seladb
TLS Decryption, packet replay
Hi, I'm trying to figure out how to replay (& capture) a secure web socket feed in my application, for low-level network debugging. I'm in full control of the client/application and have the ssl session master key. I'm not in control of the server.
Does pcapplusplus support TLS decryption given the master key and the client random value ?
Wireshark seem to be able to replay a modified/re-encrypted pcap from what I understand.
(https://www.ibm.com/support/pages/decrypt-datapower-tlsssl-traffic-using-master-secret-logging) (https://unit42.paloaltonetworks.com/wireshark-tutorial-decrypting-https-traffic/) (https://wiki.wireshark.org/TLS)
-Also is it possible to inject the secret in the pcap file to streamline the replay process; (see "Embedding decryption secrets in a pcapng file" in https://wiki.wireshark.org/TLS#using-the-pre-master-secret )
Unfortunately PcapPlusPlus does not support TLS decryption. This will require integration with OpenSSL which currently doesn't exist
Check this out https://github.com/tls-attacker/TLS-Attacker
https://github.com/tls-attacker
FYI I got decryption to work with openssl (SSL_get_client_random, SSL_SESSION_get_master_key) and wireshark
Nice!! Just curious: are you using it inside of PcapPlusPlus (by changing the code) or as a separate tool?
@seladb I'm running the capture & decryption from wireshark, key logging in the client code. -So separate at the moment. If the pcapplusplus capture files are interchangeable, I can run the capture phase via pcapplusplus of cause.
Would be nice to have this feature(s) in pcapplusplus. -Maybe keep the ticket as a feature request, open for sponsoring ?
Sure, we can keep it open for some time. If we see more demand for this feature we will consider implementing it
@WHOLETTHEDOG-OUT would you consider adding this functionality to PcapPlusPlus?