Administration Guide

Decrypting TLS 1.2/1.1/1.0 Traffic

  1. Capture packets on FortiWeb and, at the same time, enable diagnose debug flow as follows.

    FortiWeb# diagnose debug flow filter flow-detail 4

    FortiWeb# diagnose debug flow trace start

    FortiWeb# diagnose debug enable

    Please note:

    • Add filters when capturing packets on FortiWeb;

    • Do not add filters to the diagnose commands below if the back-end server provides SSL/TLS service; otherwise the SSL keys cannot be displayed in the diagnose output. This is a known limitation that will be addressed in future builds.

    • If you only want to decrypt SSL traffic from clients to FortiWeb, the following filters can be added:

      diagnose debug flow filter client-ip 172.30.214.11

      diagnose debug flow filter server-ip 10.159.37.33

  2. The client random and "pre master key" appear in the diagnose debug output as follows.

    You can find the client random and "pre master key" in two sections of the diagnose output. Either section can be used as the source of the keys for decrypting the SSL traffic in Wireshark.

    Section I:

    tls1.3 ssl key (server):

    CLIENT_RANDOM 61e7b3d0b841a4abd371199cd32e23b6ee89f405c7aabc2a28997964ed01a677 e392e420f25bfb69cfae878c05c098dcea21020de21e1852c44701edfb25a28677a4b3677c3aa054352643bcad171a70

    tls1.3 ssl key (client):

    CLIENT_RANDOM bcac18831f2c2b63d8ea784ba5df74bc8e0e1618f3c7bb927bcda5bbc4ba322a cebb2af2b4bb2fed087214da294dbd8ffbbdbd162466f76aaab9c822aa73bfec991b6b7cefb9c98c3434300afcb32ac0

    Section II: (the client random and keys are the same as those in Section I)

    [work 1][flow] ssn 1 policy SP_01 strm 0 dir 0 subclient 0 client 32 ssl handshake(172.30.212.177:1074->10.159.37.1:7002) session data: client random 61e7b3d0b841a4abd371199cd32e23b6ee89f405c7aabc2a28997964ed01a677, master key e392e420f25bfb69cfae878c05c098dcea21020de21e1852c44701edfb25a28677a4b3677c3aa054352643bcad171a70

    [work 1][flow] ssn 1 policy SP_01 strm 0 dir 1 subclient 0 server 34 ssl handshake(10.159.37.1:13536->10.159.37.11:443) session data: client random bcac18831f2c2b63d8ea784ba5df74bc8e0e1618f3c7bb927bcda5bbc4ba322a, master key cebb2af2b4bb2fed087214da294dbd8ffbbdbd162466f76aaab9c822aa73bfec991b6b7cefb9c98c3434300afcb32ac0

  3. Create a Wireshark key file. The key file format is as follows, with the content retrieved from the diagnose output.

    CLIENT_RANDOM 61e7b3d0b841a4abd371199cd32e23b6ee89f405c7aabc2a28997964ed01a677 e392e420f25bfb69cfae878c05c098dcea21020de21e1852c44701edfb25a28677a4b3677c3aa054352643bcad171a70

    CLIENT_RANDOM bcac18831f2c2b63d8ea784ba5df74bc8e0e1618f3c7bb927bcda5bbc4ba322a cebb2af2b4bb2fed087214da294dbd8ffbbdbd162466f76aaab9c822aa73bfec991b6b7cefb9c98c3434300afcb32ac0

    The first line is for the client-to-FortiWeb connection and the second for the FortiWeb-to-back-end-server connection.

    You can manually copy the client random and "pre master key" into a file, or use a Linux command to retrieve them as follows:

    For releases earlier than 6.3:

    awk '{gsub(/\,/," ")}/session data: client random/{print "CLIENT_RANDOM " $19 " " $22}' tls12_debug.log > tls12key.file

    For 6.3 and later:

    awk '{gsub(/\,/," ")}/session data: client random/{print "CLIENT_RANDOM " $21 " " $24}' tls12_debug.log > tls12key.file

    Save the diagnose output as tls12_debug.log, as above, and run the command in the FortiWeb backend shell or on a Linux machine.

    Sometimes running the command produces the following warning:

    root@ut:/home/test# awk '{gsub(/\,/," ")}/session data: client random/{print "CLIENT_RANDOM " $21 " " $24}' tls1.2_flow.log > tls1.2_key.log

    awk: cmd. line:1: warning: regexp escape sequence `\,' is not a known regexp operator

    Use the following command instead:

    awk '{gsub(/,/," ")}/session data: client random/{print "CLIENT_RANDOM " $21 " " $24}' "tls1.2_flow.log" > tls1.2_key.file

  4. Configure Wireshark: Edit > Preferences > Protocols > TLS, then choose the key file "tls1.2_key.file" under "(Pre)-Master-Secret log filename". You will then be able to see the decrypted HTTP traffic.
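
As an added example (not FortiWeb's own tooling), the POSIX shell script below builds the key file by matching the key material itself rather than by awk field position, so it accepts both the Section I (CLIENT_RANDOM) and Section II (session data) lines regardless of which release wrote the log, collapses the duplicate copies of each handshake, and checks the result before Wireshark is pointed at it. The file names and the sample log used to exercise it are constructed from the values shown above.

```shell
#!/bin/sh
# Added example, not FortiWeb's own tooling: build a Wireshark
# (Pre)-Master-Secret log from saved "diagnose debug flow" output by matching
# the key material itself instead of awk field positions, which differ between
# FortiWeb releases (see the $19/$22 and $21/$24 commands above).

# Print one "CLIENT_RANDOM <64-hex client random> <96-hex master secret>" line
# per distinct handshake found in the diagnose output file given as $1.
# Section I lines ("CLIENT_RANDOM ...") and Section II lines
# ("... client random X, master key Y") are both accepted; duplicates collapse.
extract_keylog() {
    sed -nE \
        -e 's/.*CLIENT_RANDOM +([0-9a-fA-F]{64}) +([0-9a-fA-F]{96}).*/CLIENT_RANDOM \1 \2/p' \
        -e 's/.*client random +([0-9a-fA-F]{64}), *master key +([0-9a-fA-F]{96}).*/CLIENT_RANDOM \1 \2/p' \
        "$1" | sort -u
}

# Check that every line of the key file $1 is well formed: a line Wireshark
# cannot parse is unusable, and the matching session simply stays encrypted.
# Returns 0 if the file is clean, otherwise 1 with the first bad line on stderr.
validate_keylog() {
    bad=$(grep -vE '^CLIENT_RANDOM [0-9a-fA-F]{64} [0-9a-fA-F]{96}$' "$1" | head -n 1)
    if [ -n "$bad" ]; then
        printf 'malformed key line: %s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Usage: sh extract_keylog.sh tls12_debug.log > tls12key.file
if [ "$#" -ge 1 ]; then
    extract_keylog "$1"
fi
```

Run validate_keylog on the generated file before loading it in Wireshark; if it reports a bad line, the diagnose output was truncated or wrapped when it was saved.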