The SSL key is typically used to encrypt data sent over a network to prevent someone from being able to snoop and read the data. But what if you wanted all the SSL infrastructure but didn’t want the data actually encrypted. Would there be a way to create a valid, standard SSL key which would not actually cause the data to be encrypted? A certain algorithm or keylength=0 perhaps?
In my environment, I often have to work with client-server programs which talk over secure sockets. Some of these programs are written here, some of them are external programs (database, webserver, etc). Sometimes I need to debug a problem and it would be extremely useful to be able to view the network data in clear text to see what’s going on. Sometimes I can modify or configure a program to use normal sockets, but that’s not always the case, and it’s not always simple. Not all programs have that option and source code changes would be necessary. However, one thing I can always easily do is configure the SSL keys that the programs use. If I can create an SSL key which didn’t actually encrypt the data, I can easily configure the programs to use that and I could then view the network data.
Looks like Wireshark will let you import a key and use that to decrypt your capture. So, rather than encrypting with no key, you can encrypt with a known key and then view the cleartext.
I should point out that I have little idea of the actual implementation of wireshark, ssl, or most network protocols, so it’s possible that I’ve missed the point entirely.
You could conceivably modify your stuff to use SSL only for authentication and not content encryption, but that’s harder when you don’t control all the devices/services in question because they will just use the regular implementation, not your custom one.
Not a key. You can configure the SSL server to accept a NULL cipher, and the client to request it. The NULL cipher enables the use of SSL connections without any encryption.
In most circumstances, using it is a terrible mistake.
If your servers accept the NULL cipher, all you have to do is configure clients to ask for it. If your servers don’t accept the NULL cipher, and you don’t control the servers, you’re out of luck. But at least the administrators of the servers aren’t hosting an active vulnerability.
To view the data, I typically just use a proxy server that I wrote myself to sit in the middle. I configure the client to connect to my proxy’s port and then I forward the data back and forth to the server. I have my proxy print the data it receives and I can see what is being sent.
I wish I could use 3rd-party tools like Wireshark, but I’m typically debugging on all kinds of varied operating systems and hardware platforms in labs that are scattered everywhere. I’m just using platform-independent languages like java and python that I can easily copy over and run.
But I guess I could do the same thing as Wireshark. Since I have the server’s keys, I can use them to decrypt and encrypt the data. It would be like a man-in-the-middle attack.
Just to be pedantic - it’s not the SSL private key that’s used to encrypt the traffic. The private key is used to encrypt a session key that is then used to encrypt the traffic.
You can also configure Wireshark, on a laptop you control, to use “promiscuous mode” and listen to all traffic on the network it’s connected to. Then you can filter by source/destination IP.
And I bet there are Linux distros that can help you with all this, although it wouldn’t be hard to install all the tools on any standard distro.