
Decoding TLS using sslkeylogfile


So you've just finished upgrading your systems to HTTPS Everywhere, or maybe you've just converted all of your "legacy" APIs (Thrift is so last week) to gRPC, or maybe (my use case) you've got a new CEO who keeps getting unexplained broken pages uncomfortably often, which has put a multi-thousand-person engineering org on high alert, and you need to peek at network traffic to figure out which CDN is barfing and why.

It doesn't matter how you got here. You're here because you want to decrypt some TLS traffic, you own either the client or the server, you have some PCAP files captured somewhere in the middle, and maybe you don't even have access to the server's private key. Is this even possible? You might think the answer is no. After all, isn't that what forward secrecy is all about? With an ephemeral (EC)DHE key exchange the long-term private key only signs the handshake and never protects the session keys, so a recording of the traffic cannot be decrypted later even by someone holding that private key.

Well, sort of. Forward secrecy protects against a third party who has only the capture and the long-term key. It does nothing against an endpoint that chooses to write down its own per-session secrets, and with a little help from the client's or the server's TLS implementation that is exactly what you can ask your process to do: dump the keys to the kingdom for use in later decoding. Treat that dump accordingly. Anyone who gets it together with the pcap can read those sessions, so write it somewhere only you can read and delete it when you're done.

There is a semi-standardized way of getting TLS secrets out of an app and into Wireshark: the NSS Key Log format. NSS stands for "Network Security Services", Mozilla's TLS library, where the format originated. Each line of the file is a label, the 32-byte client random from the ClientHello (which is how a line is matched to a session), and the secret itself: a TLS 1.2 session logs a CLIENT_RANDOM line carrying the 48-byte master secret, and a TLS 1.3 session logs one line per traffic secret (CLIENT_HANDSHAKE_TRAFFIC_SECRET, SERVER_HANDSHAKE_TRAFFIC_SECRET, CLIENT_TRAFFIC_SECRET_0, SERVER_TRAFFIC_SECRET_0). Key logging is generally triggered by exporting the SSLKEYLOGFILE environment variable, which Firefox, Chrome and curl honor, but some newer implementations (such as BoringSSL) require explicit setup, so activation can be app specific. For example Chrome also has a --ssl-key-log-file flag, and Go's crypto/tls Config struct has an optional KeyLogWriter field.

However you get a key log file, once you have one you can combine it with a pcap file and decode it in Wireshark. Wireshark matches each line to a session by the client random, so the capture must include the ClientHello of the session you care about; a capture that starts mid-connection cannot be decrypted even with the right secrets.

Let's walk through an example. You are going to want to run the next two commands at the same time, in separate terminals.

Start a packet capture (tcpdump generally needs root; add -i <interface> if the default interface is not the one carrying the traffic):

tcpdump -w out.pcap port 443

Load your favorite TLS-enabled website in headless Chromium and take a screenshot, telling it where to write the key log (note that /tmp is world-readable; in practice pick a path only you can read):

chromium-browser --screenshot --ssl-key-log-file=/tmp/sslkeylog.txt --headless 'https://www.google.com/'

Let's open this packet dump in Wireshark.


[Screenshot: Decoding TLS using sslkeylogfile]

As you can see, there's nothing but encrypted "Application Data" records, indecipherable until we configure a key log file: Edit → Preferences → Protocols → TLS (called SSL in older Wireshark versions) → "(Pre)-Master-Secret log filename", pointing at /tmp/sslkeylog.txt.


[Screenshot: Decoding TLS using sslkeylogfile]

Now we can view the decoded HTTP/2 content:


[Screenshot: Decoding TLS using sslkeylogfile]

If you are using Go, see the example for how to generate a client that logs its keys through KeyLogWriter.
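The KeyLogWriter hook in action, as an added example that is not code from the original post or from its linked example. This self-contained Go program runs one TLS handshake over loopback TCP against a throwaway in-memory self-signed certificate for the made-up name "keylog-example" (the name, the certificate and the bytes.Buffer stand-ins for the key log files are all assumptions made for the example), with KeyLogWriter set on both the client and the server, and then parses what was written in NSS Key Log format. The parser is the editor's own; Go's crypto/tls only writes the lines.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"io"
	"math/big"
	"strings"
	"time"
)

// KeyLogEntry is one NSS Key Log line: label, 32-byte ClientHello random, secret.
type KeyLogEntry struct{ Label string; ClientRandom, Secret []byte }

// ParseKeyLog parses "<label> <hex client_random> <hex secret>" lines (skipping blanks and '#' comments) and validates the lengths Wireshark relies on.
func ParseKeyLog(text string) (entries []KeyLogEntry, err error) {
	for i, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 3 {
			return nil, fmt.Errorf("line %d: want 3 fields, got %d", i+1, len(f))
		}
		cr, err1 := hex.DecodeString(f[1])
		sec, err2 := hex.DecodeString(f[2])
		if err1 != nil || err2 != nil || len(cr) != 32 {
			return nil, fmt.Errorf("line %d: fields must be hex with a 32-byte client random", i+1)
		}
		if f[0] == "CLIENT_RANDOM" && len(sec) != 48 { // TLS 1.2 master secret; TLS 1.3 secrets are hash-sized
			return nil, fmt.Errorf("line %d: master secret must be 48 bytes", i+1)
		}
		entries = append(entries, KeyLogEntry{Label: f[0], ClientRandom: cr, Secret: sec})
	}
	return entries, nil
}

// selfSignedCert builds an in-memory ECDSA cert for the made-up name "keylog-example" and a pool trusting only it (test-only; no InsecureSkipVerify needed).
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{"keylog-example"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // der was just produced, so it parses
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, roots
}

// CaptureKeyLog runs one TLS handshake over loopback TCP at the given version with
// KeyLogWriter set on BOTH endpoints and returns what each side logged.
func CaptureKeyLog(version uint16) (clientLog, serverLog string, err error) {
	cert, roots := selfSignedCert()
	var cbuf, sbuf bytes.Buffer // stand-ins for the key log files on disk
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert}, MinVersion: version, MaxVersion: version,
		KeyLogWriter: &sbuf, // server-side logging, for when you own the server
	})
	if err != nil {
		return "", "", err
	}
	defer ln.Close()
	done := make(chan struct{})
	go func() { // minimal echo server; its TLS handshake runs on the first Read
		defer close(done)
		if s, err := ln.Accept(); err == nil {
			io.Copy(s, s)
			s.Close()
		}
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		ServerName: "keylog-example", RootCAs: roots, MinVersion: version, MaxVersion: version,
		KeyLogWriter: &cbuf, // Go's equivalent of SSLKEYLOGFILE / --ssl-key-log-file
	})
	if err != nil {
		return "", "", err
	}
	c.Close() // the secrets were logged during the handshake that Dial completed
	<-done    // the server goroutine has exited, so sbuf is no longer being written
	return cbuf.String(), sbuf.String(), nil
}
```

Call CaptureKeyLog(tls.VersionTLS13) and write the returned client log to a file, then point Wireshark at that file. A TLS 1.3 session yields four lines (client and server handshake traffic secrets, then client and server application traffic secrets) that all share the session's client random; a TLS 1.2 session yields a single CLIENT_RANDOM line with the 48-byte master secret. Both endpoints write identical secrets, which is why owning either side is enough. In a real program KeyLogWriter would be an os.File opened with mode 0600, and the Go documentation's warning applies: use of KeyLogWriter compromises security and is for debugging only.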

