Wireshark mailing list archives
Re: Embed SSL keylog file in pcap-ng
From: Peter Wu <peter () lekensteyn nl>
Date: Fri, 4 May 2018 10:15:34 +0200
Hi Ben, On Thu, May 03, 2018 at 04:13:33PM -0700, Ben Higgins wrote:
We're pretty interested in embedding SSL key log information into pcap-ng to make it really convenient to open up a single file and get SSL/TLS sessions decrypted. I looked around and found a ticket and some wiki content related to this subject: - "use capture file comment to configure SSL dissector" is at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9616 - https://wiki.wireshark.org/Development/PcapNg#Wishlist includes "SSL session keys" with a description and a link to the above ticket - and there's https://wiki.wireshark.org/DecryptionBlock -- what's described here is sounds really cool but in practice might be pretty tricky to implement
Looks like you have done your homework, that is pretty much the current state :-)
What I'd like to do is instead create a new pcap-ng block type that we can put SSL keylog file contents into verbatim. Then we can leverage existing code in Wireshark for parsing keylog files. I'd also rather keep this scoped to keylog files and not private keys (since private keys are longer term secrets and are more sensitive to deal with and everything's heading toward PFS anyway). Any thoughts on this proposal? If folks are open to this approach then we'd be interested in writing up a patch.
The TLS key log file is indeed sufficient for decryption. If people still use RSA key files for some legacy configuration, then Wireshark can currently already generate a key log file for you (File -> Export SSL Session keys). At the moment I am not sure how the pcapng process works, but having a specification would probably be nice for other interested parties. While Wireshark supports multiple key log formats, I guess that those from https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format should be mentioned explicitly (except for RSA). All other formats might work, but there will be no guarantees on the long term. The specification should also answer: - Where in the pcapng file should the block be located? The information must be available before the TLS dissector is invoked. - If it can be anywhere, can there be multiple blocks? -- Kind regards, Peter Wu https://lekensteyn.nl ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Current thread:
- Embed SSL keylog file in pcap-ng Ben Higgins (May 03)
- Re: Embed SSL keylog file in pcap-ng Peter Wu (May 04)
- Re: Embed SSL keylog file in pcap-ng Ben Higgins (May 04)
- Re: Embed SSL keylog file in pcap-ng Paul Zander (May 04)
- Re: Embed SSL keylog file in pcap-ng Ben Higgins (May 04)
- Re: Embed SSL keylog file in pcap-ng Ahmad Fatoum (May 04)
- Re: Embed SSL keylog file in pcap-ng Guy Harris (May 04)
- Re: Embed SSL keylog file in pcap-ng Ahmad Fatoum (May 04)
- Re: Embed SSL keylog file in pcap-ng Guy Harris (May 05)
- Re: Embed SSL keylog file in pcap-ng Ahmad Fatoum (May 05)
- Re: Embed SSL keylog file in pcap-ng Guy Harris (May 05)
- Re: Embed SSL keylog file in pcap-ng Ahmad Fatoum (May 05)
- Re: Embed SSL keylog file in pcap-ng Guy Harris (May 04)
- Re: Embed SSL keylog file in pcap-ng Peter Wu (May 04)