Hi,
I generated a PCAP file with TLS session, and I have the matching private key used by my HTTPS server.
The TLS session is not using DH for key exchange, so it should be possible to decrypt.
I know OpenSSL can be used to connect to a socket to "actively" handle the TLS session, but is there a way to "passively" decode and decrypt a session?
How can I "feed" the packets (both directions) into the OpenSSL library?

Thanks!

Do you need to integrate the decryption into your own software, or are you just looking for a possibility to monitor and view the traffic?

If it’s the latter, try and take a look at the SSL decryption support that Wireshark provides.

https://wiki.wireshark.org/TLS
https://www.comparitech.com/net-admin/decrypt-ssl-with-wireshark/

hth,
Matthias

Disclaimer: I haven’t used it for TLS myself, only for IPsec, and I can’t tell how up-to-date it is, in particular whether it is TLS 1.3 ready.

From: openssl-users <[hidden email]> On Behalf Of Oren Shpigel

> Hi,
> I generated a PCAP file with TLS session, and I have the matching private key used by my HTTPS server.
> Thanks!

Hi, thanks for the answer.

I know wireshark and ssldump have this capability, but I'm looking for a way to do it in my own software in C++, (using OpenSSL, if possible, but open to other suggestions as well).

On Tue, Dec 8, 2020 at 4:32 PM Dr. Matthias St. Pierre <[hidden email]> wrote:

On 08/12/2020 15:28, Oren Shpigel wrote:
> Hi, thanks for the answer.
>
> I know wireshark and ssldump have this capability, but I'm looking for a
> way to do it in my own software in C++, (using OpenSSL, if possible, but
> open to other suggestions as well).

Unfortunately OpenSSL does not support this capability. It obviously supports all the required low-level crypto primitives to do it - but you would have to put them together yourself, as well as do all the packet parsing, etc. This would be ... difficult. :-)

Matt

On 12/8/20 7:46 AM, Matt Caswell wrote:
> On 08/12/2020 15:28, Oren Shpigel wrote:
>> Hi, thanks for the answer.
>>
>> I know wireshark and ssldump have this capability, but I'm looking for a
>> way to do it in my own software in C++, (using OpenSSL, if possible, but
>> open to other suggestions as well).
>
> Unfortunately OpenSSL does not support this capability. It obviously
> supports all the required low-level crypto primitives to do it - but you
> would have to put them together yourself, as well as do all the packet
> parsing, etc. This would be ... difficult. :-)

You could use a memory BIO or the like to feed the reconstructed data stream into to handle the TLS bits though? You are still stuck with writing your own TCP stack (effectively)? I think openvpn does something like this when I looked (it used memory BIOs to and then manually read/wrote their contents on its tunnel socket).

--
John Baldwin
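
The following is an added example, not written by any of the posters and not part of OpenSSL, showing the handshake-parsing half of the job discussed in the thread: it walks one direction of an already TCP-reassembled stream and extracts the client and server randoms, the negotiated cipher suite and the RSA-encrypted premaster secret. It assumes TLS 1.2 or earlier with a full handshake; `HandshakeInfo`, `parse_stream` and `is_rsa_kx` are names made up for this example.

```cpp
// Added example, not code from the thread. Input: one direction of a
// TCP-reassembled TLS 1.2 connection (full handshake, static RSA).
#include <cstddef>
#include <cstdint>
#include <vector>
using Bytes = std::vector<uint8_t>;

struct HandshakeInfo {
    Bytes client_random, server_random, enc_premaster;
    uint16_t cipher_suite = 0;
};

// Static-RSA suites only; with (EC)DHE the server key cannot decrypt a capture.
bool is_rsa_kx(uint16_t cs) {
    return cs == 0x002F || cs == 0x0035 || cs == 0x003C || cs == 0x003D ||
           cs == 0x009C || cs == 0x009D;
}

// Call once per direction with the same `out`; false means truncated/malformed.
bool parse_stream(const Bytes& s, HandshakeInfo& out) {
    Bytes hs;  // handshake messages can span records, so join record payloads
    for (size_t p = 0; p < s.size();) {
        if (s.size() - p < 5) return false;            // type, version(2), length(2)
        size_t len = (size_t(s[p + 3]) << 8) | s[p + 4];
        if (s.size() - p - 5 < len) return false;
        if (s[p] == 20) break;  // ChangeCipherSpec: later records are encrypted
        if (s[p] == 22) hs.insert(hs.end(), s.begin() + p + 5, s.begin() + p + 5 + len);
        p += 5 + len;
    }
    for (size_t q = 0; q < hs.size();) {
        if (hs.size() - q < 4) return false;           // msg type, length(3)
        size_t ml = (size_t(hs[q + 1]) << 16) | (size_t(hs[q + 2]) << 8) | hs[q + 3];
        if (hs.size() - q - 4 < ml) return false;
        const uint8_t* b = hs.data() + q + 4;
        if (hs[q] == 1) {            // ClientHello: version(2), random(32), ...
            if (ml < 34) return false;
            out.client_random.assign(b + 2, b + 34);
        } else if (hs[q] == 2) {     // ServerHello: ..., sid_len, sid, suite(2)
            if (ml < 35 || ml < 37 + size_t(b[34])) return false;
            out.server_random.assign(b + 2, b + 34);
            out.cipher_suite = uint16_t((b[35 + b[34]] << 8) | b[36 + b[34]]);
        } else if (hs[q] == 16) {    // ClientKeyExchange (RSA): length(2), blob
            if (ml < 2 || ((size_t(b[0]) << 8) | b[1]) + 2 != ml) return false;
            out.enc_premaster.assign(b + 2, b + ml);
        }
        q += 4 + ml;
    }
    return true;
}
```

With these fields collected from both directions, what remains is RSA-decrypting `enc_premaster` with the server key and running the TLS PRF over the two randoms, which is where the OpenSSL crypto primitives mentioned in the thread come in.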