Decrypting SSL/TLS traffic with Wireshark
A sample scenario with Citrix Netscaler
• PRESENTATION BY: AZIZ SASMAZ
• The www.aaa.com website has very heavy traffic, with lots of simultaneous visitors.
• The website uses SSL/TLS for encrypting the whole HTTP traffic
• Citrix Netscaler is used for SSL offloading. All the certificates are stored in the Netscaler appliance.
• Netscaler decrypts the HTTPS traffic and sends decrypted packets to the application servers.
• Netscaler is also used for load balancing, compression and caching features.
Overview
Overview Of Netscaler SSL Offloading
Photo credit: http://blog.itvce.com/
For maximum security:
• RSA ephemeral keys are enabled. A cryptographic key is called ephemeral if it is generated for each execution of a key establishment process.
• Diffie-Hellman ciphers are used: TLS-DHE-AES-256-CBC
• Elliptic curve ciphers are used: TLS-ECDHE-RSA-AES-128-SHA
• Netscaler only uses the TLS protocol. It does not use SSL because of its security weaknesses.
For performance: the SSL session reuse feature is enabled.
Netscaler SSL Configuration
Netscaler SSL Parameters
Netscaler SSL Ciphers
Netscaler SSL ReNegotiation
• The SSL renegotiation process is a new SSL/TLS handshake performed over an already established SSL connection.
• The SSL renegotiation process can establish another secure SSL session over the existing SSL connection.
• The renegotiation messages, including the negotiated cipher types and encryption keys, are encrypted and then sent over the existing SSL connection.
• The NetScaler appliance does not request the client to renegotiate the SSL connection.
• However, if the client or the back-end server initiates a renegotiation, the appliance supports the process.
Netscaler SSL ReNegotiation
Photo credit: http://vincent.bernat.im/
How can we decrypt the SSL traffic?
To decrypt SSL/TLS traffic, we need the private key of the certificate used for www.aaa.com.
Even if we have the certificate's private key, network sniffer tools can't decrypt the traffic, because, as discussed in the previous slides, Netscaler uses:
• Diffie-Hellman ciphers
• Elliptic curve ciphers
• Session renegotiation
We have to change the SSL/TLS configuration of Netscaler in order to analyse the network!
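Why the server's private key is enough for an RSA key exchange but not for a DHE or ECDHE one, shown as an added example written for this transcript (it is not the presenter's material). It is a toy Python model: the RSA and Diffie-Hellman parameters are tiny constructed values so the arithmetic is readable, and the key-derivation step is a stand-in for the real TLS PRF. With (EC)DHE the server's private key only signs the key-exchange parameters; a passive observer holding that key can verify the signature but still has no way to the shared secret other than the discrete-logarithm problem, which is only solvable here because the group is toy-sized.

```python
# Added example, not from the presentation. Toy-sized constructed parameters;
# real TLS uses 2048-bit RSA and curves such as P-256, where the brute-force
# step at the bottom is infeasible.
import hashlib
import secrets

# --- toy RSA key pair of the server (constructed) ---
P, Q = 61, 53
N = P * Q                              # 3233
E = 17                                 # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (2753)

def rsa_encrypt(m):
    return pow(m, E, N)

def rsa_decrypt(c):
    return pow(c, D, N)

# --- toy Diffie-Hellman group (constructed): 5 generates Z_23* ---
DH_P = 23
DH_G = 5

def derive_keys(shared):
    # Stand-in for the TLS key derivation: both sides hash the shared value.
    return hashlib.sha256(str(shared).encode()).hexdigest()[:16]

def rsa_key_exchange():
    """RSA key exchange: the client picks a premaster secret and encrypts it
    with the server's public key. Returns (wire_message, client_session_key)."""
    premaster = secrets.randbelow(N - 2) + 2
    return rsa_encrypt(premaster), derive_keys(premaster)

def passive_attacker_rsa(wire):
    """An observer who holds the server's RSA private key decrypts the
    premaster secret from the captured message and derives the same keys."""
    return derive_keys(rsa_decrypt(wire))

def dhe_key_exchange():
    """DHE key exchange: each side picks an ephemeral exponent; the server
    signs its public value with the RSA key. Returns (wire, client_key)."""
    a = secrets.randbelow(DH_P - 2) + 1          # client's ephemeral secret
    b = secrets.randbelow(DH_P - 2) + 1          # server's ephemeral secret
    A = pow(DH_G, a, DH_P)
    B = pow(DH_G, b, DH_P)
    sig = pow(B, D, N)                           # RSA key authenticates B only
    return (A, B, sig), derive_keys(pow(B, a, DH_P))

def passive_attacker_dhe(wire):
    """Same observer, same private key: the signature verifies, but the
    shared secret g^(ab) needs a or b, which never crossed the wire."""
    A, B, sig = wire
    return {"signature_valid": pow(sig, E, N) == B, "shared_secret": None}

def recover_via_discrete_log(wire):
    """The only route left is solving the discrete log of A; trivial for a
    23-element group, hopeless at real TLS sizes. Returns the session key."""
    A, B, _ = wire
    for a in range(1, DH_P):
        if pow(DH_G, a, DH_P) == A:
            return derive_keys(pow(B, a, DH_P))
    return None

if __name__ == "__main__":
    wire, key = rsa_key_exchange()
    print("RSA exchange, attacker recovers keys:", passive_attacker_rsa(wire) == key)
    wire, key = dhe_key_exchange()
    print("DHE exchange, attacker with private key:", passive_attacker_dhe(wire))
    print("DHE exchange, brute-forced toy group:", recover_via_discrete_log(wire) == key)
```

The same logic is why Wireshark's "RSA keys list" preference only ever works for RSA key exchange: with the DHE and ECDHE suites the Netscaler is configured to prefer, the private key never takes part in producing the session secret.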
What if we can’t get the private key of the certificate from the admins or don’t have the opportunity to change the SSL configuration on the Netscaler?
Session Keys
Answer: We need the session keys stored in the client browser!
• If configured, Firefox and Chrome log the session keys used in TLS traffic to a file.
• Then you can point Wireshark at this file in its configuration.
On Linux or Mac OS X:
# export SSLKEYLOGFILE=/Users/jazzy/sslkey.log
# open -a firefox
# wireshark
Session Keys on Windows
Wireshark and SSL Session Keys
Point Wireshark at the sslkey.log file in the SSL protocol preferences:
“Edit – Preferences – Protocols – SSL – (Pre)-Master-Secret log filename”
See the screenshot on the next slide
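A common failure at this step is that Wireshark still shows "Application Data" because the key log is incomplete: the browser was started before SSLKEYLOGFILE was exported, the file was truncated, or a session was resumed with keys that were never logged. The following checker, written as an added example for this transcript (not code from the presentation or from Wireshark), parses the NSS key log format that Firefox and Chrome write, validates each line, and reports which sessions from a capture cannot be decrypted. All log lines and client randoms are constructed samples.

```python
# Added example, not from the presentation. Validates an SSLKEYLOGFILE and
# matches it against client randoms taken from a capture's ClientHello messages.
import re

HEX = re.compile(r"^[0-9a-fA-F]+$")

# Labels in the NSS Key Log Format that Wireshark understands, with the allowed
# secret lengths in bytes: the TLS 1.2 master secret is always 48 bytes; TLS 1.3
# secrets are 32 or 48 bytes depending on the suite's hash (SHA-256 / SHA-384).
LABELS = {
    "CLIENT_RANDOM": (48,),
    "CLIENT_EARLY_TRAFFIC_SECRET": (32, 48),
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET": (32, 48),
    "SERVER_HANDSHAKE_TRAFFIC_SECRET": (32, 48),
    "CLIENT_TRAFFIC_SECRET_0": (32, 48),
    "SERVER_TRAFFIC_SECRET_0": (32, 48),
    "EXPORTER_SECRET": (32, 48),
}

def parse_keylog(text):
    """Parse key log text. Returns (entries, problems) where entries maps a
    lower-case 32-byte client random (64 hex chars) to {label: secret}."""
    entries, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # NSS writes a comment header
            continue
        parts = line.split()
        if len(parts) != 3:
            problems.append(f"line {lineno}: expected 3 fields, got {len(parts)}")
            continue
        label, client_random, secret = parts
        if label not in LABELS:
            problems.append(f"line {lineno}: unknown label {label}")
            continue
        if not HEX.match(client_random) or len(client_random) != 64:
            problems.append(f"line {lineno}: client random is not 32 bytes of hex")
            continue
        if not HEX.match(secret) or len(secret) % 2 or len(secret) // 2 not in LABELS[label]:
            problems.append(f"line {lineno}: {label} secret has bad length "
                            f"{len(secret) // 2} bytes (file truncated?)")
            continue
        entries.setdefault(client_random.lower(), {})[label] = secret.lower()
    return entries, problems

def sessions_without_keys(capture_client_randoms, entries):
    """Client randoms seen in the capture for which the log holds no secret.
    Such sessions stay encrypted in Wireshark no matter what preference is set."""
    return [r for r in capture_client_randoms if r.lower() not in entries]

# Constructed sample log: two good sessions, one truncated line, one junk line.
SAMPLE_LOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + "11" * 32 + " " + "aa" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "bb" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "cc" * 32,
    "CLIENT_RANDOM " + "33" * 32 + " " + "dd" * 20,
    "CLIENT_RANDOM " + "44" * 32,
])

# Constructed client randoms "extracted" from a capture; the last one was a
# session opened before SSLKEYLOGFILE was set and so never logged.
CAPTURE_RANDOMS = ["11" * 32, "22" * 32, "99" * 32]

if __name__ == "__main__":
    entries, problems = parse_keylog(SAMPLE_LOG)
    print(f"{len(entries)} decryptable sessions")
    for p in problems:
        print("problem:", p)
    for r in sessions_without_keys(CAPTURE_RANDOMS, entries):
        print("no keys for client random", r[:16] + "...")
```

The client randoms of a real capture can be read off the ClientHello packets in Wireshark (the "Random" field of the handshake), and the same key log file can be handed to tshark on the command line with `-o tls.keylog_file:/path/to/sslkey.log` (Wireshark 3.x and later) or `-o ssl.keylog_file:...` on the older versions that still name the dissector "SSL", as the screenshots in this presentation do.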
Wireshark screenshot: Edit – Preferences – Protocols – SSL
How can we decrypt the SSL traffic?
Now enter the IP address you want to investigate;
As you can see, the traffic is decrypted and you can see the requests going to the server.
See decrypted traffic
Conclusion
We can now investigate the issues and address any bottlenecks on our network.
We can find evidence by looking at the decrypted data:
• Cookies
• URLs
• Sessions
• Header values
And much other useful information that will help our case.
Thank you
Aziz SASMAZ