Using tshark to debug SSL connections
We can also use tshark to debug SSL connections. On my Linux server, tshark is installed in /usr/sbin/tshark.
Support team guys need these steps for finding out what is happening. First try to reproduce the problem in a test environment with self-signed certificate and follow the steps given in this blog.
I started Oracle iPlanet Web Server 7.0 instance on IP lets say 11.111.111.111 and port 15000.
Exporting Private Key from NSS DB
In NSS Database, I have a Server Certificate named “Server-Cert” as shown below.
$ cd <WS_install-root>/https-<instance>/config
$ ../../bin/certutil -L -d .
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Server-Cert u,u,uFirst use pk12util to extract server certificate and its key into a file “server.keycert”.
$ ../../bin/pk12util -o server.keycert -n “Server-Cert” -d .
Enter Password or Pin for “NSS Certificate DB”: nssdbpassword
Enter password for PKCS12 file: pkcs12password
Re-enter password: pkcs12password
pk12util: PKCS12 EXPORT SUCCESSFULthen I use openssl to get just the RSA private key
$ openssl pkcs12 -nodes -in server.keycert -out key.pem -nocerts -nodes
Enter Import Password: pkcs12password
MAC verified OK$ rm server.keycert
If you look at the file, its contents are like :
$ cat key.pemBag Attributes friendlyName: Server-Cert localKeyID: …Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY -----
…-----END RSA PRIVATE KEY -----
Edit the file key.pem manually and remove the first 4 lines.
Now the file starts with line “ — — -BEGIN RSA PRIVATE KEY — — -” and end with “ — — -END RSA PRIVATE KEY — — -”
Note that we should be very careful with this key as its not so safe to leave it unprotected.
You can protect it by another password if you like.
I would prefer if wireshark can take NSS DB or Oracle Wallets as input directly.
Running tshark
Now as root run tshark
$ /usr/sbin/tshark -o “ssl.desegment_ssl_records: TRUE” \
-o “ssl.desegment_ssl_application_data: TRUE” \
-o “ssl.keys_list:11.111.111.111,15000,http,key.pem” \
-o “ssl.debug_file:ssldebug.log” \
-f “tcp port 15000” \
-R “ssl” \
-V -x 2>&1 | tee tshark.logwhen I had not given IP address in ssl.key_list, it wasn’t associating key to some of my connections.
Note that I used capture filter "tcp port 15000" and display filter "ssl". I used -V to show more verbose output and I also used -x to get both hex and ASCII dumps.You can try your own options.
Now send a request through a browser to https://11.111.111.1111:15000/index.html, close the browser and after a while, press control c on the window where tshark is running and kill it.
Delete the private key file key.pem.
ssldebug.log should have a message that says key was loaded successfully
$ grep -i “private key” ssldebug.log
Private key imported: KeyID …
ssl_init private key file key.pem successfully loadedNote that ssldebug.log MUST NOT contain any error messages about key not being used etc.
Now look at tshark.log, look for “Secure Socket Layer” sections one such section is shown below :
Secure Socket Layer
SSL Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22) Version: TLS 1.0 (0x0301) Length: 168 Handshake Protocol: Client Hello Handshake Type: Client Hello (1) Length: 164 Version: TLS 1.0 (0x0301) Random gmt_unix_time: Mar 2, 2012 00:01:26.000000000random_bytes: …….Session ID Length: 0 Cipher Suites Length: 72 Cipher Suites (36 suites) Cipher Suite: Unknown (0x00ff) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)…
In the end you can see SSL data being decrypted :
Decrypted SSL data (1 bytes):0000 48 HDecrypted SSL data (225 bytes):0000 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a TTP/1.1 200 OK..…0040 46 72 69 2c 20 30 32 20 4d 61 72 20 32 30 31 32 Fri, 02 Mar 20120050 20 30 39 3a 31 32 3a 32 38 20 47 4d 54 0d 0a 4c 09:12:28 GMT..L0060 61 73 74 2d 6d 6f 64 69 66 69 65 64 3a 20 57 65 ast-modified: We0070 64 2c 20 32 39 20 46 65 62 20 32 30 31 32 20 31 d, 29 Feb 2012 10080 31 3a 33 38 3a 31 39 20 47 4d 54 0d 0a 43 6f 6e 1:38:19 GMT..Con0090 74 65 6e 74 2d 6c 65 6e 67 74 68 3a 20 31 39 0d tent-length: 19.00a0 0a 45 74 61 67 3a 20 22 31 33 2d 34 66 34 65 30 .Etag: “13–4f4e000b0 65 32 62 22 0d 0a 41 63 63 65 70 74 2d 72 61 6e e2b”..Accept-ran00c0 67 65 73 3a 20 62 79 74 65 73 0d 0a 0d 0a 54 68 ges: bytes….Th00d0 69 73 20 69 73 20 69 6e 64 65 78 2e 68 74 6d 6c is is index.html
00e0 0a .
This log shows different stages of SSL
$grep “Handshake Protocol” tshark.logHandshake Protocol: Client Hello Handshake Protocol: Server Hello Handshake Protocol: Certificate Handshake Protocol: Server Hello Done Handshake Protocol: Client Key Exchange Handshake Protocol: Finished Handshake Protocol: Finished
Exporting Private Key from Wallet
If your product uses Oracle wallet instead of NSS DB, to extract the key and certificate from the Wallet you can use openssl command as shown below
$openssl pkcs12 -in ewallet.p12 -passin
pass:walletpassword -out ewallet.txt -nodesMAC verified OK
If you look at this file it has “ — — -BEGIN RSA PRIVATE
KEY — — -” and “ — — -END RSA PRIVATE KEY — — -”.
$cat ewallet.txtBag Attributes localKeyID: … Key Attributes: <No Attributes>-----BEGIN RSA PRIVATE KEY -----…-----END RSA PRIVATE KEY -----Bag Attributes localKeyID: … subject=/C=US/CN=*.oracle.com issuer=/C=US/CN=root — — -BEGIN CERTIFICATE — — -…-----END CERTIFICATE -----…
Edit this file and copy only the lines starting with “
— — -BEGIN RSA PRIVATE KEY — — -” and ending with “
— — -END RSA PRIVATE KEY — — -” into a new file key.pem. Rest of the steps remain the same.
I wanted to check if we are getting “close notify” in a connection, I saw in the presentation
useful commands to get a particular field in tshark:
$tshark -G fields | fgrep “ssl.”
and hence used $tshark -R “ssl.alert_message”References
Originally published at blogs.oracle.com on March 2, 2012.
