F5 SSL Sideband Configuration Incompatibility with Riverbed AppResponse for Full SSL Handshake Capture

Solution Number:
S38503
Last Modified:
2024-10-20
Issue
When F5's SSL sideband virtual server configuration is used to feed Riverbed AppResponse, the replicated stream does not contain the full SSL/TLS handshake. AppResponse needs the handshake, in particular the Client Random carried in the ClientHello, to match a session to the master secret supplied for Perfect Forward Secrecy (PFS) decryption; PFS cipher suites (ephemeral DHE/ECDHE key exchange) cannot be decrypted from the server's private key alone. Without the handshake, AppResponse cannot decrypt or analyze PFS-protected sessions.
Solution
Cause:
  1. Late-stage traffic replication: The F5 SSL sideband virtual server replicates traffic only after the F5 device has completed the SSL/TLS handshake with the client.
  2. Incomplete handshake data: The replicated stream therefore lacks the ClientHello, ServerHello and key exchange messages, so the Client Random and Server Random that identify the session are never seen by AppResponse.
  3. No session to key: Because replication starts on an already-established session, AppResponse has nothing to correlate a supplied master secret against, and the PFS-negotiated session keys cannot be derived.
Impact:
Riverbed AppResponse cannot capture the complete SSL/TLS handshake information necessary for PFS decryption and analysis, limiting its ability to provide full visibility into encrypted traffic.
Solution:
To properly capture the full SSL handshake for PFS decryption with Riverbed AppResponse:
  1. Implement traffic capture at the F5's ingress point:
    • Configure a SPAN or mirror port on the switch where client traffic enters the F5 device, so the ClientHello and the rest of the handshake are seen before the F5 terminates the session.
    • Connect Riverbed AppResponse to this SPAN/mirror port.
  2. If ingress capture is not possible, consider these alternatives:
    • Use F5's SSL Orchestrator to decrypt traffic and send a copy to AppResponse. The copy AppResponse receives is then already cleartext, so no master secrets are needed for it.
    • Install a network TAP in front of the F5 device to capture all client-side traffic, including the complete handshake.
  3. Configure AppResponse for PFS decryption:
    • Follow the steps outlined in KB S34427 to set up PFS decryption in AppResponse.
    • Ensure "Enable buffering for PFS decryption" is checked in the AppResponse Web UI.
  4. If using the REST API method for providing master secrets:
    • Implement a solution that extracts the Client Random and Master Secret for each session and forwards them to AppResponse through the REST API as described in KB S34427. The Client Random must be the value from the same ClientHello that AppResponse captured, since that is how the secret is matched to the flow; the buffering option in step 3 matters here because the secret may arrive after the handshake has already been captured.
By implementing one of these solutions, you can ensure that Riverbed AppResponse captures the complete SSL/TLS handshake, enabling proper PFS decryption and analysis.
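The following is an added example and not Riverbed or F5 code. It illustrates the matching step that steps 3 and 4 rely on: the 32-byte Client Random inside the ClientHello is the only value that lets a passive decryptor tie a captured flow to a master secret delivered out of band. Secrets are read in NSS key log format (CLIENT_RANDOM <hex> <hex>), which is an assumption made for illustration; the page only states that Client Random and Master Secret are provided via the REST API. The `secret_record_for_api` field names are placeholders, not AppResponse's real request format, which is documented in KB S34427. The sample key log and ClientHello bytes are constructed.

```python
# Added example (not Riverbed or F5 code). Shows why the ClientHello must be in
# the capture: the client_random inside it is the lookup key for a master
# secret supplied out of band. Key log parsing uses the NSS format
# (CLIENT_RANDOM <client_random hex> <master_secret hex>) as an assumption.
import struct

# Constructed sample key log; the values are synthetic, not real secrets.
CR_HEX = bytes(range(32)).hex()
MS_HEX = "ab" * 48
SAMPLE_KEYLOG = f"# constructed sample, not real secrets\nCLIENT_RANDOM {CR_HEX} {MS_HEX}\n"


def parse_keylog(text):
    """Parse NSS key log lines into {client_random (32 bytes): master_secret (48 bytes)}."""
    secrets = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] != "CLIENT_RANDOM":
            continue  # other NSS labels (TLS 1.3 traffic secrets) are out of scope here
        cr, ms = bytes.fromhex(parts[1]), bytes.fromhex(parts[2])
        if len(cr) != 32 or len(ms) != 48:
            raise ValueError("malformed CLIENT_RANDOM line")
        secrets[cr] = ms
    return secrets


def build_client_hello(client_random, cipher_suites=(0xC02F, 0xC030)):
    """Construct a minimal TLS 1.2 ClientHello record (constructed sample input)."""
    assert len(client_random) == 32
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    hello = (
        b"\x03\x03"                                  # client_version: TLS 1.2
        + client_random                              # 32-byte random (4-byte time + 28 random)
        + b"\x00"                                    # session_id length 0
        + struct.pack("!H", len(suites)) + suites    # ECDHE suites, i.e. PFS
        + b"\x01\x00"                                # compression_methods: null only
        + b"\x00\x00"                                # extensions length 0
    )
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello   # type client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record: handshake(22)


def client_random_from_record(record):
    """Return the 32-byte client_random from a TLS record carrying a ClientHello,
    or None if the record is not a handshake record containing a ClientHello."""
    if len(record) < 5 + 4 + 2 + 32:
        return None
    content_type, _version, length = struct.unpack("!BHH", record[:5])
    if content_type != 22:          # not a handshake record (23 = application data)
        return None
    body = record[5:5 + length]
    if len(body) < 4 or body[0] != 1:  # handshake type must be client_hello
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 2 + 32:
        return None
    return hello[2:34]              # skip client_version, take random


def lookup_master_secret(first_record, secrets):
    """Key a captured flow from the first TLS record seen on it. Returns the
    48-byte master secret, or None when the capture began after the ClientHello,
    which is exactly what happens with the SSL sideband copy."""
    cr = client_random_from_record(first_record)
    if cr is None:
        return None
    return secrets.get(cr)


def secret_record_for_api(client_random, master_secret):
    """Shape a (Client Random, Master Secret) pair for upload. Field names are
    placeholders; use the request format documented in KB S34427."""
    return {"client_random": client_random.hex(), "master_secret": master_secret.hex()}


if __name__ == "__main__":
    secrets = parse_keylog(SAMPLE_KEYLOG)
    ingress_first_record = build_client_hello(bytes(range(32)))
    print("ingress capture keyed:", lookup_master_secret(ingress_first_record, secrets) is not None)
    # Sideband copy: the first record AppResponse sees is already application data.
    sideband_first_record = b"\x17\x03\x03\x00\x05" + b"\x00" * 5
    print("sideband copy keyed:", lookup_master_secret(sideband_first_record, secrets) is not None)
```

The second lookup fails not because the secret is missing but because the flow carries no Client Random to match it against; that is the gap an ingress SPAN or TAP closes.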
Environment
AppResponse 11
PFS