lost and found ( for me ? ): ssldump

Showing posts with label ssldump. Show all posts

CentOS6 64bit : install ssldump 0.9b3

# cat /etc/centos-release

CentOS release 6.3 (Final)

# uname -ri

2.6.32-279.2.1.el6.x86_64 x86_64

# wget ftp.scientificlinux.org/linux/scientific/6.0/x86_64/os/Packages/epel-release-6-5.noarch.rpm

# rpm -ivh epel-release-6-5.noarch.rpm

# yum update -y

# yum install ssldump

# ssldump -v

ssldump 0.9b3

Copyright (C) 1998-2001 RTFM, Inc.

All rights reserved.

Compiled with OpenSSL: decryption enabled

# ssldump -i eth0 port 443

New TCP connection #1: 192.168.10.15(44718) <-> 192.168.10.35(443)

1 1 0.0008 (0.0008) C>S Handshake

     ClientHello

       Version 3.1

       cipher suites

       Unknown value 0xc014

       Unknown value 0xc00a

       TLS_DHE_RSA_WITH_AES_256_CBC_SHA

       TLS_DHE_DSS_WITH_AES_256_CBC_SHA

       Unknown value 0x88

       Unknown value 0x87

       Unknown value 0xc00f

       Unknown value 0xc005

       TLS_RSA_WITH_AES_256_CBC_SHA

       Unknown value 0x84

       Unknown value 0xc012

       Unknown value 0xc008

       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

       TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

       Unknown value 0xc00d

       Unknown value 0xc003

       TLS_RSA_WITH_3DES_EDE_CBC_SHA

       Unknown value 0xc013

       Unknown value 0xc009

       TLS_DHE_RSA_WITH_AES_128_CBC_SHA

       TLS_DHE_DSS_WITH_AES_128_CBC_SHA

       Unknown value 0x9a

       Unknown value 0x99

       Unknown value 0x45

       Unknown value 0x44

       Unknown value 0xc00e

       Unknown value 0xc004

       TLS_RSA_WITH_AES_128_CBC_SHA

       Unknown value 0x96

       Unknown value 0x41

       Unknown value 0xc011

       Unknown value 0xc007

       Unknown value 0xc00c

       Unknown value 0xc002

       TLS_RSA_WITH_RC4_128_SHA

       TLS_RSA_WITH_RC4_128_MD5

       TLS_DHE_RSA_WITH_DES_CBC_SHA

       TLS_DHE_DSS_WITH_DES_CBC_SHA

       TLS_RSA_WITH_DES_CBC_SHA

       TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA

       TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA

       TLS_RSA_EXPORT_WITH_DES40_CBC_SHA

       TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5

       TLS_RSA_EXPORT_WITH_RC4_40_MD5

       Unknown value 0xff

       compression methods

       1 2 0.0010 (0.0001) S>C Handshake

     ServerHello

       Version 3.1

       session_id[32]=

         de a8 c3 01 a5 8b 81 63 c4 bd 39 b5 0b 25 bc 26

         b5 8c 0d 91 cf e4 54 68 3b 3c cd 1c 62 de 0e f0

       cipherSuite         TLS_RSA_WITH_RC4_128_SHA

       compressionMethod                   NULL

1 3 0.0010 (0.0000) S>C Handshake

     Certificate

1 4 0.0010 (0.0000) S>C Handshake

     ServerHelloDone

1 5 0.0026 (0.0016) C>S Handshake

     ClientKeyExchange

1 6 0.0026 (0.0000) C>S ChangeCipherSpec

1 7 0.0026 (0.0000) C>S Handshake

1 8 0.0062 (0.0036) S>C ChangeCipherSpec

1 9 0.0062 (0.0000) S>C Handshake

1 10 0.0071 (0.0008) C>S application_data

1 11 0.0157 (0.0085) S>C application_data

1    0.0172 (0.0014) C>S TCP FIN

1    0.0172 (0.0000) S>C TCP FIN

decrypt SSL traffic using a private key.

