Marek Skrobacki

Decrypting SSL with Wireshark

Today I needed to troubleshoot a problem with some of the HTTPS requests being “lost” at the CSS loadbalancer during SSL termination. The problem was very weird because it happened only if the request had been made using Firefox. Initially I was hoping that it would be a server or application level issue, but it turned out not to be the case. I could see packets going out of my machine and hitting the ...

Ssl Https Wireshark Decrypting Ssl Troubleshooting

Marek Skrobacki

Too sensitive and jumpy ALPS touchpad on Arch Linux in Dell E6320

Just got my new E6320 Dell laptop. I was a long-time user of the E6420 machine but decided to swap it for something that is a bit smaller. Of course I started with an Arch installation and almost everything started working out of the box. The only thing I was worried about was the touchpad - it was really difficult to find a proper solution because of hundreds of other bugs (like this) that I’ve ...

Alps Arch Linux Dell Touchpad E6320

Marek Skrobacki

Loadbalancing based on header on Brocade ADX

Goal: We have three servers. For the sake of simplicity let’s name them lx11, lx12 and lx13. Our goal is to have a standard loadbalancing VIP (round-robin), but we need the ability to force the connection to go to a specific server by setting an appropriate header value in an HTTP request. Assumptions: Real servers are configured and alive. All of them have their server-id assigned. In our example it’s 1218, 1211 and 1213. Solution: Verify if ...

Http Header Loadbalancing Brocade Header Loadbalancing Adx

Marek Skrobacki

F5 BigIP - if your box fails to activate license first time

If you have a brand new F5 box that somehow refuses to activate the license and it has not been activated before, check what is in the /config/bigip.license file. If it’s empty and activation through the GUI fails with a “lost connection” prompt, you have to revert to using the CLI. Log in to the CLI. Check what the Base Registration Key for your box is by executing the following command: # cat /config/RegKey.license ...

Tmsh License Activation

Marek Skrobacki

SSH: Connecting through HTTP proxy

If your proxy server supports the CONNECT method, you can actually use this functionality to connect with the SSH protocol. This is very useful if the servers you are connecting to are located in a restricted network and the only unrestricted access is through a bastion/jump host. Most people just log in to the bastion host through SSH and then start an SSH client to their destination device from there. While it certainly works, it takes too much time, especially ...

Marek Skrobacki

F5 SSH vulnerability and how to check if you are affected

Following the recent F5 SSH vulnerability disclosure, I was forced to quickly identify which of my devices are actually vulnerable and need patching. I started looking at my options and it turned out that the easiest way to find out which boxes need some loving was to try exploiting them. It took me just a moment to locate the dodgy private SSH key on BigIP’s filesystem. Once I had that I was able to log in to ...

Paraproxy Paramiko

Marek Skrobacki

Cookie based persistence maintained between HTTP and HTTPS on the F5

Problem: The customer has a pretty standard eCommerce site - end-users browse the shop using HTTP and when they are ready to purchase, they go to checkout using HTTPS. HTTPS is offloaded to the BigIP, so catch-all cannot be used. Also, the customer is not happy to use source IP based persistence because of inconsistencies in load distribution across the servers. The real problem here is that BigIP does not allow you to maintain persistence when using ...