Debugging TLS connections with Wireshark?

1. Hannu Hartikainen (hannu.hartikainen+gemini (a) gmail.com)

I logged some traffic between my own client and server last night with
Wireshark. Obviously the data is encrypted, but I was surprised to not be
able to decrypt the data even when I have the private key for the server
(it would work for some TLS 1.2 setup, apparently). Fortunately I found the
bug hindering my progress just by looking at the code. Eventually.

Does anyone know how to log TLS session keys and later use them to decrypt
the logged traffic? Does some client perhaps already support this?

I'm pretty sure I'll need this at some point.

-Hannu

2. Johannes von Rotz (jr (a) vrtz.ch)

On 10.07.2020 13:18, Hannu Hartikainen wrote:
> I logged some traffic between my own client and server last night with
> Wireshark. Obviously the data is encrypted, but I was surprised to not
> be able to decrypt the data even when I have the private key for the
> server (it would work for some TLS 1.2 setup, apparently). Fortunately I
> found the bug hindering my progress just by looking at the code. Eventually.
> 
> Does anyone know how to log TLS session keys and later use them to
> decrypt the logged traffic? Does some client perhaps already support this?

The (asymmetric) keys in the certificates are only used to exchange a
(symmetric) session key, which would need to be logged in order to be
able to decrypt the traffic.

You would typically log the session keys to a file which then is read by
Wireshark to decrypt the TLS traffic, see [0] for an example using Firefox.

To have an idea of how to do it in your own application you might want
to have a look at the answers at [1].

Cheers, J.

[0] https://wiki.wireshark.org/TLS#Using_the_.28Pre.29-Master-Secret
[1] https://security.stackexchange.com/questions/80158/extract-pre-master-keys-from-an-openssl-application

3. Hannu Hartikainen (hannu.hartikainen+gemini (a) gmail.com)

Thanks for the pointers!

On Fri, 10 Jul 2020 at 16:23, Johannes von Rotz <jr at vrtz.ch> wrote:
> To have an idea of how to do it in your own application you might want
> to have a look at the answers at [1].

I thought it annoying to hack something manually for each different case.
There's now support in the go-gemini library to log pre-master secrets by
setting the env var SSLKEYLOGFILE, just like firefox and chrome and curl.
It will land in gemget at some point (and of course other clients and
servers based on go-gemini).

Big thanks to @makeworld for helping me with the commit and merging the
change!

-Hannu
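
As an added example (not from the thread and not go-gemini's code), this Go program does what Johannes describes and what Hannu added to go-gemini: it performs one client handshake and hands the client's session secrets to whatever SSLKEYLOGFILE points at, in the NSS key log format Wireshark reads. The loopback net/http/httptest server is only a stand-in TLS peer, and the function name is this example's own.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"os"
)

// handshake completes one TLS handshake with a loopback test server and hands the
// client's secrets to w. httptest is only a convenient TLS peer: the handshake, and
// therefore the key log, look the same for a Gemini client talking to a Gemini server.
func handshake(w io.Writer) error {
	ts := httptest.NewTLSServer(http.NotFoundHandler())
	defer ts.Close()
	roots := x509.NewCertPool()
	roots.AddCert(ts.Certificate()) // pin the throwaway cert instead of InsecureSkipVerify
	// KeyLogWriter is crypto/tls's hook for exporting session secrets, so it is the
	// setting an SSLKEYLOGFILE option in a Go client ends up wiring the file to. It
	// receives NSS-format lines "LABEL <client_random_hex> <secret_hex>", which Wireshark
	// loads under Preferences > Protocols > TLS > (Pre)-Master-Secret log filename.
	cfg := &tls.Config{RootCAs: roots, KeyLogWriter: w}
	conn, err := tls.Dial("tcp", ts.Listener.Addr().String(), cfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

func main() {
	// Like go-gemini, honour SSLKEYLOGFILE and append to it (mode 0600: whoever reads
	// this file can decrypt every logged session). Unset, print the lines instead.
	var w io.Writer = os.Stdout
	if path := os.Getenv("SSLKEYLOGFILE"); path != "" {
		f, err := os.OpenFile(path, os.O_WRONLY|os.O_APPEND|os.O_CREATE, 0600)
		if err != nil {
			log.Fatal(err)
		}
		defer f.Close()
		w = f
	}
	if err := handshake(w); err != nil {
		log.Fatal(err)
	}
}
```

Run it with SSLKEYLOGFILE set to a scratch file, then point Wireshark at that file as described in [0]; with Go's default TLS 1.3 the lines carry labels such as CLIENT_TRAFFIC_SECRET_0 rather than the TLS 1.2 CLIENT_RANDOM.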

4. colecmac (a) protonmail.com (colecmac (a) protonmail.com)

> I thought it annoying to hack something manually for each different case.
> There's now support in the go-gemini library to log pre-master secrets by
> setting the env var SSLKEYLOGFILE, just like firefox and chrome and curl.
> It will land in gemget at some point (and of course other clients and
> servers based on go-gemini).
>
> Big thanks to @makeworld for helping me with the commit and merging the change!
>
> -Hannu

You're welcome, thanks for making the PR! Support for this is now
in the gemget and Amfora master branches, and will be in the next
release of both of them.

Cheers,
makeworld