# ssldump -i eth0 -Ad -k test-ssl.private -i eth0

New TCP connection #1: 192.168.10.15(44721) <-> 192.168.10.35(443)

1 1 0.0009 (0.0009) C>S V3.1(204) Handshake

     ClientHello

       Version 3.1

       random[32]=

         50 29 e1 75 3f d7 ae 0e 1e a7 fb 56 71 3d ea 0a

         f5 2d d6 e6 b6 1a 71 4c 86 6c 93 ab 16 4b 0e 4d

       cipher suites

       Unknown value 0xc014

       Unknown value 0xc00a

       TLS_DHE_RSA_WITH_AES_256_CBC_SHA

       TLS_DHE_DSS_WITH_AES_256_CBC_SHA

       Unknown value 0x88

       Unknown value 0x87

       Unknown value 0xc00f

       Unknown value 0xc005

       TLS_RSA_WITH_AES_256_CBC_SHA

       Unknown value 0x84

       Unknown value 0xc012

       Unknown value 0xc008

       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

       TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

       Unknown value 0xc00d

       Unknown value 0xc003

       TLS_RSA_WITH_3DES_EDE_CBC_SHA

       Unknown value 0xc013

       Unknown value 0xc009

       TLS_DHE_RSA_WITH_AES_128_CBC_SHA

       TLS_DHE_DSS_WITH_AES_128_CBC_SHA

       Unknown value 0x9a

       Unknown value 0x99

       Unknown value 0x45

       Unknown value 0x44

       Unknown value 0xc00e

       Unknown value 0xc004

       TLS_RSA_WITH_AES_128_CBC_SHA

       Unknown value 0x96

       Unknown value 0x41

       Unknown value 0xc011

       Unknown value 0xc007

       Unknown value 0xc00c

       Unknown value 0xc002

       TLS_RSA_WITH_RC4_128_SHA

       TLS_RSA_WITH_RC4_128_MD5

       TLS_DHE_RSA_WITH_DES_CBC_SHA

       TLS_DHE_DSS_WITH_DES_CBC_SHA

       TLS_RSA_WITH_DES_CBC_SHA

       TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA

       TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA

       TLS_RSA_EXPORT_WITH_DES40_CBC_SHA

       TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5

       TLS_RSA_EXPORT_WITH_RC4_40_MD5

       Unknown value 0xff

       compression methods

       1 2 0.0011 (0.0002) S>C V3.1(81) Handshake

     ServerHello

       Version 3.1

       random[32]=

         50 29 e1 72 d3 eb 0c b0 88 a0 95 91 23 7c 59 61

         0b 0a 00 28 6d 9a e9 7e 83 40 32 7f c9 97 be 25

       session_id[32]=

         e7 30 e6 d2 8e 15 77 b1 e0 d0 46 d6 d8 05 e1 11

         71 35 60 c2 a6 58 45 0a e9 22 5a fb 29 1b c4 80

       cipherSuite         TLS_RSA_WITH_RC4_128_SHA

       compressionMethod                   NULL

1 3 0.0011 (0.0000) S>C V3.1(799) Handshake

     Certificate

1 4 0.0011 (0.0000) S>C V3.1(4) Handshake

     ServerHelloDone

1 5 0.0027 (0.0015) C>S V3.1(262) Handshake

     ClientKeyExchange

       EncryptedPreMasterSecret[256]=

         57 e2 4f 1c 95 5d fe b8 5a 8e 30 18 b8 e8 68 38

         84 c2 65 d6 98 64 45 bd 38 42 6d e0 79 cb 7a 40

         f9 c3 65 00 4a 63 b0 9d dd 01 b5 89 43 d2 2d 68

         dd b8 93 02 d2 15 9e 5c 6c 0c 8e 70 4a cb 06 1f

         eb 26 40 1c 46 cb d0 43 2e c5 77 59 06 23 2d c5

         85 72 9c 5a eb 41 d0 0d 2a a3 52 da 09 0d 39 cb

         dd ad 1a ca 43 ba 49 be 5e a9 52 53 43 c7 9d 13

         3d 5d 47 ff ca 5e ff ab 70 87 eb 52 15 6f d1 f9

         18 af 25 f9 5a bd f9 62 31 71 61 54 9d b0 ed d7

         8d ee e5 aa a0 45 c0 de 7c 9d 22 85 4c 1c 41 ba

         60 16 ff 5b 1f 2a 84 3c fd 27 e9 5f 8a fa 19 95

         e7 ef ff d8 52 dd c8 73 7b 18 64 65 e9 54 13 92

         65 45 1b eb 7a cd 24 bb 0e 8d 10 77 c4 5c ee 9a

         92 b8 dc 70 81 bb 2e 44 04 b4 a9 76 43 f6 c6 fc

