tcpdump mailing list archives

Re: Decoding the unencrypted part(s) of SSL/TLS?


From: Rick Jones <rick.jones2 () hp com>
Date: Tue, 11 Dec 2012 09:17:26 -0800

On 12/11/2012 05:58 AM, Wesley Shields wrote:
On Mon, Dec 10, 2012 at 11:38:29PM -0500, Michael Richardson wrote:

"Rick" == Rick Jones <rick.jones2 () hp com> writes:
     Rick> Is there a version of tcpdump in the works which will decode
     Rick> the unencrypted
     Rick> portions of an SSL/TLS session?  Or do I need to look
     Rick> elsewhere?

Are you asking if there is a decoder for the SSL/TLS handshakes or are
you asking if there is something that will, given a private key, decrypt
the SSL?

The Client/Server Hellos are sufficient for my present purposes.

Yes/no.
You have, in general, to do TCP reassembly as TLS blocks might span TCP
segments.

Fortunately, you can use: http://www.rtfm.com/ssldump/
to do exactly that.

There are some problems with ssldump when building on newer-ish systems
(at least I think there were last time I tried to use it). If you can
get it to work it is good.


I've given it a quick try and it seems to be giving me what I need, though it may not be all that up-to-date on compression method ids. I did an apt-get so didn't have to build from source - though I may if I need to go in and enhance its knowledge of ids.

thanks all,

rick jones
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
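As an added example (not code from this thread, from tcpdump or from ssldump), the following Python reassembles TLS records from TCP segment payloads, the point Michael raises about records spanning segments, and then parses the plaintext ClientHello fields, including the compression method ids Rick mentions; the ClientHello bytes are constructed inline and the compression id table is assumed from the RFCs (0 NULL, 1 DEFLATE, 64 LZS).

```python
import struct

CONTENT_HANDSHAKE, HS_CLIENT_HELLO = 22, 1
COMPRESSION = {0: "NULL", 1: "DEFLATE", 64: "LZS"}  # assumed from RFC 3749 / RFC 3943

class TlsRecordReassembler:
    """Buffers TCP payload bytes and yields only complete TLS records."""
    def __init__(self):
        self.buf = b""
    def feed(self, segment):
        self.buf += segment
        records = []
        while len(self.buf) >= 5:
            ctype, ver, length = struct.unpack("!BHH", self.buf[:5])
            if len(self.buf) < 5 + length:
                break                      # record continues in a later segment
            records.append((ctype, ver, self.buf[5:5 + length]))
            self.buf = self.buf[5 + length:]
        return records

def parse_client_hello(body):
    """Parse a handshake body holding a ClientHello; return its plaintext fields."""
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    if hs_type != HS_CLIENT_HELLO or len(body) < 4 + hs_len:
        return None
    p = 4
    version = struct.unpack("!H", body[p:p + 2])[0]; p += 2
    p += 32                                   # skip the 32-byte client random
    sid_len = body[p]; p += 1 + sid_len       # skip session id
    cs_len = struct.unpack("!H", body[p:p + 2])[0]; p += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    cm_len = body[p]; p += 1
    comps = [COMPRESSION.get(c, f"unknown({c})") for c in body[p:p + cm_len]]
    return {"version": version, "cipher_suites": suites, "compression": comps}

def build_client_hello(version=0x0303, suites=(0x002F, 0xC02F), comps=(0, 1)):
    """Constructed sample ClientHello wrapped in a TLS record (not a real capture)."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00"
    hello += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    hello += bytes([len(comps)]) + bytes(comps)
    hs = bytes([HS_CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", CONTENT_HANDSHAKE, 0x0301, len(hs)) + hs

def decode_segments(segments):
    """Run TCP segment payloads through the reassembler; return decoded ClientHellos."""
    r, out = TlsRecordReassembler(), []
    for seg in segments:
        for ctype, _ver, payload in r.feed(seg):
            if ctype == CONTENT_HANDSHAKE:
                out.append(parse_client_hello(payload))
    return out
```

Feeding `build_client_hello()` split at an arbitrary byte offset into `decode_segments` shows why the record must be reassembled before any field is read: the first segment alone yields nothing, the second completes the record.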