
I am trying to decrypt SSL traffic between a client (Firefox) and a Squid proxy server that is using ssl-bump. The SSL certificate on the server is a private cert linked to the ssl-bump feature. I am using tshark to dump the SSL traffic.

I know all the certificates work fine because when I take Squid out of the path I can decrypt the traffic. However as soon as the SSL traffic is destined for the proxy on port 3128 I can't decrypt it.

For example I can create a client key, run up a server on 4443 using openssl and dump the traffic with these commands.

  1. openssl req -new -x509 -nodes -out client.pem -keyout client.key -subj /CN=Moi/O=Foo/C=NL

  2. openssl s_server -ssl3 -cipher AES256-SHA -accept 4443 -www -CAfile client.pem -verify 1 -key privkey.pem

  3. sudo tshark -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list: 10.1.0.126,4443,http,/home/me/privkey.pem" -o "ssl.debug_file: /home/me/.wireshark-log" -i eth0 -R "tcp.port == 4443"

  4. (echo GET /?s=my+query+string HTTP/1.0; echo ; sleep 1) | openssl s_client -connect 10.1.0.126:4443 -ssl3 -cert client.pem -key client.key

However, I can't dissect the traffic when I send it via Squid; I have tried the 'http' and 'data' dissectors to no avail ;(

tshark -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list:0.0.0.0,3128,data,/home/me/privkey.pem" -o "ssl.debug_file: /home/me/.wireshark-log" -i eth0 -R "tcp.port == 3128"

Is there a way to decrypt the traffic when I am using the Squid proxy and the certificates I have configured via Squid's ssl-bump?

Regards,

Michael

asked 31 May '11, 23:00


cloudjunky


When you use ssl-bump, Squid becomes a man-in-the-middle. This means there are actually two SSL sessions: one between the client and Squid, the other between Squid and the server.

You should be able to decrypt the session between Squid and the server; however, for the session between the client and Squid, a new certificate is being created by Squid. Of course it does not have the server key, so a new key is generated and used for that session. Therefore you can't decrypt it...

...however, in very recent automated development builds, you can use the openssl s_client output (in which the Master Secret is logged) to decrypt the session. See this question for more details.


answered 01 Jun '11, 23:13


SYN-bit
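The procedure the answer points at, as an added example that is not part of the question or the answer above: instead of handing tshark the server's private key (the `ssl.keys_list` approach in the question, which cannot work for the client-to-Squid leg because Squid generated that key), take the `SSL-Session:` block that `openssl s_client` prints after the handshake and turn its `Session-ID` and `Master-Key` into a key log line. It assumes a Wireshark/tshark build that has the `ssl.keylog_file` preference and accepts lines of the form `RSA Session-ID:<hex> Master-Key:<hex>`; the `SSL-Session:` text is constructed (and shortened) sample output, and the proxy address, interface and file names in `decrypt_with_keylog` are placeholders.

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Convert the SSL-Session block printed by `openssl s_client` into a
# Wireshark key log line, so the client<->Squid leg of an ssl-bump'ed
# connection can be decrypted without holding Squid's generated key.
# Assumption: the tshark build understands ssl.keylog_file and the
# "RSA Session-ID:<hex> Master-Key:<hex>" line format.

# Read s_client output on stdin; print one key log line per session.
# The Session-ID-ctx line does not match /Session-ID:/ and is ignored.
keylog_from_s_client() {
    awk '
        /^[[:space:]]*Session-ID:/ { sid = $2 }
        /^[[:space:]]*Master-Key:/ {
            if (sid != "" && $2 != "")
                print "RSA Session-ID:" sid " Master-Key:" $2
            sid = ""
        }
    '
}

# Constructed sample of what s_client prints after the handshake. Real
# Session-IDs are 32 bytes and Master-Keys 48 bytes of hex; these are shorter.
SAMPLE_S_CLIENT_OUTPUT='SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA
    Session-ID: 00112233445566778899AABBCCDDEEFF
    Session-ID-ctx: 
    Master-Key: FFEEDDCCBBAA99887766554433221100FFEEDDCCBBAA9988
    Key-Arg   : None
    Start Time: 1306900000
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)'

# Decrypt a saved capture offline. Produce the two inputs first (placeholders:
# 10.1.0.126:3128 is the Squid port, eth0 the capture interface):
#   tshark -i eth0 -w proxy.pcap -f "tcp port 3128"        # terminal 1
#   (echo 'GET /?s=my+query+string HTTP/1.0'; echo; sleep 1) \
#     | openssl s_client -connect 10.1.0.126:3128 -ssl3 \
#         -cert client.pem -key client.key 2>&1 | tee s_client.out   # terminal 2
# The capture must contain the handshake, because the key log only supplies
# the master secret; the session ID in the ClientHello/ServerHello is what
# tshark uses to match the line to the session.
decrypt_with_keylog() {
    pcap=$1 s_client_out=$2 port=${3:-3128} keylog=${4:-keys.log}
    keylog_from_s_client < "$s_client_out" > "$keylog"
    tshark -r "$pcap" \
        -o "ssl.keylog_file: $keylog" \
        -o "ssl.desegment_ssl_records: TRUE" \
        -o "ssl.desegment_ssl_application_data: TRUE" \
        -R "tcp.port == $port" -V
}

# Offline demonstration on the constructed sample (prints the key log line):
printf '%s\n' "$SAMPLE_S_CLIENT_OUTPUT" | keylog_from_s_client
```

Note that this only covers the leg `s_client` itself negotiated (client to Squid); the Squid-to-origin session has its own master secret, which Squid does not print, so that leg still needs the origin server's key as in the question's port-4443 test.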
