Using tshark to debug SSL connections
By mv on Mar 02, 2012
Jyri had explained in his blog how to use ssldump to debug SSL connections. We can also use tshark. On my Linux server, tshark is installed in /usr/sbin/tshark.
Support team guys need these steps for finding out what is happening. First try to reproduce the problem in a test environment with self-signed certificate and follow the steps given in this blog.
I started Oracle iPlanet Web Server 7.0 instance on IP lets say 188.8.131.52 and port 15000.
Exporting Private Key from NSS DB
In NSS Database, I have a Server Certificate named "Server-Cert" as shown below.
$ cd <WS_install-root>/https-<instance>/config
$ ../../bin/certutil -L -d .
First use pk12util to extract server certificate and its key into a file "server.keycert".
$ ../../bin/pk12util -o server.keycert -n "Server-Cert" -d .
Enter Password or Pin for "NSS Certificate DB": nssdbpassword
then I use openssl to get just the RSA private key
$ openssl pkcs12 -nodes -in server.keycert -out key.pem -nocerts -nodes
$ rm server.keycert
If you look at the file, its contents are like :
$ cat key.pem
Edit the file key.pem manually and remove the first 4 lines.
Now the file starts with line "-----BEGIN RSA PRIVATE KEY-----" and end with "-----END RSA PRIVATE KEY-----"
Note that we should be very careful with this key as its not so safe to leave it unprotected.
You can protect it by another password if you like.
I would prefer if wireshark can take NSS DB or Oracle Wallets as input directly.
Now as root run tshark
$ /usr/sbin/tshark -o "ssl.desegment_ssl_records: TRUE" \
-o "ssl.desegment_ssl_application_data: TRUE" \
-o "ssl.keys_list:184.108.40.206,15000,http,key.pem" \
-o "ssl.debug_file:ssldebug.log" \
-f "tcp port 15000" \
-R "ssl" \
-V -x 2>&1 | tee tshark.log
when I had not given IP address in ssl.key_list, it wasn't associating key to some of my connections.
Note that I used capture filter "tcp port 15000" and display filter "ssl". I used -V to show more verbose output and I also used -x to get both hex and ASCII dumps. You can try your own options.
Now send a request through a browser to https://220.127.116.111:15000/index.html, close the browser and after a while, press control c on the window where tshark is running and kill it.
Delete the private key file key.pem.
ssldebug.log should have a message that says key was loaded successfully
$ grep -i "private key" ssldebug.log
Private key imported: KeyID ...
Note that ssldebug.log MUST NOT contain any error messages about key not being used etc.
Now look at tshark.log, look for "Secure Socket Layer" sections one such section is shown below :
Secure Socket Layer
Session ID Length: 0
In the end you can see SSL data being decrypted :
Decrypted SSL data (1 bytes):
Decrypted SSL data (225 bytes):
This log shows different stages of SSL
$grep "Handshake Protocol" tshark.log
Handshake Protocol: Client Hello
Exporting Private Key from Wallet
If your product uses Oracle wallet instead of NSS DB, to extract the key and certificate from the Wallet you can use openssl command as shown below
$openssl pkcs12 -in ewallet.p12 -passin pass:walletpassword -out ewallet.txt -nodes
MAC verified OK
If you look at this file it has "-----BEGIN RSA PRIVATE
KEY-----" and "-----END RSA PRIVATE KEY-----".
Edit this file and copy only the lines starting with " -----BEGIN RSA PRIVATE KEY-----" and ending with " -----END RSA PRIVATE KEY-----" into a new file key.pem. Rest of the steps remain the same.
I wanted to check if we are getting "close notify" in a connection, I saw in the presentation
useful commands to get a particular field in tshark:
$tshark -G fields | fgrep "ssl." and hence used
$tshark -R "ssl.alert_message"