Wireshark mailing list archives

Re: Embed SSL keylog file in pcap-ng


From: Peter Wu <peter () lekensteyn nl>
Date: Fri, 4 May 2018 10:15:34 +0200

Hi Ben,

On Thu, May 03, 2018 at 04:13:33PM -0700, Ben Higgins wrote:
> We're pretty interested in embedding SSL key log information into pcap-ng
> to make it really convenient to open up a single file and get SSL/TLS
> sessions decrypted.
>
> I looked around and found a ticket and some wiki content related to this
> subject:
>
> - "use capture file comment to configure SSL dissector" is at
> https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9616
> - https://wiki.wireshark.org/Development/PcapNg#Wishlist includes "SSL
> session keys" with a description and a link to the above ticket
> - and there's https://wiki.wireshark.org/DecryptionBlock -- what's
> described here sounds really cool but in practice might be pretty tricky
> to implement

Looks like you have done your homework, that is pretty much the current
state :-)

> What I'd like to do is instead create a new pcap-ng block type that we can
> put SSL keylog file contents into verbatim. Then we can leverage existing
> code in Wireshark for parsing keylog files. I'd also rather keep this
> scoped to keylog files and not private keys (since private keys are longer
> term secrets and are more sensitive to deal with and everything's heading
> toward PFS anyway).
>
> Any thoughts on this proposal? If folks are open to this approach then we'd
> be interested in writing up a patch.

The TLS key log file is indeed sufficient for decryption. If people
still use RSA key files for some legacy configuration, then Wireshark
can currently already generate a key log file for you (File -> Export
SSL Session keys).

At the moment I am not sure how the pcapng process works, but having a
specification would probably be nice for other interested parties. While
Wireshark supports multiple key log formats, I guess that those from
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format
should be mentioned explicitly (except for RSA). All other formats might
work, but there will be no guarantees on the long term.

The specification should also answer:
- Where in the pcapng file should the block be located? The information
  must be available before the TLS dissector is invoked.
- If it can be anywhere, can there be multiple blocks?
-- 
Kind regards,
Peter Wu
https://lekensteyn.nl
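
The block layout and the two questions Peter raises (where the block sits, and which key log lines are accepted) can be made concrete. The following is an added example written for this archive page; it is not code from the thread, from Ben's proposed patch, or from Wireshark. It assumes the block type 0x0000000A and the "TLSK" secrets-type code of the Decryption Secrets Block that pcapng later standardized for this purpose; neither value appears in the thread. The writer emits the secrets block immediately after the Section Header Block, ahead of every packet, so a one-pass reader has the keys before the first TLS record. The reader validates both length fields of every block, honours the section byte order, and parses the embedded text as NSS Key Log Format, accepting only the non-RSA labels from the Mozilla page Peter links. The sample key log is constructed with placeholder hex and is not from a real session.

```python
import struct

# pcapng block types from the pcapng specification.
BLOCK_SHB = 0x0A0D0D0A  # Section Header Block
BLOCK_IDB = 0x00000001  # Interface Description Block
# Assumed for this example: the Decryption Secrets Block type and its "TLSK"
# secrets-type code, later standardized by pcapng; not from the thread above.
BLOCK_DSB = 0x0000000A
SECRETS_TLS_KEYLOG = 0x544C534B  # ASCII "TLSK"

# NSS Key Log Format labels accepted here; the legacy "RSA" label is left out.
KEYLOG_LABELS = {
    "CLIENT_RANDOM", "CLIENT_EARLY_TRAFFIC_SECRET", "EARLY_EXPORTER_MASTER_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
}

# Constructed sample key log; the hex values are placeholders, not real secrets.
SAMPLE_KEYLOG = b"\n".join([
    b"# constructed sample key log, not from a real session",
    b"CLIENT_RANDOM " + b"11" * 32 + b" " + b"22" * 48,
    b"CLIENT_HANDSHAKE_TRAFFIC_SECRET " + b"33" * 32 + b" " + b"44" * 32,
]) + b"\n"

def block(block_type, body):
    """Frame a body as a pcapng block: type, total length, padded body, total length."""
    body += b"\x00" * (-len(body) % 4)  # block bodies are padded to 32 bits
    total = 12 + len(body)
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)

def shb():
    # Byte-Order Magic, version 1.0, section length -1 (unspecified); little-endian.
    return block(BLOCK_SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))

def idb(linktype=1, snaplen=65535):
    # LinkType (1 = Ethernet), Reserved, SnapLen.
    return block(BLOCK_IDB, struct.pack("<HHI", linktype, 0, snaplen))

def dsb(secrets_type, secrets):
    # Secrets Type, Secrets Length, then the key log bytes verbatim.
    return block(BLOCK_DSB, struct.pack("<II", secrets_type, len(secrets)) + secrets)

def write_pcapng_with_keylog(keylog):
    # Secrets go ahead of every packet block so a single-pass reader has them first.
    return shb() + dsb(SECRETS_TLS_KEYLOG, keylog) + idb()

def iter_blocks(data):
    """Yield (block_type, byte_order, body) per block, checking both length fields."""
    off, end = 0, "<"
    while off < len(data):
        if off + 12 > len(data):
            raise ValueError("truncated block header at offset %d" % off)
        # The SHB type value reads the same in either byte order, so it is safe
        # to recognise it before the Byte-Order Magic has been examined.
        if struct.unpack_from("<I", data, off)[0] == BLOCK_SHB:
            end = {b"\x4d\x3c\x2b\x1a": "<", b"\x1a\x2b\x3c\x4d": ">"}.get(data[off + 8:off + 12])
            if end is None:
                raise ValueError("bad byte-order magic at offset %d" % off)
        btype, blen = struct.unpack_from(end + "II", data, off)
        if blen < 12 or blen % 4 or off + blen > len(data):
            raise ValueError("bad block length %d at offset %d" % (blen, off))
        if struct.unpack_from(end + "I", data, off + blen - 4)[0] != blen:
            raise ValueError("trailing length mismatch at offset %d" % off)
        yield btype, end, data[off + 8:off + blen - 4]
        off += blen

def extract_keylogs(data):
    """Return the raw key log of every TLS-keylog secrets block, in file order."""
    logs = []
    for btype, end, body in iter_blocks(data):
        if btype == BLOCK_DSB:
            stype, slen = struct.unpack_from(end + "II", body, 0)
            if stype == SECRETS_TLS_KEYLOG:
                logs.append(body[8:8 + slen])
    return logs

def parse_keylog(text):
    """Parse NSS key log lines into (label, client_random, secret); skip blanks and '#' comments."""
    entries = []
    for lineno, line in enumerate(text.decode("ascii").splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) != 3:
            raise ValueError("line %d: expected 3 fields" % lineno)
        label, client_random, secret = fields
        if label not in KEYLOG_LABELS:
            raise ValueError("line %d: unsupported label %r" % (lineno, label))
        client_random, secret = bytes.fromhex(client_random), bytes.fromhex(secret)
        if len(client_random) != 32 or not secret:
            raise ValueError("line %d: bad field length" % lineno)
        entries.append((label, client_random, secret))
    return entries

def keylog_is_valid(text):
    try:
        parse_keylog(text)
        return True
    except (ValueError, UnicodeDecodeError):
        return False
```

Running `write_pcapng_with_keylog(SAMPLE_KEYLOG)` produces a three-block section (SHB, secrets, IDB); `extract_keylogs` recovers the key log byte-for-byte, and `parse_keylog` rejects an "RSA" line or a malformed hex field instead of silently loading it. Because `iter_blocks` walks every block, a file with several secrets blocks simply yields several key logs, which is one answer to the "can there be multiple blocks?" question above.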
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
