Use OpenSSL to decrypt TLS session from PCAP files


Use OpenSSL to decrypt TLS session from PCAP files

Oren Shpigel
Hi, 
I generated a PCAP file with TLS session, and I have the matching private key used by my HTTPS server.
The TLS session is not using DH for key exchange, so it should be possible to decrypt.
I know OpenSSL can be used to connect to a socket to "actively" handle the TLS session, but is there a way to "passively" decode and decrypt a session?
How can I "feed" the packets (both directions) into the OpenSSL library?

Thanks!

RE: Use OpenSSL to decrypt TLS session from PCAP files

Dr. Matthias St. Pierre

Do you need to integrate the decryption into your own software, or are you just looking for a possibility to monitor and view the traffic?

If it’s the latter, try and take a look at the SSL decryption support that Wireshark provides.

https://wiki.wireshark.org/TLS

https://www.comparitech.com/net-admin/decrypt-ssl-with-wireshark/

hth,

Matthias

Disclaimer: I haven’t used it for TLS myself, only for IPsec, and I can’t tell how up-to-date it is, in particular whether it is TLS 1.3 ready.


From: openssl-users <[hidden email]> On Behalf Of Oren Shpigel
Sent: Tuesday, December 8, 2020 3:15 PM
To: [hidden email]
Subject: Use OpenSSL to decrypt TLS session from PCAP files

 

Hi, 

I generated a PCAP file with TLS session, and I have the matching private key used by my HTTPS server.
The TLS session is not using DH for key exchange, so it should be possible to decrypt.
I know OpenSSL can be used to connect to a socket to "actively" handle the TLS session, but is there a way to "passively" decode and decrypt a session?
How can I "feed" the packets (both directions) into the OpenSSL library?

Thanks!



Re: Use OpenSSL to decrypt TLS session from PCAP files

Oren Shpigel
Hi, thanks for the answer.

I know wireshark and ssldump have this capability, but I'm looking for a way to do it in my own software in C++, (using OpenSSL, if possible, but open to other suggestions as well).

On Tue, Dec 8, 2020 at 4:32 PM Dr. Matthias St. Pierre <[hidden email]> wrote:

Do you need to integrate the decryption into your own software, or are you just looking for a possibility to monitor and view the traffic?

If it’s the latter, try and take a look at the SSL decryption support that Wireshark provides.

Re: Use OpenSSL to decrypt TLS session from PCAP files

Matt Caswell-2


On 08/12/2020 15:28, Oren Shpigel wrote:
> Hi, thanks for the answer.
>
> I know wireshark and ssldump have this capability, but I'm looking for a
> way to do it in my own software in C++, (using OpenSSL, if possible, but
> open to other suggestions as well).

Unfortunately OpenSSL does not support this capability. It obviously
supports all the required low-level crypto primitives to do it - but you
would have to put them together yourself, as well as do all the packet
parsing, etc. This would be ... difficult. :-)

Matt



Re: Use OpenSSL to decrypt TLS session from PCAP files

John Baldwin
On 12/8/20 7:46 AM, Matt Caswell wrote:

>
>
> On 08/12/2020 15:28, Oren Shpigel wrote:
>> Hi, thanks for the answer.
>>
>> I know wireshark and ssldump have this capability, but I'm looking for a
>> way to do it in my own software in C++, (using OpenSSL, if possible, but
>> open to other suggestions as well).
>
> Unfortunately OpenSSL does not support this capability. It obviously
> supports all the required low-level crypto primitives to do it - but you
> would have to put them together yourself, as well as do all the packet
> parsing, etc. This would be ... difficult. :-)

You could use a memory BIO or the like to feed the reconstructed data
stream into, to handle the TLS bits, though?  You are still stuck with
writing your own TCP stack (effectively)?  I think OpenVPN does something
like this when I looked (it used memory BIOs and then manually
read/wrote their contents on its tunnel socket).

--
John Baldwin
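
The "packet parsing" step discussed in this thread, and the check behind the premise that a non-DH session can be decrypted with the server key, can be sketched in C++ as follows. This is an added example, not code from any participant or from OpenSSL; the function names are hypothetical, and it assumes the server-to-client TCP stream has already been reassembled from the PCAP.

```cpp
#include <cstddef>
#include <cstdint>
#include <set>
#include <vector>

using Bytes = std::vector<uint8_t>;

// Split a reassembled one-direction TCP stream into TLS records and collect the
// handshake-layer bytes (content type 22). Returns the bytes consumed; a trailing
// partial record is left for the caller to retry once more data arrives.
size_t collectHandshake(const Bytes& stream, Bytes& handshake) {
    size_t off = 0;
    while (stream.size() - off >= 5) {                // 5-byte record header
        size_t len = (stream[off + 3] << 8) | stream[off + 4];
        if (stream.size() - off - 5 < len) break;     // record not complete yet
        if (stream[off] == 22)
            handshake.insert(handshake.end(), stream.begin() + off + 5,
                             stream.begin() + off + 5 + len);
        off += 5 + len;
    }
    return off;
}

// Walk handshake messages (type:1, length:3, body) and return the cipher suite
// selected in the ServerHello (type 2), or -1 if it is absent or truncated.
int serverHelloSuite(const Bytes& hs) {
    size_t off = 0;
    while (hs.size() - off >= 4) {
        size_t len = (hs[off + 1] << 16) | (hs[off + 2] << 8) | hs[off + 3];
        if (hs.size() - off - 4 < len) return -1;
        if (hs[off] == 2) {
            // body: version(2) random(32) session_id_len(1) session_id suite(2)
            if (len < 35) return -1;
            size_t sid = hs[off + 4 + 34];
            if (len < 35 + sid + 2) return -1;
            size_t p = off + 4 + 35 + sid;
            return (hs[p] << 8) | hs[p + 1];
        }
        off += 4 + len;
    }
    return -1;
}

// Static-RSA suites: the premaster secret is encrypted to the server key, so the
// private key alone is enough. (EC)DHE suites and all TLS 1.3 suites are not.
bool isStaticRsa(int suite) {
    static const std::set<int> rsa = {0x000A, 0x002F, 0x0035, 0x003C,
                                      0x003D, 0x009C, 0x009D};
    return rsa.count(suite) != 0;
}
```

If `isStaticRsa` returns false for the negotiated suite, the server's private key alone cannot recover the session keys, whatever library does the decryption.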