the SSL pre-master secrets:

# diagnose debug flow filter flow-detail 4 #4 is the lowest level to print SSL secrets

# diagnose debug flow trace start

# diagnose debug enable

To reduce the diagnose flow output, you can add IP filters to the flow trace:

# diagnose debug flow filter client-ip <A.A.A.A> #Client IP address

# diagnose debug flow filter server-ip <B.B.B.B> #The VIP in RP mode or the real server IP in TP/TI mode

# diagnose debug flow filter pserver-ip <C.C.C.C> #The real server IP in RP mode; TTP or other operation modes do not support this filter

Please note:

  • client-ip and server-ip are supported on all 6.3.x and 7.0.x builds; pserver-ip is supported on 6.3.21, 7.0.3 and later builds.

  • On 6.3.20, 7.0.1 and earlier builds:

    • If no IP filters are added, both front-end and back-end TLS 1.2 and 1.3 pre-master secrets can be printed in the diagnose logs;

    • If client-ip and/or server-ip are added, only matching flows are printed in the diagnose logs; pre-master secrets for TLS 1.2 and lower protocols on both the front-end and back-end sides are printed in the diagnose logs;

    • A known limitation is that when TLS 1.3 is deployed on the back-end side (between FortiWeb and the real back-end servers) and IP flow filters are added, pre-master secrets cannot be printed. You need to remove all IP filters to retrieve the TLS 1.3 secrets.

  • On 6.3.21, 7.0.3 and newer builds:

    • If no IP filters are added, both front-end and back-end TLS 1.2 and 1.3 pre-master secrets can be printed in the diagnose logs;

    • If only the front-end IP filters (client-ip and/or server-ip) or only the back-end IP filter pserver-ip is added, only flows matching the filters are printed in the diagnose logs, including their pre-master secrets;

    • If both the front-end IP filters (client-ip and/or server-ip) and the back-end IP filter pserver-ip are added at the same time, the relationship between the front-end filters and the back-end filter is OR. That is, flows matching either the front-end or the back-end IP filters are printed.

    • The back-end IP filter pserver-ip is necessary for retrieving the back-end pre-master secrets, whether TLS 1.2 or TLS 1.3 is deployed between FortiWeb and the real back-end servers.

Please refer to Debugging traffic flow at user level with diagnose commands for usage of related commands.
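
The step of saving the retrieved secrets to a file for Wireshark can be scripted on the analysis workstation. The following is an added example, not Fortinet's code: it assumes the diagnose output was saved to a text file and that the secrets appear in it in the NSS key log format that Wireshark imports (this page does not show the actual output layout); `extract_keylog`, `write_keylog` and the sample lines are hypothetical.

```python
import os
import re

# NSS key log labels that Wireshark accepts (TLS 1.2 and TLS 1.3).
LABELS = (
    "CLIENT_RANDOM",
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
)
# <label> <32-byte client random, hex> <32..64-byte secret, hex> inside a log line.
KEYLINE = re.compile(
    r"\b(%s) ([0-9a-fA-F]{64}) ((?:[0-9a-fA-F]{2}){32,64})\b" % "|".join(LABELS)
)


def extract_keylog(debug_text):
    """Return the unique key log lines found in saved debug output, in order."""
    seen, lines = set(), []
    for label, rand, secret in KEYLINE.findall(debug_text):
        if label == "CLIENT_RANDOM" and len(secret) != 96:
            continue  # a TLS 1.2 master secret is always 48 bytes
        entry = "%s %s %s" % (label, rand.lower(), secret.lower())
        if entry not in seen:
            seen.add(entry)
            lines.append(entry)
    return lines


def write_keylog(lines, path):
    """Write the key log owner-readable only: it decrypts the whole capture."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    os.chmod(path, 0o600)  # the mode above is ignored if the file already existed
    return len(lines)


# Constructed sample: line prefixes and hex values are made up for illustration.
SAMPLE = "\n".join([
    "[flow] constructed: CLIENT_RANDOM " + "1a" * 32 + " " + "2b" * 48,
    "[flow] constructed: CLIENT_RANDOM " + "1a" * 32 + " " + "2b" * 48,
    "[flow] constructed: CLIENT_TRAFFIC_SECRET_0 " + "3c" * 32 + " " + "4d" * 32,
    "[flow] constructed: CLIENT_RANDOM " + "5e" * 32 + " " + "6f" * 10,
])
```

Point Wireshark's TLS "(Pre)-Master-Secret log filename" preference at the written file, and delete the file once the analysis is finished.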
