Decrypting SSL/TLS traffic with Wireshark A sample scenario with Citrix Netscaler PRESENTATION BY: AZIZ SASMAZ

Upload: aziz-sasmaz

Posted on 14-Apr-2017


Page 1: Decrypting SSL/TLS traffic with Wireshark

Decrypting SSL/TLS traffic with Wireshark

A sample scenario with Citrix Netscaler

Presentation by: Aziz Sasmaz

Page 2

Overview

• The www.aaa.com website carries very heavy traffic, with many simultaneous visitors.

• The website uses SSL/TLS to encrypt all of its HTTP traffic.

• Citrix Netscaler is used for SSL offloading. All the certificates are stored on the Netscaler appliance.

• Netscaler decrypts the HTTPS traffic and sends the decrypted packets to the application servers.

• Netscaler is also used for its load balancing, compression and caching features.

Page 3

Overview Of Netscaler SSL Offloading

Photo credit: http://blog.itvce.com/

Page 4

Netscaler SSL Configuration

For maximum security:

• RSA ephemeral keys are enabled. A cryptographic key is called ephemeral if it is generated for each execution of a key establishment process.

• Diffie-Hellman ciphers are used: TLS-DHE-AES-256-CBC

• Elliptic curve ciphers are used: TLS-ECDHE-RSA-AES-128-SHA

• Netscaler only uses the TLS protocol. It does not use SSL because of its security weaknesses.

For performance: the SSL session reuse feature is enabled.

Page 5

Netscaler SSL Parameters

Page 6

Netscaler SSL Ciphers

Page 7

Netscaler SSL ReNegotiation

• SSL renegotiation is a new SSL/TLS handshake performed over an already established SSL connection.

• The renegotiation process can establish another secure SSL session over the existing SSL connection.

• The renegotiation messages, including the cipher types and encryption keys, are encrypted and then sent over the existing SSL connection.

• The NetScaler appliance does not ask the client to renegotiate the SSL connection.

• However, if the client or the back-end server initiates a renegotiation, the appliance supports the process.

Page 8

Netscaler SSL ReNegotiation

Photo credit: http://vincent.bernat.im/

Page 9

How can we decrypt the SSL traffic?

To decrypt SSL/TLS traffic, we need the private key of the certificate used for www.aaa.com.

Even if we have the certificate, network sniffer tools can't decrypt the traffic because, as discussed on the previous slides, Netscaler uses:

• Diffie-Hellman ciphers

• Elliptic curve ciphers

• Active session renegotiation

We would have to change the SSL/TLS configuration of the Netscaler in order to analyse the network traffic!

What if we can't get the private key of the certificate from the admins, or don't have the opportunity to change the SSL configuration on the Netscaler?

Page 10

Session Keys

Answer: we need the session keys stored in the client browser!

• If configured, Firefox and Chrome log the session keys used in their TLS traffic.

• You can then point Wireshark at this file in its configuration.

On Linux or Mac OS X:

# export SSLKEYLOGFILE=/Users/jazzy/sslkey.log
# open -a firefox
# wireshark

Page 11

Session Keys on Windows

Page 12

Wireshark and SSL Session Keys

Point Wireshark at the sslkeys.log file in the SSL protocol section via:

"Edit – Preferences – Protocols – SSL – (Pre)-Master-Secret log filename"

See the screenshot on the next slide
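A common snag with this procedure is that Wireshark still shows encrypted application data afterwards, usually because the browser was started before SSLKEYLOGFILE was exported, so the captured ClientHello's random has no entry in the log. The following check, added here as an example and not part of the presentation, parses the NSS key log format that Firefox and Chrome write and verifies that a captured ClientHello record is covered by it; the key log lines and the ClientHello bytes are constructed sample data.

```python
"""Check whether an NSS-format key log (the file SSLKEYLOGFILE points to) covers a captured TLS handshake."""
import re

# One key log entry: LABEL <client_random as 64 hex chars> <secret as hex>.
# CLIENT_RANDOM carries the TLS 1.2 master secret (96 hex chars); the other labels are TLS 1.3 secrets.
KEYLOG_LINE = re.compile(
    r"^(CLIENT_RANDOM|CLIENT_HANDSHAKE_TRAFFIC_SECRET|SERVER_HANDSHAKE_TRAFFIC_SECRET|"
    r"CLIENT_TRAFFIC_SECRET_0|SERVER_TRAFFIC_SECRET_0|EXPORTER_SECRET) "
    r"([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$"
)

def parse_keylog(text):
    """Return ({client_random_hex: {label: secret_hex}}, [malformed lines]) for a key log."""
    secrets, malformed = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # blank lines and comments are permitted
            continue
        match = KEYLOG_LINE.match(line)
        if match is None or (match.group(1) == "CLIENT_RANDOM" and len(match.group(3)) != 96):
            malformed.append(line)  # Wireshark would skip these entries silently
            continue
        secrets.setdefault(match.group(2).lower(), {})[match.group(1)] = match.group(3).lower()
    return secrets, malformed

def client_random_from_record(record):
    """Extract the 32-byte client random (hex) from a TLS record that carries a ClientHello."""
    # Record header: type(1) version(2) length(2); handshake header: type(1) length(3);
    # then client_version(2) and the 32-byte random, so the random sits at bytes 11..42.
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    return record[11:43].hex()

def keylog_covers(keylog_text, client_hello_record):
    """True if the ClientHello random from the capture has a matching key log entry."""
    secrets, _ = parse_keylog(keylog_text)
    return client_random_from_record(client_hello_record) in secrets

# Constructed sample data (hypothetical values, not real session material).
SAMPLE_RANDOM = bytes(range(32))
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + SAMPLE_RANDOM.hex() + " " + "ab" * 48,
    "CLIENT_RANDOM deadbeef 0123",  # malformed: client random is not 32 bytes
])
# Minimal ClientHello: record header (38-byte payload), handshake header (34-byte body), version, random.
SAMPLE_CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x26, 0x01, 0x00, 0x00, 0x22, 0x03, 0x03]) + SAMPLE_RANDOM
```

On a real capture, export the ClientHello record bytes from Wireshark and pass them together with the contents of your key log to keylog_covers; a False result means the browser session was not logged, not that the Wireshark setting is wrong.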

Page 13

Wireshark


Page 14

How can we decrypt the SSL traffic?

Now enter the IP address you want to investigate as a filter.


Page 15

See decrypted traffic

As you can see, the traffic is decrypted and the requests sent to the server are visible.

Page 16

Conclusion

We can now investigate issues and address any bottlenecks on our network.

We can find evidence by looking at the decrypted data:

• Cookies

• URLs

• Sessions

• Header values

And much other useful information that will help our case.

Page 17

Thank you

Aziz SASMAZ