Short memo for SSL/TLS debugging and session decrypting

When trying to automate recurring or annoying operations on a network client, you must be lucky to have a special SDK, well-known documentation on API and plain-text protocols. Otherwise, it often happens that you have to start capturing tcpdump outputs to study application layer dataflows. But things may turn even worse if you must look inside the encrypted connection.

Here are some useful hints, which I have collected during the recent session on a Java based application.

First of all, run the application with network debugging:

# java MySSLJavaApplication

Yes, it allows to see just everything you need in hex and plain-text.

Read this to get help on the available network debugging options. Detailed example of the SSl/TLS connection debugging session is here.

Sometimes it is useful to disassemble one or more java class to see it’s code:

# javap -c -constants MySSLJavaApplication

See this perfect example with detailed descriptions.

Browsers are able to store all the keys, so we can literally intercept TLS encrypted session. Do you feel more secure now? 😉 Set SSLKEYLOGFILE environment variable, then run Firefox or Chrome:

# SSLKEYLOGFILE=~/sslkeys.log firefox

Here is SSLKEYLOGFILE format description along with instructions for Wireshark on how to use it to decrypt TLS connections.

Use ssldump if you are lucky to have a Private key in advance:

# ssldump -k /path/to/private.key -i 'interface' -dnq 'expression'

About mezzantrop

10 years of experience in large SAN and storage environments: mainly Hitachi, HP and Brocade. Now I am a proud SAN/storage IBMer. Empty – expect-like tool author. FreeBSD enthusiast.
This entry was posted in Tips & tricks and tagged , , , , , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s