💾 Archived View for gemi.dev › gemini-mailing-list › 000288.gmi captured on 2024-05-26 at 15:39:13. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2023-12-28)

-=-=-=-=-=-=-

Debugging TLS connections with Wireshark?

1. Hannu Hartikainen (hannu.hartikainen+gemini (a) gmail.com)

I logged some traffic between my own client and server last night with
Wireshark. Obviously the data is encrypted, but I was surprised to not be
able to decrypt the data even when I have the private key for the server
(it would work for some TLS 1.2 setup, apparently). Fortunately I found the
bug hindering my progress just by looking at the code. Eventually.

Does anyone know how to log TLS session keys and later use them to decrypt
the logged traffic? Does some client perhaps already support this?

I'm pretty sure I'll need this at some point.

-Hannu
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.orbitalfox.eu/archives/gemini/attachments/20200710/cb66
7d30/attachment.htm>

Link to individual message.

2. Johannes von Rotz (jr (a) vrtz.ch)

On 10.07.2020 13:18, Hannu Hartikainen wrote:
> I logged some traffic between my own client and server last night with
> Wireshark. Obviously the data is encrypted, but I was surprised to not
> be able to decrypt the data even when I have the private key for the
> server (it would work for some TLS 1.2 setup, apparently). Fortunately I
> found the bug hindering my progress just by looking at the code. Eventually.
> 
> Does anyone know how to log TLS session keys and later use them to
> decrypt the logged traffic? Does some client perhaps already support?this?

The (asymmetric) keys in the certificates are only used to exchange a
(symmetric) session key, which would need to be logged in order to be
able to decrypt the traffic.

You would typically log the session keys to a file which then is read by
Wireshark to decrypt the TLS traffic, see [0] for an example using Firefox.

To have an idea of how to do it in your own application you might want
to have a look at the answers at [1].

Cheers, J.

[0] https://wiki.wireshark.org/TLS#Using_the_.28Pre.29-Master-Secret
[1]
https://security.stackexchange.com/questions/80158/extract-pre-master-keys-
from-an-openssl-application

Link to individual message.

3. Hannu Hartikainen (hannu.hartikainen+gemini (a) gmail.com)

Thanks for the pointers!

On Fri, 10 Jul 2020 at 16:23, Johannes von Rotz <jr at vrtz.ch> wrote:
> To have an idea of how to do it in your own application you might want
> to have a look at the answers at [1].

I thought it annoying to hack something manually for each different case.
There's now support in the go-gemini library to log pre-master secrets by
setting the env var SSLKEYLOGFILE, just like firefox and chrome and curl.
It will land in gemget at some point (and of course other clients and
servers based on go-gemini).

Big thanks to @makeworld for helping me with the commit and merging the
change! ?

-Hannu
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.orbitalfox.eu/archives/gemini/attachments/20200711/3537
bb45/attachment.htm>

Link to individual message.

4. colecmac (a) protonmail.com (colecmac (a) protonmail.com)

> I thought it annoying to hack something manually for each different 
case. There's now support in the go-gemini library to log pre-master 
secrets by setting the env var SSLKEYLOGFILE, just like firefox and chrome 
and curl. It will land in gemget?at some point (and of course other 
clients and servers based on go-gemini).
>
> Big thanks to?@makeworld for helping me with the commit and merging the change!??
>
> -Hannu

You're welcome, thanks for making the PR! Support for this is now
in the gemget and Amfora master branches, and will be in the next
release of both of them.

Cheers,
makeworld

Link to individual message.

---

Previous Thread: [ANN] New Gemini Server: Space Age

Next Thread: Ansi colour markup - what encoding or mime type