This article describes how to decrypt TLS 1.3 traffic of an L7 HTTPS virtual server on FortiADC, by collecting the TLS 1.3 session secrets from the httproxy debug output and loading them into Wireshark as a key log file.
Scope
FortiADC, FortiADC-VM
Solution
Step 1: Prepare the debugging commands and SSH to FortiADC. Log the SSH session to a file: the TLS 1.3 secrets are printed in the debug output, and that file is the source of the key log used in the later steps.
diagnose debug module httproxy set-filter vsname=<vs> <----- Replace <vs> with the respective virtual server name
diagnose debug module httproxy ssl_ae_info
diagnose debug module ssl-of-httproxy all set
diagnose debug enable
Step 2: Start a packet capture:
- Define the interface, host IP/netmask, port, and other settings.
- Depending on the filters used, both frontend (client to VS) and backend (FortiADC to real server) traffic can be captured. The capture must include the TLS handshake of each session, because Wireshark matches key log entries to sessions by the Client Random of the ClientHello.
Step 3: Generate traffic to the L7 HTTPS VS (for example, from a browser) while the debug output and the packet capture are both running.
Sample of TLS1.3 keys output:
Step 4: Once complete, disable debugging using the commands below:
diagnose debug module httproxy unset-filter
diagnose debug module httproxy all unset
diagnose debug disable
Step 5: Stop the packet capture and download the .pcap file.
Note: If 'diagnose debug module httproxy all set' is used, the debugging output includes the debugging of all features, not only the TLS secrets. Use the command below on a Linux machine to filter the TLS 1.3 keys out of the debug file. Wireshark expects the NSS key log format, one entry per line: the label, the 32-byte client random in hex, and the secret in hex, separated by spaces. The awk filter prints the first three fields of each matching line, so it assumes the label is the first field of the debug line; if the debug line carries a prefix before the label, adjust the fields printed accordingly.
awk '/EXPORTER_SECRET|SERVER_HANDSHAKE_TRAFFIC_SECRET|SERVER_TRAFFIC_SECRET_0|CLIENT_HANDSHAKE_TRAFFIC_SECRET|CLIENT_TRAFFIC_SECRET_0/{print $1" "$2" "$3}' tls1.3_flow.log > tls1.3_key.file <----- Replace 'tls1.3_flow.log' with the respective source debug file.
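As an added example (not from this article and not FortiADC's own tooling), the following Python script does the job of the awk filter above, but tolerates a prefix before the label, drops repeated lines, validates the field lengths, and reports any session for which the capture still lacks one of the two traffic secrets needed to decrypt application data. The "[httproxy ...]" prefix and the hex values in SAMPLE_LOG are constructed for the example; the script only assumes that each secret appears somewhere on its line in NSS key log form (label, client random, secret), which is the same assumption the awk filter makes.

```python
import re
from collections import defaultdict

# TLS 1.3 labels that Wireshark accepts in an NSS key log file.
TLS13_LABELS = (
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
)

# One key log entry is "<LABEL> <client random, 32 bytes hex> <secret hex>".
# The match starts at a word boundary rather than at the start of the line,
# so a timestamp or module prefix in the debug output does not hide it.
KEYLOG_RE = re.compile(
    r"\b(" + "|".join(TLS13_LABELS) + r")\s+([0-9a-fA-F]{64})\s+([0-9a-fA-F]+)\b"
)

# Constructed sample of debug output: the "[httproxy ...]" prefix, the
# unrelated line and the hex values are made up, not real FortiADC output.
CR1 = "aa" * 32   # client random of a session with a complete set of secrets
CR2 = "bb" * 32   # client random of a session whose secrets are incomplete
SAMPLE_LOG = "\n".join([
    f"[httproxy vs=vs-https-1] CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR1} {'11' * 32}",
    f"[httproxy vs=vs-https-1] SERVER_HANDSHAKE_TRAFFIC_SECRET {CR1} {'22' * 32}",
    f"[httproxy vs=vs-https-1] CLIENT_TRAFFIC_SECRET_0 {CR1} {'33' * 32}",
    f"[httproxy vs=vs-https-1] SERVER_TRAFFIC_SECRET_0 {CR1} {'44' * 32}",
    f"[httproxy vs=vs-https-1] EXPORTER_SECRET {CR1} {'55' * 32}",
    f"[httproxy vs=vs-https-1] CLIENT_TRAFFIC_SECRET_0 {CR1} {'33' * 32}",  # repeated
    "[httproxy vs=vs-https-1] unrelated debug line without any secret",
    f"[httproxy vs=vs-https-1] CLIENT_TRAFFIC_SECRET_0 {CR2} {'66' * 48}",
])


def extract_keylog(lines):
    """Return the de-duplicated NSS key log entries found in debug output lines."""
    seen = set()
    entries = []
    for line in lines:
        m = KEYLOG_RE.search(line)
        if not m:
            continue
        label, client_random, secret = m.groups()
        # A TLS 1.3 secret is one hash output long: 32 bytes (SHA-256) or
        # 48 bytes (SHA-384), i.e. 64 or 96 hex characters.
        if len(secret) not in (64, 96):
            continue
        entry = f"{label} {client_random.lower()} {secret.lower()}"
        if entry not in seen:
            seen.add(entry)
            entries.append(entry)
    return entries


def missing_app_secrets(entries):
    """Per client random, list the traffic secrets still needed to decrypt
    application data. Wireshark needs both *_TRAFFIC_SECRET_0 entries for
    that; the handshake secrets only unlock the encrypted handshake part."""
    have = defaultdict(set)
    for entry in entries:
        label, client_random, _ = entry.split()
        have[client_random].add(label)
    required = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
    return {cr: sorted(required - labels) for cr, labels in have.items()}


def write_keylog(path, entries):
    """Write the entries as the key log file selected under Wireshark's
    (Pre)-Master-Secret log filename preference. Returns the entry count."""
    with open(path, "w", encoding="ascii") as fh:
        fh.write("\n".join(entries) + "\n")
    return len(entries)


if __name__ == "__main__":
    found = extract_keylog(SAMPLE_LOG.splitlines())
    count = write_keylog("tls1.3_key.file", found)
    print(f"wrote {count} key log entries")
    for cr, missing in missing_app_secrets(found).items():
        if missing:
            print(f"client random {cr[:16]}...: missing {', '.join(missing)}")
```

To run it against a real capture, replace SAMPLE_LOG with the contents of the saved debug file. The resulting file can be loaded in the Wireshark GUI as described in the following steps, or applied on the command line with tshark, for example `tshark -r capture.pcap -o tls.keylog_file:tls1.3_key.file -Y http`.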
Step 6: Open the downloaded packet capture file with Wireshark.
Encrypted HTTP content packet capture:
Step 7: In Wireshark, go to Edit > Preferences:
Step 8: In the Preferences window, expand Protocols and select TLS:
Step 9: Under (Pre)-Master-Secret log filename, click Browse, select the TLS 1.3 keys file, and click OK.
Step 10: Decrypted HTTP content packet capture: