Hi all, I am challenged with the analysis of an SSL VPN Gateway. Users ultimately access an HTTPS server in the inside network. This session is encapsulated in another SSL layer on the outside. As I have both SSL keys (VPN gateway and HTTPS server) traffic can be decrypted. (Thanks, Wireshark, I love this feature.) Decrypted traffic on the outside of the gateway matches the encrypted traffic from the inside. I want to compare HTTP response times from both sides of the gateway, thus deducting the latency. Is there a way to peel off the inner layer of SSL? Or could I save decrypted contents as decrypted pcap file? Any help is appreciated. asked 09 Dec '10, 00:57 packethunter |
One Answer:
It is not possible to strip a layer or save decrypted traffic as pcap. The only option would be to do decryption two times for the outside traffic. I'm not sure though if the current implementation would support that or gets itself mixed up. What is the carried protocol within the SSL session to the SSL-VPN gateway? If IP is carried, you could try the following key list when analyzing the outside traffic:
If not, could you give a schematic of the encapsulation that is done by the SSL-VPN? answered 09 Dec '10, 15:39 SYN-bit ♦♦ |
The external traffic carries HTTPS over HTTPS. The SSL gateway strips the outer layer and is a transparent proxy for the internal HTTPS session.
I tried to force a decode and entered both keys. Alas, it didn't work.
A long shot, but if the SSL-VPN gateway acts as a HTTP proxy (which can be seen by the "CONNECT <https-server>" header at the beginning of the encapsulated traffic (after doing one layer of decryption), then it might be possible to decrypt both layers with the following keys_list:
<ip-vpn-gateway>,<port>,http,<sslvpn-key>;<ip-vpn-gateway>,0,http,<https-key>
This will treat the decrypted traffic as http, see the CONNECT, switches over to SSL for a second time and by the wildcard port find the https-key.
Then again... it's a long shot :-)