Decrypting TLS 1.2/1.1/1.0 Traffic
- Capture packets on FortiWeb, and enable diagnose debug flow at the same time as follows.
For example, capture packets from client IP 10.20.0.20 to the FortiWeb VIP 10.59.76.190 in the FortiWeb GUI. If the IP that FortiWeb uses to connect to the pservers is also 10.59.76.190, the traffic on both the front-end and back-end sides is captured in the same capture; otherwise, add the pserver address as another host filter (instead of the VIP) to capture the packets on the back-end side.
The client random and "pre master key" appear in two sections of the diagnose debug output, as shown below (the debug output labels the second value "master key"). Either section can be used to build the key file that lets Wireshark decrypt the SSL/TLS traffic.
Section I:
tls1.3 ssl key (server):
CLIENT_RANDOM 61e7b3d0b841a4abd371199cd32e23b6ee89f405c7aabc2a28997964ed01a677 e392e420f25bfb69cfae878c05c098dcea21020de21e1852c44701edfb25a28677a4b3677c3aa054352643bcad171a70
tls1.3 ssl key (client):
CLIENT_RANDOM bcac18831f2c2b63d8ea784ba5df74bc8e0e1618f3c7bb927bcda5bbc4ba322a cebb2af2b4bb2fed087214da294dbd8ffbbdbd162466f76aaab9c822aa73bfec991b6b7cefb9c98c3434300afcb32ac0
Section II (the client random and keys are the same as in Section I):
[work 1][flow] ssn 1 policy SP_01 strm 0 dir 0 subclient 0 client 32 ssl handshake(172.30.212.177:1074->10.159.37.1:7002) session data: client random 61e7b3d0b841a4abd371199cd32e23b6ee89f405c7aabc2a28997964ed01a677, master key e392e420f25bfb69cfae878c05c098dcea21020de21e1852c44701edfb25a28677a4b3677c3aa054352643bcad171a70
[work 1][flow] ssn 1 policy SP_01 strm 0 dir 1 subclient 0 server 34 ssl handshake(10.159.37.1:13536->10.159.37.11:443) session data: client random bcac18831f2c2b63d8ea784ba5df74bc8e0e1618f3c7bb927bcda5bbc4ba322a, master key cebb2af2b4bb2fed087214da294dbd8ffbbdbd162466f76aaab9c822aa73bfec991b6b7cefb9c98c3434300afcb32ac0
- Create a Wireshark key file. The file has the following format, with the values taken from the diagnose output:
CLIENT_RANDOM 61e7b3d0b841a4abd371199cd32e23b6ee89f405c7aabc2a28997964ed01a677 e392e420f25bfb69cfae878c05c098dcea21020de21e1852c44701edfb25a28677a4b3677c3aa054352643bcad171a70
CLIENT_RANDOM bcac18831f2c2b63d8ea784ba5df74bc8e0e1618f3c7bb927bcda5bbc4ba322a cebb2af2b4bb2fed087214da294dbd8ffbbdbd162466f76aaab9c822aa73bfec991b6b7cefb9c98c3434300afcb32ac0
The first line is for the client-to-FortiWeb connection and the second for the FortiWeb-to-back-end-server connection.
You can copy the client random and "pre master key" into the file by hand, or extract them with a Linux command as follows:
For releases earlier than 6.3:
awk '{gsub(/\,/," ")}/session data: client random/{print "CLIENT_RANDOM " $19 " " $22}' tls12_debug.log > tls12key.file
For 6.3 and later:
awk '{gsub(/\,/," ")}/session data: client random/{print "CLIENT_RANDOM " $21 " " $24}' tls12_debug.log > tls12key.file
Save the diagnose output as tls12_debug.log and run the command in the FortiWeb back-end shell or on a Linux machine.
On some awk implementations (gawk, for example) the command produces the following warning, because the comma does not need to be escaped in the regexp:
root@ut:/home/test# awk '{gsub(/\,/," ")}/session data: client random/{print "CLIENT_RANDOM " $21 " " $24}' tls1.2_flow.log > tls1.2_key.log
awk: cmd. line:1: warning: regexp escape sequence `\,' is not a known regexp operator
Use the following command instead:
awk '{gsub(/,/," ")}/session data: client random/{print "CLIENT_RANDOM " $21 " " $24}' "tls1.2_flow.log" > tls1.2_key.file
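As an added example (not part of the FortiWeb documentation), the same extraction written in Python: it matches on the "session data:" keywords instead of field positions, so one script handles both the pre-6.3 and 6.3+ layouts, and it rejects entries whose client random is not 32 bytes or whose secret is not 48 bytes, which Wireshark could not use anyway. The sample log reuses the two handshake lines shown above; the pre-6.3-style line and the truncated values in it are constructed.

```python
import re

# Matches the "session data" tail of a FortiWeb "diagnose debug flow" line,
# whatever precedes it, so one pattern covers both the pre-6.3 and 6.3+
# layouts that the positional awk fields ($19/$22 versus $21/$24) depend on.
SESSION_RE = re.compile(
    r"session data: client random ([0-9a-fA-F]+),\s*master key ([0-9a-fA-F]+)"
)
CLIENT_RANDOM_HEX_LEN = 64  # 32-byte TLS client random
MASTER_SECRET_HEX_LEN = 96  # 48-byte TLS 1.0-1.2 master secret


def extract_keylog_lines(debug_lines):
    """Return NSS key log lines ("CLIENT_RANDOM <random> <secret>") for Wireshark.

    Entries whose hex values have the wrong length are dropped, since Wireshark
    could not use them; a handshake logged more than once is written only once.
    """
    seen, out = set(), []
    for line in debug_lines:
        m = SESSION_RE.search(line)
        if not m:
            continue
        client_random, secret = m.group(1).lower(), m.group(2).lower()
        if len(client_random) != CLIENT_RANDOM_HEX_LEN or len(secret) != MASTER_SECRET_HEX_LEN:
            continue
        entry = f"CLIENT_RANDOM {client_random} {secret}"
        if entry not in seen:
            seen.add(entry)
            out.append(entry)
    return out


# Constructed sample: the two handshake lines from the diagnose output above
# (client->FortiWeb, then FortiWeb->back-end server), the first one repeated,
# and a truncated entry in the assumed pre-6.3 layout (no "subclient" field).
SAMPLE_LOG = [
    "[work 1][flow] ssn 1 policy SP_01 strm 0 dir 0 subclient 0 client 32 ssl handshake(172.30.212.177:1074->10.159.37.1:7002) session data: client random 61e7b3d0b841a4abd371199cd32e23b6ee89f405c7aabc2a28997964ed01a677, master key e392e420f25bfb69cfae878c05c098dcea21020de21e1852c44701edfb25a28677a4b3677c3aa054352643bcad171a70",
    "[work 1][flow] ssn 1 policy SP_01 strm 0 dir 1 subclient 0 server 34 ssl handshake(10.159.37.1:13536->10.159.37.11:443) session data: client random bcac18831f2c2b63d8ea784ba5df74bc8e0e1618f3c7bb927bcda5bbc4ba322a, master key cebb2af2b4bb2fed087214da294dbd8ffbbdbd162466f76aaab9c822aa73bfec991b6b7cefb9c98c3434300afcb32ac0",
    "[work 1][flow] ssn 1 policy SP_01 strm 0 dir 0 subclient 0 client 32 ssl handshake(172.30.212.177:1074->10.159.37.1:7002) session data: client random 61e7b3d0b841a4abd371199cd32e23b6ee89f405c7aabc2a28997964ed01a677, master key e392e420f25bfb69cfae878c05c098dcea21020de21e1852c44701edfb25a28677a4b3677c3aa054352643bcad171a70",
    "[work 1][flow] ssn 2 policy SP_01 strm 0 dir 0 client 32 ssl handshake(172.30.212.177:1080->10.159.37.1:7002) session data: client random 0123456789abcdef, master key 00ff",
]

if __name__ == "__main__":
    for entry in extract_keylog_lines(SAMPLE_LOG):
        print(entry)
```

For a saved log, pass the open file object to extract_keylog_lines() and write the joined result to the key file that Wireshark will read.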
- Configure Wireshark: go to Edit > Preferences > Protocols > TLS and set "(Pre)-Master-Secret log filename" to the key file "tls1.2_key.file". Wireshark will then show the decrypted HTTP traffic.