On Fri, Nov 07, 2003 at 03:39:09PM +1300, Jason Haar wrote:
> On Fri, 2003-11-07 at 14:26, Rich Salz wrote:
> > > I don't think it really works - I certainly never got it to work.
> >
> > Most likely because you don't have the keys.
> >
>
> Bzzt - sorry - I'm not that stupid today ;-)
>
> If I do "ssldump -Ad -i eth0 -k server-cert.pem host me and port 443",
> where server-cert.pem contains "BEGIN RSA PRIVATE" at the top followed
> by "BEGIN CERTIFICATE" later on (i.e. a merged key + cert - that Apache
> is actually using itself), and then connect via "openssl s_client -conn
> me:443" and do "GET /", I don't see "GET" showing up in the ssldump
> output - only a bunch of SSL parsing and what looks like raw encrypted
> data in hex.

Actually, I never tried it online but decrypted saved sessions, nevertheless:
it did work fine for me.

Important: this method can only work, if static RSA is being used. That is:
the premaster secret was encrypted with the server's RSA public key. This is
the case e.g. for RC4-MD5 as used with Netscape.

Just as you can decrypt (recorded) sessions this way, using static RSA is not
the best idea. It is far more secure to use EDH (Ephemeral Diffie-Hellman)
cipher suites, which use the RSA keys for signing dynamically generated
private/public key pairs. In this case the private DH key(s) would be required
for decrypting the session, but there is no way to obtain it from the data
stream (of course) and there is no API to record it with OpenSSL.

When you are using s_client, you will most likely negotiate an EDH cipher
that cannot be decrypted with ssldump. Use
openssl -s_client -ciphers RC4-MD5 ...
to generate "decryptable" sessions...

Best regards,
	Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
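
The static RSA versus EDH distinction in the reply above can be checked from the cleartext ServerHello of a capture. The following is an added example, not part of the original message or of ssldump/OpenSSL: it reads the negotiated cipher suite and reports whether the server's RSA key alone could decrypt the session. The function names are hypothetical, the suite table is a small subset, and the sample records are constructed.

```python
import struct

# Cipher suite ID -> (OpenSSL name, key exchange). Small subset for illustration.
SUITES = {
    0x0004: ("RC4-MD5", "RSA"),
    0x0005: ("RC4-SHA", "RSA"),
    0x000A: ("DES-CBC3-SHA", "RSA"),
    0x002F: ("AES128-SHA", "RSA"),
    0x0016: ("EDH-RSA-DES-CBC3-SHA", "DHE"),
    0x0033: ("DHE-RSA-AES128-SHA", "DHE"),
}

def server_hello_suite(record: bytes) -> int:
    """Return the cipher suite ID chosen in a cleartext ServerHello record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rlen]
    if ctype != 0x16 or len(body) != rlen or len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a complete ServerHello handshake record")
    hlen = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hlen]
    if len(hello) < 35:  # version(2) + random(32) + session_id length(1)
        raise ValueError("truncated ServerHello")
    off = 35 + hello[34]  # skip the variable-length session_id
    if len(hello) < off + 3:  # cipher_suite(2) + compression(1)
        raise ValueError("truncated ServerHello")
    return int.from_bytes(hello[off:off + 2], "big")

def decryptable_with_server_key(record: bytes) -> bool:
    """True only for a known static-RSA suite; EDH and unknown suites give False."""
    _name, kx = SUITES.get(server_hello_suite(record), ("unknown", "unknown"))
    return kx == "RSA"

def make_hello(suite: int, session_id: bytes = b"") -> bytes:
    """Build a constructed TLS 1.0 ServerHello for the demo (not captured traffic)."""
    hello = b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
    hello += suite.to_bytes(2, "big") + b"\x00"
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

if __name__ == "__main__":
    for suite in (0x0004, 0x0016):
        rec = make_hello(suite, session_id=bytes(32))
        print(hex(suite), SUITES[suite][0], decryptable_with_server_key(rec))
```

A False result for a server's preferred suite is the desirable outcome from a confidentiality standpoint: a later compromise of the RSA key does not expose recorded sessions.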