SharkFest ’19 US
Debugging TLS issues with Wireshark
Tuesday June 11th, 2019
Peter Wu
Wireshark Core Developer
#sf19us UC Berkeley June 8 - 13
About me
- Wireshark contributor since 2013, core developer since 2015.
- Areas of interest: TLS, Lua, security, ...
- Cloudflare crypto team.
Analysis of Firefox bug 1459999
- Problem description: uploading a file to a website failed with a 400 Bad Request.
- Environment: Firefox 61 on Linux. [1]
- Steps to reproduce:
  1. Select file in upload form.
  2. Modify file contents.
  3. Hit the Submit button.
- Expected result: ...
- Actual result: ...
[1] Fixed in Firefox 67, https://bugzil.la/1459999
Debug attempt #1: Firefox Developer Tools (expected result)
Debug attempt #1: Firefox Developer Tools (actual result)
Debug attempt #2: analyze packets with Wireshark
- Application layer protocol: HTTP/2 over TLS (HTTPS).
- To access the decrypted HTTP request, we have to:
  - Capture packets including the initial TLS handshake.
  - Capture TLS session secrets to enable decryption.
Wireshark Capture setup
1. Select network interface.
2. Limit capture file size with a capture filter [2].
3. Start capture with Ctrl + E (⌘ + E) or by double-clicking.
[2] https://www.tcpdump.org/manpages/pcap-filter.7.html
Capture TLS session secrets into a key log file
- Set environment variable SSLKEYLOGFILE before starting Firefox or Chrome. Programs will append secrets to a file at this location.
- Firefox on Windows, create start-fx.cmd file, without quotes in the set line:
    set SSLKEYLOGFILE=C:\Users\User\Desktop\keys.txt
    start firefox
- Chrome on Windows, create a shortcut with:
    chrome --ssl-key-log-file="C:\Users\User\Desktop\keys.txt"
- One-liner for Linux and macOS, start Firefox or Chromium with a new profile:
    SSLKEYLOGFILE="$PWD/keys.txt" firefox -no-remote -profile /tmp/ff
    SSLKEYLOGFILE="$PWD/keys.txt" chromium --user-data-dir=/tmp/cr
- curl 7.58.0 (Ubuntu 18.04, Fedora 28, Arch Linux):
    export SSLKEYLOGFILE="$PWD/keys.txt"
    curl https://example.com
TLS key log file
- Text file with unique per-session secrets [3].
- TLS 1.2 format: CLIENT_RANDOM <Client Hello Random> <master secret>.
- TLS 1.3 requires four different secrets (handshake and traffic secrets).
- Check that the file is created and updated, it looks like:
CLIENT_RANDOM F8566FD1E091C4CD1583313B04BB2834C817D917FC3BEDC351529BD8CC6A5FD1 9BC6A9D65B89835DB86BD857D08A8D87847F0BE08B88618BCB25A1AD726D1408B7B9BA6E742DF46EFAE911EEFF82ABDE
CLIENT_RANDOM CC5A30A4606104A670D0A82B27A112E9BCD05E1A498F7C8445027334157FDFD3 CFCE47C71B69D198BCF63FC4206D16BB9A524C0CB0CACCEA36DC6DD23D647359AF5C1FD0BA7369F942D4FB7FB242D1A6
CLIENT_RANDOM 607AAA3D657D8A08F1073AE75B62CD284C87BB5504D275631CA86533707FB080 B27567070A3832CA2C072D1D0905647EF364C1E017A33001ED0BB2E4A08654F59FD2C8758042E583A503DDC4012007D8
CLIENT_HANDSHAKE_TRAFFIC_SECRET e27a03ae85ae8035b331a1af6089dd1e2f300cce131b03fdb9f07a25f1a10876 8ac2e7e210e30e8f660048e20d45209935d6a2d9a412329534d8742b2357006b
SERVER_HANDSHAKE_TRAFFIC_SECRET e27a03ae85ae8035b331a1af6089dd1e2f300cce131b03fdb9f07a25f1a10876 21c21f13865944c2c411ed1a7271809834dbe618b35b3a9a188ebba50367988e
CLIENT_TRAFFIC_SECRET_0 e27a03ae85ae8035b331a1af6089dd1e2f300cce131b03fdb9f07a25f1a10876 0de57183beff9a8c43994f517fba1d79ca374bff53b2a2d1aac3070ff02e87d1
SERVER_TRAFFIC_SECRET_0 e27a03ae85ae8035b331a1af6089dd1e2f300cce131b03fdb9f07a25f1a10876 f26e64d69b8095bbcdcbd04d48f2f9d96aedc1abc6463a422f368ef25bf33b2f
EXPORTER_SECRET e27a03ae85ae8035b331a1af6089dd1e2f300cce131b03fdb9f07a25f1a10876 3ab0346dcf11212792839c1f89c9e05aed7b159e680b7a505718927ceb26e3f8
[3] File format at https://developer.mozilla.org/NSS_Key_Log_Format
Configure Key Log File in Wireshark
tshark -otls.keylog_file:/tmp/keys.txt -r some.pcapng
Debug attempt #2: analyze packets with Wireshark (results)
https://lekensteyn.nl/files/captures/upload-bug-dsb.pcapng
Embed key log file in packet capture file
- TLS decryption requires pairing capture files with key log files. This makes switching between different files and file distribution more difficult.
- Solution in Wireshark 3.0: embed key log file in a pcapng file.
- editcap --inject-secrets tls,keys.txt in.pcap out-dsb.pcapng
- Replace secrets: editcap --discard-all-secrets --inject-secrets ...
- inject-tls-secrets.sh: script to embed a subset of TLS secrets in a pcapng file. [4]
  Example: given keys.txt and some.pcap, create some-dsb.pcapng:
    ./inject-tls-secrets.sh keys.txt some.pcap
[4] https://gist.github.com/Lekensteyn/f64ba6d6d2c6229d6ec444647979ea24
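The key log format and the idea of embedding only a subset of secrets, as an added example (not code from the talk and not the inject-tls-secrets.sh script): it validates key log lines, reports which TLS 1.3 labels a session still lacks, and keeps only the lines for chosen Client Hello randoms so unrelated sessions are not distributed with a capture. Function names and the sample data are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Assumption: the four handshake/traffic labels from the sample above are
# what a TLS 1.3 session needs; TLS 1.2 needs a single CLIENT_RANDOM line.
TLS13_REQUIRED = {
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0",
}
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")

def parse_keylog(text):
    """Return ({client_random: {label: line}}, [malformed line numbers])."""
    sessions, bad = defaultdict(dict), []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        m = LINE_RE.match(line)
        # A TLS 1.2 master secret is 48 bytes, i.e. 96 hex digits.
        if not m or (m.group(1) == "CLIENT_RANDOM" and len(m.group(3)) != 96):
            bad.append(lineno)
            continue
        sessions[m.group(2).lower()][m.group(1)] = line
    return dict(sessions), bad

def missing_tls13_labels(labels):
    """Labels still needed before a TLS 1.3 session decrypts completely."""
    if "CLIENT_RANDOM" in labels:
        return set()  # TLS 1.2 style entry, one line is enough
    return TLS13_REQUIRED - set(labels)

def select_secrets(text, client_randoms):
    """Keep only the lines belonging to the given Client Hello randoms."""
    sessions, _ = parse_keylog(text)
    wanted = {r.lower() for r in client_randoms}
    return [line for rand, labels in sessions.items() if rand in wanted
            for line in labels.values()]

# Constructed sample (not real secrets): a TLS 1.2 session, a TLS 1.3 session
# lacking SERVER_TRAFFIC_SECRET_0, and a truncated line.
R12, R13 = "1a" * 32, "2b" * 32
SAMPLE = "\n".join([
    f"CLIENT_RANDOM {R12} {'ab' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {R13} {'c1' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {R13} {'c2' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {R13} {'c3' * 32}",
    f"CLIENT_RANDOM {R12} abcd",
])
```

The Client Hello randoms of a capture can be listed with tshark -r some.pcap -Y "tls.handshake.type == 1" -T fields -e tls.handshake.random, and the selected lines written to the file passed to editcap --inject-secrets.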
RSA decryption keys
- What if TLS key log file is not supported, for example on Windows applications?
- Solution: decryption through RSA private keys.
- Advantage over key log: decrypt all traffic after configuring the private key once.
- Limitations:
  - Requires server admin to provide the key file.
  - Does not work with ciphers like TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
  - Does not work with session resumption.
  - Does not work with TLS 1.3.
- Danger: Leaking the private key compromises all previous and future traffic (RSA ciphers are not forward secret).
RSA Keys configuration
- New in Wireshark 3.0.
- Replaces RSA keys list in TLS preferences.
- Simplified interface.
- PKCS#11 token and HSM support.
- Accepts passwordless PEM-encoded or PKCS#12 key file.
Caveat: out-of-order TCP segments break decryption
- Enable these TCP protocol preferences:
  - Allow subdissector to reassemble TCP streams.
  - Reassemble out-of-order segments (since Wireshark 3.0, disabled by default). [5]
- Sample capture: https://lekensteyn.nl/files/firefox-google/
[5] https://www.wireshark.org/docs/wsug_html_chunked/ChAdvReassemblySection.html#ChAdvReassemblyTcp
Caveat: large certificates are not properly displayed
- Handshake fragmentation may break dissection and TLS 1.3 decryption.
- Capture sample: bug3303.cap [6]
- Bug in Wireshark 3.0, fixed in Wireshark 3.1 (dev).
[6] https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3303#c8
Decoding TLS on custom ports
- Wireshark detects TLS through heuristics, but standard port registrations take precedence. Use Decode As functionality to set an explicit protocol.
- Example: HTTPS on TCP server port 123.
  - Right-click TCP layer, Decode As. Change current protocol for TCP Port to TLS.
  - Press OK to apply just for now or Save to persist this port-to-protocol mapping.
  - Right-click SSL layer, Decode As. Change current protocol for TLS Port to HTTP.
  - For STARTTLS protocols, select SMTP/IMAP/... instead of TLS for TCP Port.
- Tip: there are many protocols, just select the field, then use arrow keys or type the protocol name (typing H gives HTTP).
Case study: How does ESNI work?
- Sample packet capture firefox-esni.pcap and key log file firefox-esni.keys: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14984
- To enable in Firefox, open about:config.
  - Enable ESNI: set network.security.esni.enabled to true.
  - Enable DoH: set network.trr.mode to 2 (try trusted recursive resolver first). [7]
- A public key is retrieved using DNS Queries over HTTPS (DoH, RFC 8484).
- The plain text server name extension is replaced by an Encrypted Server Name Indication (ESNI) extension (draft-ietf-tls-esni-01).
- DoH encrypts the server name. TLS 1.3 encrypts the server Certificate, ESNI additionally hides the server name.
[7] https://daniel.haxx.se/blog/2018/06/03/inside-firefoxs-doh-engine/
Case study: QUIC (IETF)
- Not to be confused with Google QUIC (gquic in Wireshark).
- The current QUIC draft (20) relies on TLS 1.3 for security.
- Almost everything is encrypted now (including Client Hello).
- QUIC is a transport protocol (compare it to TLS).
- HTTP/2 is based on TCP/TLS. HTTP/3 will use UDP/QUIC.
- Sample capture ngtcp2-19-dsb.pcapng: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13881#c209
- Status of QUIC in Wireshark: https://github.com/quicwg/base-drafts/wiki/Tools#wireshark
Conclusion
- Use a key log file to enable TLS decryption in Wireshark.
- Embed these secrets in a pcapng file for easier distribution.
- Enable TCP reassembly preferences to enable decryption.
- Use the latest Wireshark version for the best results.
- For a more detailed background and key extraction from other applications, see https://lekensteyn.nl/files/wireshark-ssl-tls-decryption-secrets-sharkfest18eu.pdf
peter@lekensteyn.nl
lekensteyn.nl
@Lekensteyn