tcpdump mailing list archives
Re: Decoding the unencrypted part(s) of SSL/TLS?
From: Rick Jones <rick.jones2 () hp com>
Date: Tue, 11 Dec 2012 09:17:26 -0800
On 12/11/2012 05:58 AM, Wesley Shields wrote:
> On Mon, Dec 10, 2012 at 11:38:29PM -0500, Michael Richardson wrote:
>> "Rick" == Rick Jones <rick.jones2 () hp com> writes:
>>     Rick> Is there a version of tcpdump in the works which will decode
>>     Rick> the unencrypted
>>     Rick> portions of an SSL/TLS session? Or do I need to look
>>     Rick> elsewhere?
>>
>> Are you asking if there is a decoder for the SSL/TLS handshakes or are you asking if there is something that will, given a private key, decrypt the SSL?
The Client/Server Hellos are sufficient for my present purposes.
>> Yes/no. You have, in general, to do TCP reassembly as TLS blocks might span TCP segments. Fortunately, you can use: http://www.rtfm.com/ssldump/ to do exactly that.
>
> There are some problems with ssldump when building on newer-ish systems (at least I think there were last time I tried to use it). If you can get it to work it is good.
I've given it a quick try and it seems to be giving me what I need, though it may not be all that up-to-date on compression method ids. I did an apt-get so didn't have to build from source - though I may if I need to go in and enhance its knowledge of ids.
thanks all,
rick jones
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
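
The reassembly point raised in this thread, as an added example (not part of the original message, and not ssldump or tcpdump code): a TLS record is buffered across TCP segment boundaries before the cleartext ClientHello fields, including the compression method ids, are decoded. The function names and sample bytes are constructed for illustration; segments are assumed to be the in-order payloads of one direction with retransmissions already removed.

```python
import struct

# IANA TLS compression method ids (RFC 3749, RFC 3943); anything else is shown as unknown.
COMPRESSION = {0: "null", 1: "DEFLATE", 64: "LZS"}

def tls_records(segments):
    """Yield (content_type, body) per complete TLS record, buffering across
    TCP segment boundaries. segments: in-order payloads of one direction."""
    buf = b""
    for seg in segments:
        buf += seg
        while len(buf) >= 5:
            ctype, _version, length = struct.unpack("!BHH", buf[:5])
            if len(buf) < 5 + length:
                break  # record continues in a later segment
            yield ctype, buf[5:5 + length]
            buf = buf[5 + length:]

def parse_client_hello(segments):
    """Return the cleartext ClientHello fields, or None if not decodable."""
    hs = b""
    for ctype, body in tls_records(segments):
        if ctype != 22:  # 22 = handshake record
            break
        hs += body  # a handshake message may itself span several records
        if len(hs) >= 4 and len(hs) - 4 >= int.from_bytes(hs[1:4], "big"):
            break
    if len(hs) < 4 or hs[0] != 1:  # 1 = client_hello
        return None
    msg = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(msg) < int.from_bytes(hs[1:4], "big"):
        return None  # handshake message still incomplete
    try:
        major, minor = msg[0], msg[1]
        pos = 34 + 1 + msg[34]  # skip version, 32-byte random, session_id
        (n,) = struct.unpack("!H", msg[pos:pos + 2])
        suites = [struct.unpack("!H", msg[i:i + 2])[0]
                  for i in range(pos + 2, pos + 2 + n, 2)]
        pos += 2 + n
        comp = list(msg[pos + 1:pos + 1 + msg[pos]])
    except (IndexError, struct.error):
        return None  # truncated or malformed hello
    return {"version": (major, minor), "cipher_suites": suites,
            "compression": [COMPRESSION.get(c, f"unknown({c})") for c in comp]}

def sample_segments():
    # Constructed ClientHello: TLS 1.0, two suites, compression null + DEFLATE.
    body = (b"\x03\x01" + bytes(32) + b"\x00"
            + b"\x00\x04\x00\x2f\x00\x35" + b"\x02\x00\x01")
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    rec = b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs
    return [rec[:3], rec[3:20], rec[20:]]  # one record split over three segments
```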