With TLS before 1.3, encryption of the session data only began after the handshake had completed, so the whole handshake was visible in clear text in Wireshark. With TLS 1.3 the traffic is encrypted after the "Client Hello", so you cannot immediately see the remainder of the handshake.
Tools like OpenSSL can write out the session secrets (the "key log") that Wireshark needs for decryption. For example:
openssl s_client -keylogfile /tmp/kl -connect 10.1.1.2:1389 -cert /home/colinpaice/ssl/ssl2/ecec.pem -key /home/colinpaice/ssl/ssl2/ecec.key.pem -CAfile /home/colinpaice/ssl/ssl2/colinpaice.pem
This writes the secrets to the specified file, in my case /tmp/kl.
The file contains lines like:
SSL/TLS secrets log file, generated by OpenSSL
SERVER_HANDSHAKE_TRAFFIC_SECRET 05a42762…
EXPORTER_SECRET 05a42762dc…
SERVER_TRAFFIC_SECRET_0 05a4276…
CLIENT_HANDSHAKE_TRAFFIC_SECRET 05a42762dc…
CLIENT_TRAFFIC_SECRET_0 05a42762d…
On Linux (Ubuntu) you can tell Wireshark to use this through
edit -> preferences -> protocols -> SSL -> (pre)-master-secret log filename
Depending on the Wireshark version the protocol is listed as TLS or SSL; use whichever one is available to you.
Specify the name of your file (/tmp/kl in my case) and Wireshark will be able to decrypt the data.
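As an added example (not part of the original post, and not OpenSSL's or Wireshark's own code), here is a small Python parser for the key-log format shown above. It does what Wireshark does internally: groups each secret under the 32-byte Client Random that also appears in the captured Client Hello, and reports for each session whether the handshake and the application data can be decrypted. The sample key log, the Client Randoms and the secrets are all constructed; the header line is written as a "#" comment, which is how OpenSSL emits it, and the last line is deliberately truncated to show how a damaged file is reported rather than silently ignored.

```python
import re
from collections import defaultdict

# Secret labels written in NSS key-log format (what openssl -keylogfile produces).
# TLS 1.3 sessions log one line per secret phase; TLS 1.2 and earlier log the
# master secret on a single CLIENT_RANDOM line.
TLS13_LABELS = frozenset({
    "CLIENT_EARLY_TRAFFIC_SECRET", "EARLY_EXPORTER_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
})
TLS12_LABELS = frozenset({"CLIENT_RANDOM"})

# One record: <label> <32-byte Client Random as 64 hex chars> <secret as hex>
LINE_RE = re.compile(
    r"^(?P<label>[A-Z0-9_]+)\s+(?P<random>[0-9a-fA-F]{64})\s+(?P<secret>(?:[0-9a-fA-F]{2})+)\s*$"
)


def parse_keylog(text):
    """Parse key-log text into {client_random_hex: {label: secret_bytes}}.

    Lines starting with '#' (OpenSSL's header comment) and blank lines are
    skipped. Lines that do not fit the record format are returned as a second
    value so a truncated file is noticed instead of silently losing a session.
    """
    sessions = defaultdict(dict)
    rejected = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = LINE_RE.match(stripped)
        if m is None or m.group("label") not in (TLS13_LABELS | TLS12_LABELS):
            rejected.append((lineno, stripped))
            continue
        # Wireshark matches records to a capture by the Client Random from the ClientHello.
        client_random = m.group("random").lower()
        sessions[client_random][m.group("label")] = bytes.fromhex(m.group("secret"))
    return dict(sessions), rejected


def session_summary(sessions):
    """Classify each session and say whether handshake / application data can be decrypted.

    TLS 1.3 application data needs CLIENT_TRAFFIC_SECRET_0 and
    SERVER_TRAFFIC_SECRET_0; the encrypted handshake records need the two
    *_HANDSHAKE_TRAFFIC_SECRET lines. For TLS 1.2 and earlier the single
    CLIENT_RANDOM master secret covers the whole session.
    """
    summary = {}
    for client_random, secrets in sessions.items():
        labels = set(secrets)
        if labels & TLS13_LABELS:
            version = "TLS 1.3"
            app_data = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"} <= labels
            handshake = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET"} <= labels
        else:
            version = "TLS 1.2 or earlier"
            app_data = handshake = "CLIENT_RANDOM" in labels
        summary[client_random] = {"version": version, "handshake": handshake, "app_data": app_data}
    return summary


def secrets_for_client_random(sessions, client_random_hex):
    """Look up the secrets for a Client Random seen in a captured ClientHello."""
    return sessions.get(client_random_hex.lower(), {})


# Constructed sample (not a real key log): fake Client Randoms and fake secrets.
R1 = "05a42762dc" + "00" * 27          # TLS 1.3 session with a full set of secrets
R2 = "11" * 32                         # TLS 1.2 session, CLIENT_RANDOM only
R3 = "22" * 32                         # TLS 1.3 session with handshake secrets only
SAMPLE_KEYLOG = f"""# SSL/TLS secrets log file, generated by OpenSSL
SERVER_HANDSHAKE_TRAFFIC_SECRET {R1} {'aa' * 32}
EXPORTER_SECRET {R1} {'bb' * 32}
SERVER_TRAFFIC_SECRET_0 {R1} {'cc' * 32}
CLIENT_HANDSHAKE_TRAFFIC_SECRET {R1} {'dd' * 32}
CLIENT_TRAFFIC_SECRET_0 {R1} {'ee' * 32}
CLIENT_RANDOM {R2} {'ff' * 48}
CLIENT_HANDSHAKE_TRAFFIC_SECRET {R3} {'12' * 32}
SERVER_HANDSHAKE_TRAFFIC_SECRET {R3} {'34' * 32}
CLIENT_TRAFFIC_SECRET_0 {R3[:20]}
"""

if __name__ == "__main__":
    sessions, rejected = parse_keylog(SAMPLE_KEYLOG)
    for cr, info in session_summary(sessions).items():
        print(cr[:16] + "...", info)
    for lineno, line in rejected:
        print(f"rejected line {lineno}: {line!r}")
```

Running it against a real key log (pass the contents of /tmp/kl to parse_keylog) is a quick way to check, before opening Wireshark, that the file actually holds both traffic secrets for the session you captured; a session that only has handshake secrets was most likely cut off before the handshake finished, and one whose Client Random does not match the captured Client Hello belongs to a different connection.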