         bd 69 05 11 21 52 5b 5b 12 3d 32 18 d1 6f d6 20

         98 57 f1 e6 8c f8 a3 60 3e 4b 89 82 96 e2 6e 6b

1 6 0.0027 (0.0000) C>S V3.1(1) ChangeCipherSpec

1 7 0.0027 (0.0000) C>S V3.1(36) Handshake

     Finished

       verify_data[12]=

         b2 7c 53 3f e5 03 85 e0 43 96 a1 a9

1 8 0.0060 (0.0033) S>C V3.1(1) ChangeCipherSpec

1 9 0.0060 (0.0000) S>C V3.1(36) Handshake

     Finished

       verify_data[12]=

         9b cd b0 1a 42 8f e4 a5 40 cf 65 8e

1 10 0.0071 (0.0010) C>S V3.1(131) application_data

   ---------------------------------------------------------------

   GET / HTTP/1.0

   User-Agent: Wget/1.12 (linux-gnu)

   Accept: */*

   Host: 192.168.10.35

   Connection: Keep-Alive

   ---------------------------------------------------------------

1 11 0.0141 (0.0069) S>C V3.1(447) application_data

   ---------------------------------------------------------------

   HTTP/1.1 200 OK

   Server: Apache/2.2.15 (CentOS)

   Content-Type: text/html; charset=UTF-8

   Date: Tue, 14 Aug 2012 05:26:11 GMT

   Accept-Ranges: bytes

   ETag: "400c9-a-4c037d8b92dd1"

   Connection: Keep-Alive

   Set-Cookie: X-Mapping-eiakmicn=17EDFFA1AF4047596F35E5829DF54440; path=/

   Set-Cookie: X-Mapping-eiakmicn=17EDFFA1AF4047596F35E5829DF54440; path=/

   Last-Modified: Thu, 17 May 2012 09:13:18 GMT

   Content-Length: 10

   centos6-4

   ---------------------------------------------------------------

1    0.0160 (0.0018) C>S TCP FIN

1    0.0161 (0.0000) S>C TCP FIN

In case of Ubuntu / Mint , you can install it via apt-get , however it seems that there is a bug.

# apt-get install –y ssldump

# apt-cache policy ssldump

ssldump:

Installed: 0.9b3-4.1

Candidate: 0.9b3-4.1

Version table:

*** 0.9b3-4.1 0

       500 http://jp.archive.ubuntu.com/ubuntu/ precise/universe amd64 Packages

       100 /var/lib/dpkg/status

# ssldump -v

ssldump 0.9b3

Copyright (C) 1998-2001 RTFM, Inc.

All rights reserved

nnn , decryption is not enabled…

- ssldump bug

ssldump does not decrypt traffic

https://bugs.launchpad.net/ubuntu/+source/ssldump/+bug/1003620

In case of Fedora , you can install it via yum without adding an extra repo.

[root@fc17-note ~]# yum install -y ssldump

[root@fc17-note ~]# ssldump -v

ssldump 0.9b3

Copyright (C) 1998-2001 RTFM, Inc.

All rights reserved.

Compiled with OpenSSL: decryption enabled

BIG-IP LTM VE : How to decrypt SSL traffic on LTM with ssldump

Here’s an explanation of how to decrypt SSL traffic with ssldump which has been installed on LTM devices.

Network topology

Client – vSW – LTM – vSW – Server*2

Client , LTM and two Servers are running on ESXi.

[root@ltm1:Active] ~ # b version | head -5

Kernel:

Linux 2.6.18-164.2.1.el5.1.0.f5app

Package:

BIG-IP Version 10.1.0 3341.1084

Final Edition

[ create Virtual Servers for HTTPS ]

Before creating a Virtual Server for HTTPS , create Nodes and Pools.

Here’s a Vitual Server for HTTPS

Choose “clientssl” , which has been install on LTM by default , as SSL Profile (Client)

bigip.conf

node 192.168.0.100 {

monitor icmp

screen s1-ipv4

}

node 192.168.0.101 {

monitor icmp

screen s2-ipv4

}

pool http-ipv4 {

monitor all http

members {

192.168.0.100:http {}

192.168.0.101:http {}

}

virtual vs-https {

pool http-ipv4

destination 10.0.0.100:https

ip protocol tcp

persist cookie

profiles {

clientssl {

clientside

}

http {}

tcp {}

}

[ access to the VIP from a client ]

confirm that you could access to the VIP.

