1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
|
Capture SSL/TLS master secrets from gnutls and openssl users
The following usage example has been tested to work on Debian 9:
$ sudo stap-prep
$ sudo apt-get install libgnutls30-dbgsym libssl1.0.2-dbgsym libssl1.1-dbgsym libssl-dev
$ ./capture_ssl_master_secrets.stp | tee keylog.txt &
$ sudo tcpdump -s0 -w traffic.pcap -U port 443 &
$ curl https://www.ssllabs.com/curl_secret
$ wget https://www.ssllabs.com/wget_secret
$ echo "GET /sclient_secret HTTP/1.1\nHost: www.ssllabs.com\n\n" | openssl s_client -connect www.ssllabs.com:443 -servername www.ssllabs.com
$ cat keylog.txt
# 1509378583063892 process("/usr/lib/x86_64-linux-gnu/libssl.so.1.0.2").function("tls1_generate_master_secret@./ssl/t1_enc.c:1134").return curl (24745)
CLIENT_RANDOM 924207933a2eda5d90ccd2552a620924c6cd12bf72036ced2227bfc0016152ad 9bffacb095403182e9a2f515851d3fa49838b93599de6507230bac0c0666c29d140588739635d4ad19bdfd4fced69000
# 1509378587558501 process("/usr/lib/x86_64-linux-gnu/libgnutls.so.30.13.1").function("generate_normal_master@./lib/kx.c:131").return wget (24755)
CLIENT_RANDOM 59f74aa0d72f90753e989d049953deb9fc6479a2c7091936520d280a4b1be28a 5604af95f156eaa21a93f6982c1de24289b86dac9331e0080bfc4b1a67ab13535f03c7d50530e5b3f8cd572b5d8967c8
# 1509378592611222 process("/usr/lib/x86_64-linux-gnu/libssl.so.1.1").function("tls1_generate_master_secret@../ssl/t1_enc.c:463").return openssl (24757)
CLIENT_RANDOM aa211423644611d7b52f254e44e55c3919a48d81cc0a7f0c6af604190720fc93 74150d7854157f7e6b01e40238641d065c37d7f931bac6a14aa9fac6a44b1ea7da0943f15714039acc3f71077c21127a
$ tshark -o ssl.keylog_file:keylog.txt -d tcp.port==443,ssl -x -r traffic.pcap -V | grep -A1 'Decrypted SSL data' |grep "GET "
0000 47 45 54 20 2f 63 75 72 6c 5f 73 65 63 72 65 74 GET /curl_secret
0000 47 45 54 20 2f 77 67 65 74 5f 73 65 63 72 65 74 GET /wget_secret
0000 47 45 54 20 2f 73 63 6c 69 65 6e 74 5f 73 65 63 GET /sclient_sec
|
