RE: libpcap working with openSSL sockets

Wed, 31 Oct 2012 15:25:23 -0700 

>From: owner-openssl-us...@openssl.org On Behalf Of Derek Cole
>Sent: Wednesday, 31 October, 2012 13:22

>Is it possible to use libpcap to detect an incoming connection 
>(writing all packets those packets to a socket), then, if using 
>libpcap i determine that a SSL connection was established , stand up 
>another socket to read the same file descriptor with the SSL client 
>so that I could use the proper context and such to decrypt it?
        
An "incoming" connection is usually, at least by connection, 
an SSL server.

In general: if an SSL connection/session uses an akRSA suite, 
knowledge of the packets on the wire plus the server privatekey 
is enough to decrypt (and/or verify) the data. If any DH or ECDH 
suite is used, server privatekey (and any client privatekey) is not 
enough; per-session secret data from at least one endpoints is needed. 
That is exactly the definition of "perfect forward secrecy".

Note if your actual goal is to decrypt akRSA sessions (rather than write 
code) on Windows or MacOSX www.wireshark.org already can do this for you.

In OpenSSL: you can't use either OpenSSL utilities (commandline) 
or libraries to decrypt copied packets. Both of them implement 
the negotiation protocol which is active at both ends at least 
to the point of using nonces, which you shouldn't be able to repeat 
because that's the definition of nonces. What you must do for akRSA 
is parse and decrypt ClientKeyExchange to get premaster-secret, do 
the master-secret and working-key derivations (which differ in some 
details depending on the protocol version, see the RFCs or the code), 
and use them. This is exactly what wireshark does.

Alternatively, OpenSSL library at either end, and s_client utility, 
can save the per-session negotiation results in an SSL_SESSION object 
or file. If you can have either endpoint provide that data to your 
program, you just do the working-key derivations and use them.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

Reply via email to