[ ssldump on LTM ]

ssldump has been installed on LTM by default.

Please note that you could decrypt SSL traffic under the following conditions.

ssldump can decrypt traffic between two hosts if the following

      two conditions are met:
             1. ssldump has the keys.
             2. Static RSA was used.

private key of “clientssl” profile is stored under /config/ssl/ssl.key directory.

[root@ltm1:Active] ~ # ssldump -k /config/ssl/ssl.key/default.key -i 1.1 port 443 -A -d

New TCP connection #1: 10.0.0.10(42572) <-> 10.0.0.100(443)

1 1 0.0011 (0.0011) C>SV3.1(89) Handshake

ClientHello

Version 3.1

random[32]=

4f 26 54 e3 a8 e1 a4 d4 a0 8c c1 11 ad a2 fe cb

c9 7f 3d ff 4b 58 65 6c 1c 28 c9 2c 4e 88 de 8c

cipher suites

Unknown value 0xff

Unknown value 0x88

Unknown value 0x87

TLS_DHE_RSA_WITH_AES_256_CBC_SHA

TLS_DHE_DSS_WITH_AES_256_CBC_SHA

Unknown value 0x84

TLS_RSA_WITH_AES_256_CBC_SHA

Unknown value 0x45

Unknown value 0x44

TLS_DHE_RSA_WITH_AES_128_CBC_SHA

TLS_DHE_DSS_WITH_AES_128_CBC_SHA

Unknown value 0x96

Unknown value 0x41

TLS_RSA_WITH_RC4_128_MD5

TLS_RSA_WITH_RC4_128_SHA

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

Unknown value 0xfeff

TLS_RSA_WITH_3DES_EDE_CBC_SHA

compression methods

NULL

1 2 0.0013 (0.0002) S>CV3.1(48) Handshake

ServerHello

Version 3.1

random[32]=

4f 26 54 e3 99 85 29 14 f9 26 a2 a2 0d 68 7f 6e

ae 49 2d 4c d0 3b af d4 7d 67 ff 83 a1 77 a3 9e

session_id[0]=

cipherSuite TLS_RSA_WITH_AES_256_CBC_SHA

compressionMethod NULL

1 3 0.0013 (0.0000) S>CV3.1(692) Handshake

Certificate

1 4 0.0013 (0.0000) S>CV3.1(4) Handshake

ServerHelloDone

1 5 0.0375 (0.0362) C>SV3.1(134) Handshake

ClientKeyExchange

EncryptedPreMasterSecret[128]=

15 b1 e0 a9 db 90 19 49 12 82 3b e4 60 cd bf eb

5d 6a fe 05 67 05 19 1f 07 1b 8d 0d ce 9e d4 0d

2d 90 92 1a c8 5e 5d 57 18 b0 03 53 ad 19 a8 a1

17 33 e0 25 30 71 3d 30 7e 07 67 ba c3 f4 ee 36

6e d8 8a 42 5d 34 cc d1 82 30 ed 5a dc 4c 3f df

9a 9b ed 53 a6 2c 62 9b b8 0f 72 43 02 a8 1c 60

e5 aa 69 4a c7 b1 74 28 93 cb 1d dd 65 58 00 41

2a 75 fb 33 17 32 59 3f ca 35 52 54 aa 95 d3 a1

1 6 0.0375 (0.0000) C>SV3.1(1) ChangeCipherSpec

1 7 0.0375 (0.0000) C>SV3.1(48) Handshake

Finished

verify_data[12]=

97 48 73 91 a0 ea 37 d4 74 c8 9c c4

1 8 0.0408 (0.0033) S>CV3.1(170) Handshake

1 9 0.0408 (0.0000) S>CV3.1(1) ChangeCipherSpec

1 10 0.0408 (0.0000) S>CV3.1(48) Handshake

Finished

verify_data[12]=

8c 91 bd e5 93 c4 36 34 80 53 49 24

1 11 0.0419 (0.0011) C>SV3.1(416) application_data

---------------------------------------------------------------

GET / HTTP/1.1

Host: 10.0.0.100

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.24) Gecko/20111108 Red Hat/3.6.24-3.el6_1 Firefox/3.6.24

