
sngrep F2 save TLS issue

Open michael2009 opened this issue 8 years ago • 8 comments

sngrep -k tls.key and F2 save TLS dialog to test.pcap, next sngrep -k tls.key -I test.pcap, then no callflow. Maybe a bug.

Did sngrep F2 save, then it saved TCP data packets only. It never saves the TLS handshake. Then must issue.

michael2009 avatar Nov 03 '17 14:11 michael2009

I have one idea: add a function to support defining a TLS ip:port. Then sngrep will record the SSL connection using the TLS handshake or a static ip:port record.

michael2009 avatar Nov 03 '17 14:11 michael2009

The ip:port setting sounds good, but I would like to also make it work without the setting

Kaian avatar Nov 03 '17 16:11 Kaian

If you add one function for ip+port, then there is no need to always capture the TLS handshake; force decrypt TLS. Then it solves the issue for TLS online callflow or offline pcap import.

And another idea: you can add one function to randomly try to decrypt the TCP stream; if a SIP header is found in the decrypted TCP packets, then add one global SSL record. It will solve the issue. But a static ip+port for a static SSL record is best for any case.

michael2009 avatar Nov 04 '17 02:11 michael2009

> Did sngrep F2 save, then it saved TCP data packets only. It never saves the TLS handshake. Then must issue.

Yet, it should save everything; I'll check it out.

> And another idea: you can add one function to randomly try to decrypt the TCP stream; if a SIP header is found in the decrypted TCP packets, then add one global SSL record. It will solve the issue. But a static ip+port for a static SSL record is best for any case.

This doesn't make too much sense to me. One global ssl record only will allow one connection to be decrypted. Each packet can only be decrypted if you have the previous one of the TCP stream. You can not randomly decrypt packets.

Anyway, TLS decrypting is highly discouraged and if someday sngrep 2.0.0 comes to life, most probably TLS support will be dropped.

Until then, thanks for all the feedback and support!

Regards

Kaian avatar Nov 04 '17 09:11 Kaian

Hi,

Previous commit should allow a new setting for sngreprc to configure server IP:PORT

set capture.tlsserver 192.168.0.1:5061

This most probably won't fix the problem described here but it's just an enhancement.

Regards!

Kaian avatar Nov 06 '17 15:11 Kaian

set capture.tlsserver 192.168.1.1:5061
sngrep -I tls.pcap -k ca.key

Doesn't show callflow

tls.zip

michael2009 avatar Nov 07 '17 14:11 michael2009

Thanks for the pcap!

TLS handshake is not being saved into the file. I'll see if I can fix this as soon as I have some spare time.

Regards!

Kaian avatar Nov 08 '17 18:11 Kaian
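
The condition discussed in this thread (a saved capture that holds TLS application data but no handshake for the configured server ip:port) can be checked before attempting decryption. The following is an added example, not part of the original thread and not sngrep code; the function names `tls_summary` and `make_pcap`, the classic little-endian Ethernet pcap format and the stub TLS records are assumptions made for illustration.

```python
import struct

HANDSHAKE, APPLICATION_DATA = 0x16, 0x17      # TLS record content types

def tls_summary(pcap, server_ip, server_port):
    """Count TLS records seen on one server ip:port in a classic pcap
    (little-endian, Ethernet). Only the first record of each TCP segment
    is inspected; there is no stream reassembly."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("expected a little-endian classic pcap file")
    counts = {"client_hello": 0, "server_hello": 0, "app_data": 0}
    off = 24                                   # skip the pcap global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                           # keep IPv4/TCP frames only
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack_from("!H", frame, 16)[0]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:14 + total_len]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        if (server_ip, server_port) not in ((src, sport), (dst, dport)):
            continue
        payload = tcp[(tcp[12] >> 4) * 4:]
        if len(payload) >= 6 and payload[0] == HANDSHAKE:
            if payload[5] == 1:                # handshake type: ClientHello
                counts["client_hello"] += 1
            elif payload[5] == 2:              # handshake type: ServerHello
                counts["server_hello"] += 1
        elif payload[:1] == bytes([APPLICATION_DATA]):
            counts["app_data"] += 1
    counts["handshake_present"] = min(counts["client_hello"], counts["server_hello"]) > 0
    return counts

def make_pcap(segments):
    """Constructed sample: wrap (src, sport, dst, dport, payload) tuples in frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, sport, dst, dport, payload in segments:
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out
```

A result with `app_data` above zero and `handshake_present` false matches the saved file described above: encrypted records are in the capture, but the handshake needed to derive session keys is not.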

Then can the export include the TLS handshake packets? Then best to add one option to force decrypt using a default cipher, for example:
set capture.tlsserver 192.168.1.1:5061
set capture.tlsserver_cipher_default=AES256-SHA

michael2009 avatar Nov 09 '17 03:11 michael2009