内容简介:When debugging a program that uses LibreSSL, it can be useful to see decrypted network traffic. Wireshark canWeb browsers, from their Netscape provenance, will log session keys to a file specified by the environment variable
LibreSSL is a fork of OpenSSL that improves code quality and security. It was originally developed for OpenBSD, but has since been ported to several platforms (Linux, *BSD, HP-UX, Solaris, macOS, AIX, Windows) and is now the default TLS provider for some of them.
When debugging a program that uses LibreSSL, it can be useful to see decrypted network traffic. Wireshark can decrypt TLS if you provide the secret session key, however the session key is difficult to obtain. It is different from the private key used for functions like tls_config_set_keypair_file()
, which merely secures the initial TLS handshake with asymmetric cryptography. The handshake establishes the session key between client and server using a method such as Diffie-Hellman (DH). The session key is then used for efficient symmetric cryptography for the remainder of the communication.
Web browsers, from their Netscape provenance, will log session keys to a file specified by the environment variable SSLKEYLOGFILE
when present. Netscape packaged this behavior in its Network Security Services library.
OpenSSL and LibreSSL don’t implement that NSS behavior, although OpenSSL allows code to register a callback for when TLS key material is generated or received. The callback receives a string in the NSS Key Log Format .
In addition to refactoring OpenSSL code, LibreSSL offers a simplified TLS interface called libtls . The simplicity makes it more likely that applications will use it safely. However, I couldn’t find an easy way to log session keys for my libtls connection.
I found a somewhat hacky way to do it, and asked their development list whether there’s a better way. From the lack of response, I assume there isn’t yet. Posting the solution here in case it’s helpful for anyone else.
This module provides a tls_dump_keylog()
function that appends to the file specified in SSLKEYLOGFILE
.
#include <stdbool.h> #include <stdio.h> #include <stdlib.h> #include <openssl/ssl.h> /* A copy of the tls structure from libtls/tls_internal.h * * This is a fragile hack! When the structure changes in libtls * then it will be Undefined Behavior to alias it with this. * See C99 section 6.5 (Expressions), paragraph 7 */ struct tls_internal { struct tls_config *config; struct tls_keypair *keypair; struct { char *msg; int num; int tls; } error; uint32_t flags; uint32_t state; char *servername; int socket; SSL *ssl_conn; SSL_CTX *ssl_ctx; struct tls_sni_ctx *sni_ctx; X509 *ssl_peer_cert; STACK_OF(X509) *ssl_peer_chain; struct tls_conninfo *conninfo; struct tls_ocsp *ocsp; tls_read_cb read_cb; tls_write_cb write_cb; void *cb_arg; }; static void printhex(FILE *fp, const unsigned char* s, size_t len) { while (len-- > 0) fprintf(fp, "%02x", *s++); } bool tls_dump_keylog(struct tls *tls) { FILE *fp; SSL_SESSION *sess; unsigned int len_key, len_id; unsigned char key[256]; const unsigned char *id; const char *path = getenv("SSLKEYLOGFILE"); if (!path) return false; /* potentially nonstrict aliasing */ sess = SSL_get_session(((struct tls_internal*)tls)->ssl_conn); if (!sess) { fprintf(stderr, "Failed to get session for TLS\n"); return false; } len_key = SSL_SESSION_get_master_key(sess, key, sizeof key); id = SSL_SESSION_get_id(sess, &len_id); if ((fp = fopen(path, "a")) == NULL) { fprintf(stderr, "Unable to write keylog to '%s'\n", path); return false; } fputs("RSA Session-ID:", fp); printhex(fp, id, len_id); fputs(" Master-Key:", fp); printhex(fp, key, len_key); fputs("\n", fp); fclose(fp); return true; }
To use the logfile in Wireshark, right click on a TLS packet, and select Protocol Preferences → (Pre)-Master-Secret log filename .
(Pre)-Master-Secret log filename menu item
In the resulting dialog, add the filename to the logfile. Then you can view the decrypted traffic with Follow → TLS Stream .
Follow TLS stream menu item
以上就是本文的全部内容,希望本文的内容对大家的学习或者工作能带来一定的帮助,也希望大家多多支持 码农网
猜你喜欢:本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们。
代码大全(第2版)
[美] 史蒂夫·迈克康奈尔 / 金戈、汤凌、陈硕、张菲 译、裘宗燕 审校 / 电子工业出版社 / 2006-3 / 128.00元
第2版的《代码大全》是著名IT畅销书作者史蒂夫·迈克康奈尔11年前的经典著作的全新演绎:第2版不是第一版的简单修订增补,而是完全进行了重写;增加了很多与时俱进的内容。这也是一本完整的软件构建手册,涵盖了软件构建过程中的所有细节。它从软件质量和编程思想等方面论述了软件构建的各个问题,并详细论述了紧跟潮流的新技术、高屋建瓴的观点、通用的概念,还含有丰富而典型的程序示例。这本书中所论述的技术不仅填补了初......一起来看看 《代码大全(第2版)》 这本书的介绍吧!