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-us,en;q=0.5

Accept-Encoding: gzip,deflate

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Keep-Alive: 115

Connection: keep-alive

---------------------------------------------------------------

1 12 0.0443 (0.0023) S>CV3.1(352) application_data

---------------------------------------------------------------

HTTP/1.1 200 OK

Date: Mon, 30 Jan 2012 08:29:23 GMT

Server: Apache/2.2.15 (Scientific Linux)

Last-Modified: Mon, 05 Sep 2011 05:55:49 GMT

ETag: "443e5-6-4ac2b5ce8a846"

Accept-Ranges: bytes

Content-Length: 6

Connection: close

Content-Type: text/html; charset=UTF-8

Set-Cookie: lbcookie=1694542016.20480.0000; path=/

---------------------------------------------------------------

1 13 0.0443 (0.0000) S>CV3.1(32) application_data

---------------------------------------------------------------

SL6-3

---------------------------------------------------------------

1 0.0443 (0.0000) S>C TCP FIN

1 14 0.0454 (0.0010) C>SV3.1(32) Alert

level warning

value close_notify

1 0.0486 (0.0032) C>S TCP FIN

New TCP connection #2: 10.0.0.10(42573) <-> 10.0.0.100(443)

2 1 0.0011 (0.0011) C>SV3.1(281) Handshake

ClientHello

Version 3.1

random[32]=

4f 26 54 e4 7e 4a 05 b5 ea f1 20 6c 13 39 a8 bf

91 b9 6f 4b 19 a9 d1 d4 26 ee d1 45 a6 1a 5a b7

resume [32]=

b0 f9 74 fb 02 41 00 40 e8 28 b5 85 b5 5f 0b c9

ed 7d 2f 7d 6c d1 78 37 e4 08 6d bf ca 22 22 2f

cipher suites

Unknown value 0xff

Unknown value 0x88

Unknown value 0x87

TLS_DHE_RSA_WITH_AES_256_CBC_SHA

TLS_DHE_DSS_WITH_AES_256_CBC_SHA

Unknown value 0x84

TLS_RSA_WITH_AES_256_CBC_SHA

Unknown value 0x45

Unknown value 0x44

TLS_DHE_RSA_WITH_AES_128_CBC_SHA

TLS_DHE_DSS_WITH_AES_128_CBC_SHA

Unknown value 0x96

Unknown value 0x41

TLS_RSA_WITH_RC4_128_MD5

TLS_RSA_WITH_RC4_128_SHA

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

Unknown value 0xfeff

TLS_RSA_WITH_3DES_EDE_CBC_SHA

compression methods

NULL

2 28.1854 (28.1842) C>S TCP FIN

2 28.1854 (0.0000) S>C TCP FIN

New TCP connection #3: 10.0.0.10(42574) <-> 10.0.0.100(443)

3 1 0.0011 (0.0011) C>SV3.1(281) Handshake

ClientHello

Version 3.1

random[32]=

4f 26 54 ff c4 f5 10 80 9d 56 2d 64 66 e0 ff 29

56 04 bf 1b 03 f6 5a 5e d0 25 c5 fc 1d 0b 69 d4

resume [32]=

b0 f9 74 fb 02 41 00 40 e8 28 b5 85 b5 5f 0b c9

ed 7d 2f 7d 6c d1 78 37 e4 08 6d bf ca 22 22 2f

cipher suites

Unknown value 0xff

Unknown value 0x88

Unknown value 0x87

TLS_DHE_RSA_WITH_AES_256_CBC_SHA

TLS_DHE_DSS_WITH_AES_256_CBC_SHA

Unknown value 0x84

TLS_RSA_WITH_AES_256_CBC_SHA

Unknown value 0x45

Unknown value 0x44

TLS_DHE_RSA_WITH_AES_128_CBC_SHA

TLS_DHE_DSS_WITH_AES_128_CBC_SHA

Unknown value 0x96

Unknown value 0x41

TLS_RSA_WITH_RC4_128_MD5

TLS_RSA_WITH_RC4_128_SHA

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

Unknown value 0xfeff

TLS_RSA_WITH_3DES_EDE_CBC_SHA

compression methods

NULL

[root@ltm1:Active] ~ #