<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Hi Oliver<br><br>When I say ssldump, I mean the version that is here &lt;http://www.rtfm.com/ssldump/&gt; - I can feed it the key and have it decrypt the session if that is what I want; it's quite a handy piece of software that I frequently use together with tcpdump.<br><br><blockquote type="cite">The big Q is what type of traffic are you talking about? Who is doing the SSL termination? Is it a WSM-SSL or an SRVC-SSL module...<br></blockquote><br><br>The SSL termination is carried out by the ServerIron's WSM-SSL module. This can be verified from the output of the ssldump running on the test machine:<br><br>&lt;snip&gt;<br>New TCP connection #1: 10.0.1.163(49757) &lt;-&gt; 10.0.0.120(636)<br>1    0.0003 (0.0003)  C&gt;S  TCP FIN<br>1    0.0007 (0.0004)  S&gt;C  TCP FIN<br>New TCP connection #2: 10.0.1.163(49758) &lt;-&gt; 10.0.0.120(636)<br>2 1  0.0008 (0.0008)  C&gt;S SSLv2 compatible client hello<br> Version 3.1<br> cipher suites<br> Unknown value 0x39<br> Unknown value 0x38<br> Unknown value 0x35<br> TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA<br> TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA<br> TLS_RSA_WITH_3DES_EDE_CBC_SHA<br> SSL2_CK_3DES<br> Unknown value 0x33<br> Unknown value 0x32<br> Unknown value 0x2f<br> SSL2_CK_RC2<br> TLS_RSA_WITH_RC4_128_SHA<br> TLS_RSA_WITH_RC4_128_MD5<br> SSL2_CK_RC4<br> TLS_DHE_RSA_WITH_DES_CBC_SHA<br> TLS_DHE_DSS_WITH_DES_CBC_SHA<br> TLS_RSA_WITH_DES_CBC_SHA<br> SSL2_CK_DES<br> TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA<br> TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA<br> TLS_RSA_EXPORT_WITH_DES40_CBC_SHA<br> TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5<br> SSL2_CK_RC2_EXPORT40<br> TLS_RSA_EXPORT_WITH_RC4_40_MD5<br> SSL2_CK_RC4_EXPORT40<br>2 2  0.0015 (0.0006)  S&gt;C  Handshake<br>     ServerHello<br>       Version 3.1<br>       session_id[0]=<br><br>       cipherSuite         Unknown value 0x35<br>       compressionMethod                   NULL<br>2 3  0.0019 (0.0003)  S&gt;C  Handshake<br>     Certificate<br>2 4  0.0019 (0.0000)  S&gt;C  Handshake<br>     ServerHelloDone<br>2 5  0.0052 (0.0033)  C&gt;S  Handshake<br>     ClientKeyExchange<br>2 6  0.0052 (0.0000)  C&gt;S  ChangeCipherSpec<br>2 7  0.0052 (0.0000)  C&gt;S  Handshake<br>2 8  0.0075 (0.0023)  S&gt;C  ChangeCipherSpec<br>2 9  0.0075 (0.0000)  S&gt;C  Handshake<br>2 10 0.0084 (0.0008)  C&gt;S  application_data<br>2 11 0.0084 (0.0000)  C&gt;S  application_data<br>2 12 0.0097 (0.0013)  S&gt;C  application_data<br>2 13 0.0101 (0.0003)  C&gt;S  application_data<br>2 14 0.0101 (0.0000)  C&gt;S  application_data<br>2 15 0.0102 (0.0001)  C&gt;S  Alert<br>2    0.0104 (0.0001)  C&gt;S  TCP FIN<br>&lt;/snip&gt;<br><br>So, in this, the test machine 10.0.1.163 is making a request to the virtual IP of 10.0.0.120 over an SSL/TLS session and all is fine as far as I can tell (my original query is now solved). The 10.0.0.120 is listening on the LDAPS port and then passes to the real server on the backend that is listening on the LDAP port (e.g. bind ldaps ldap1 1636 real-port ldap).<br><br>I'll have another look over the docs as it is clearly something that I am doing wrong, as I am sure SSL debug info should be able to be logged to the console on the WSM.<br><br>Thanks for your help so far,<br><br>Mike<br><br>On 27 Jun 2008, at 14:46, Oliver Adam wrote:<br><br><blockquote type="cite">You have mentioned the sessions got terminated at the SI. Looking at your email below you have said: using ssldump on a test machine. Using ssldump on a test machine should not help you in case SSL traffic is getting terminated at the SI. The big Q is what type of traffic are you talking about? Who is doing the SSL termination? 
Is it a WSM-SSL or an SRVC-SSL module...<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">R, Oliver<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">At 11:15 27.06.2008, Mike Lott wrote:<br></blockquote><blockquote type="cite"><blockquote type="cite">Hi<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Thanks both for your input.<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">I ended up compiling ssldump on the test machine, running an ssh<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">session to it, and monitoring the login process that way.<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">I am, however, now intrigued as to why I wasn't getting any SSL debug<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">output from the WSM...<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Mike<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">On 20 Jun 2008, at 16:49, Wouter Prins wrote:<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Make a mirror port and set up Wireshark with the private key you<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">imported 
on<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">the SI to view what's going on?<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">-----Original Message-----<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">From: foundry-nsp-bounces@puck.nether.net<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">[mailto:foundry-nsp-bounces@puck.nether.net] On Behalf Of Mike Lott<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Sent: Friday, June 20, 2008 4:15 PM<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">To: foundry-nsp@puck.nether.net<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Subject: Re: [f-nsp] LDAPS debugging<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Hi Oliver<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">What type of traffic are you trying to debug? 
Is it traffic which is<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">using SSL acceleration at the ServerIron or is it something else?<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">SSL termination is on the SI (there is no proxying to backend real<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">servers). I'd like to be able to view the transactions as the SSL<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">sessions are set up. Am I going about this the wrong way?<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Mike<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">On 20 Jun 2008, at 15:03, Oliver Adam wrote:<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">What type of traffic are you trying to debug? 
Is it traffic which is<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">using SSL acceleration at the ServerIron or is it something else?<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">The command below is for SSL accelerated traffic only.<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">R, Oliver<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">At 12:48 20.06.2008, Mike Lott wrote:<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Hi Oliver<br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Thanks for the reply.<br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote 
type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">I've tried the following commands, but when I make HTTPS connections<br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">or LDAPS connections to the ServerIron, nothing is output to the<br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">console, but my HTTPS sessions are fine (in that they complete):<br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">1/1#wsm dm ssldump filter 1 spa 10.0.1.160 (my IP)<br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">1/1#wsm dm ssldump mode detail<br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">1/1#wsm dm ssldump both<br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">I've verified that the active BP is in slot 1 and we only have 
WSM<br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">modules with one processor. I'd expect to see something being<br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">written<br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">out as there are a number of active SSL connections at the time from<br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">my IP address.<br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">We are currently using 09.5.02cTD2.<br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Thanks,<br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote 
type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Mike<br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">On 20 Jun 2008, at 08:23, Oliver wrote:<br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Have you checked rconsole commands like<br></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">wsm dm ssldump brief<br></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">wsm dm ssldump detailed<br></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">wsm dm ssldump 
decrypt<br></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">and some others? Have a look at the Security Guide of TrafficWorks<br></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">10.2.01 or 10.2.00...<br></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">You have to move to the correct processor first of all (rconsole x<br></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">y).<br></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">X = 
slot<br></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Y = processor<br></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">R, Oliver<br></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">At 09:06 20.06.2008, Mike Lott wrote:<br></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">on the ServerIron before moving 
my<br></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">eyes to the backend servers. Any clues?<br></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">_______________________________________________<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">foundry-nsp mailing list<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">foundry-nsp@puck.nether.net<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">http://puck.nether.net/mailman/listinfo/foundry-nsp<br></blockquote></blockquote></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><br></blockquote><br></body></html>
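Mike's ssldump transcript above shows why feeding ssldump the server's private key worked for him: the WSM-SSL module chose suite 0x35 (TLS_RSA_WITH_AES_256_CBC_SHA, an RFC 3268 suite newer than that ssldump build, hence "Unknown value"), sent Certificate and ServerHelloDone with no ServerKeyExchange, and the client answered with a ClientKeyExchange, i.e. a static-RSA key exchange whose premaster secret the server key can recover. Had a DHE suite been negotiated, the same key would decrypt nothing. The script below is an added example written for this page, not code from the thread or from ssldump: it parses an ssldump handshake transcript of this shape, resolves the unknown AES suite codes, reports whether the capture is decryptable with the server key, and lists the legacy suites the client offered. SAMPLE_DUMP is connection #2 from Mike's post re-typed as constructed input with the 25-suite ClientHello list shortened; DHE_DUMP is a hypothetical contrast case that does not appear in the thread.

```python
"""Parse an ssldump handshake transcript and decide whether the capture could be
decrypted offline with the server's private key (ssldump -k, or Wireshark).
Added example for this thread; not code from the original e-mail or from ssldump."""
import re

# RFC 3268 AES suites seen in the post; the ssldump build used there predates them
# and prints each as "Unknown value 0x..".
AES_SUITES = {0x2f: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x32: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
              0x33: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", 0x35: "TLS_RSA_WITH_AES_256_CBC_SHA",
              0x38: "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", 0x39: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"}
CONN_RE = re.compile(r"New TCP connection #(\d+): (\S+) <-> (\S+)")
# "conn [seq] time (delta) C>S rest"; ssldump's TCP FIN lines carry no seq number.
RECORD_RE = re.compile(r"^(\d+)\s+(?:\d+\s+)?[\d.]+\s+\([\d.]+\)\s+([CS]>[CS])\s+(.*)$")
UNKNOWN_RE = re.compile(r"Unknown value 0x([0-9a-fA-F]+)")

def resolve(text):
    """Map 'Unknown value 0x35' to a suite name when the table knows the code."""
    m = UNKNOWN_RE.search(text)
    return AES_SUITES.get(int(m.group(1), 16), text.strip()) if m else text.strip()

def parse_handshake(dump):
    """Return {conn_id: {client, server, offered, chosen, messages}}; each message is
    [direction, record_type, handshake_message_or_None] in wire order."""
    conns, cur, in_suites, expect_name = {}, None, False, False
    for raw in dump.splitlines():
        line = raw.strip()
        if (m := CONN_RE.match(line)):
            cur = conns.setdefault(int(m.group(1)), {"client": m.group(2), "server": m.group(3),
                                                     "offered": [], "chosen": None, "messages": []})
            in_suites = expect_name = False
        elif cur is None or not line:
            continue
        elif (r := RECORD_RE.match(line)):
            cur["messages"].append([r.group(2), r.group(3).strip(), None])
            in_suites = False
            expect_name = r.group(3).strip() == "Handshake"  # its name is on the next line
        elif expect_name:
            cur["messages"][-1][2], expect_name = line, False
        elif line == "cipher suites":
            in_suites = True
        elif line == "compression methods":
            in_suites = False
        elif in_suites:
            cur["offered"].append(resolve(line))
        elif line.startswith("cipherSuite"):
            cur["chosen"] = resolve(line[len("cipherSuite"):])
    return conns

def decryptable_with_server_key(conn):
    """True only when the premaster secret was RSA-encrypted to the certificate key
    (static-RSA suite, ClientKeyExchange, no ServerKeyExchange).  With DHE the server
    key only signs, so ssldump -k cannot recover the session keys."""
    seen = {name for _, _, name in conn["messages"] if name}
    static_rsa = (conn["chosen"] or "").startswith(("TLS_RSA_WITH_", "SSL_RSA_WITH_"))
    return static_rsa and "ClientKeyExchange" in seen and "ServerKeyExchange" not in seen

def weak_offers(conn):
    """Suites offered in the ClientHello that a current policy should refuse."""
    markers = ("EXPORT", "SSL2_", "_DES_", "RC2", "RC4")
    return [s for s in conn["offered"] if any(mk in s for mk in markers)]

# Constructed input: connection #2 from the post, ClientHello suite list shortened.
SAMPLE_DUMP = """\
New TCP connection #2: 10.0.1.163(49758) <-> 10.0.0.120(636)
2 1  0.0008 (0.0008)  C>S SSLv2 compatible client hello
  Version 3.1
  cipher suites
  Unknown value 0x39
  Unknown value 0x35
  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  TLS_RSA_WITH_RC4_128_SHA
  TLS_RSA_WITH_DES_CBC_SHA
  TLS_RSA_EXPORT_WITH_RC4_40_MD5
  SSL2_CK_RC4_EXPORT40
2 2  0.0015 (0.0006)  S>C  Handshake
      ServerHello
        session_id[0]=

        cipherSuite         Unknown value 0x35
        compressionMethod                   NULL
2 3  0.0019 (0.0003)  S>C  Handshake
      Certificate
2 4  0.0019 (0.0000)  S>C  Handshake
      ServerHelloDone
2 5  0.0052 (0.0033)  C>S  Handshake
      ClientKeyExchange
2    0.0104 (0.0001)  C>S  TCP FIN
"""
# Hypothetical contrast case, not from the post: a DHE suite negotiated on the same VIP.
DHE_DUMP = """\
New TCP connection #3: 10.0.1.163(49760) <-> 10.0.0.120(636)
3 2  0.0020 (0.0010)  S>C  Handshake
      ServerHello
        cipherSuite         Unknown value 0x39
3 4  0.0022 (0.0001)  S>C  Handshake
      ServerKeyExchange
3 5  0.0030 (0.0008)  C>S  Handshake
      ClientKeyExchange
"""
```

Run `parse_handshake(SAMPLE_DUMP)[2]` and the checks return chosen suite TLS_RSA_WITH_AES_256_CBC_SHA, decryptable True, and four legacy offers (RC4, single DES, two export-grade); `parse_handshake(DHE_DUMP)[3]` returns decryptable False. The practical consequence for the set-up in the thread: a private-key capture only stays useful as long as the VIP keeps negotiating static RSA; once a DHE suite is in play, decryption has to happen on the terminating device itself (the `wsm dm ssldump decrypt` command Oliver lists) rather than on a mirror port. The export-grade and SSLv2 suites in the ClientHello are offered by the client, not chosen by the WSM, but they are worth stripping from the client configuration regardless.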