Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

TLS decoding support #193

Open
chmorgan opened this issue Oct 26, 2022 · 6 comments
Open

TLS decoding support #193

chmorgan opened this issue Oct 26, 2022 · 6 comments

Comments

@chmorgan
Copy link
Collaborator

Thoughts on how we might implement tls decoding like wireshark can perform? Can we reuse anything wireshark has done? Should we aim for a purely managed approach? Build on packetnet-connections?

@chmorgan
Copy link
Collaborator Author

chmorgan commented Feb 4, 2023

@PhyxionNL @kayoub5 thoughts on how we might get TLS support?

@kayoub5
Copy link
Contributor

kayoub5 commented Feb 5, 2023

without user provided certificates (either client or server) the only thing you can support is authentication only tls (payload not encrypted)

@chmorgan
Copy link
Collaborator Author

chmorgan commented Feb 5, 2023

@kayoub5 I think we'd assume the user would provide certificates yep.

@raffaeler
Copy link

I investigated this topic and want to provide some feedback.

In modern TLS, the private key of the certificate alone does not allow the full decryption. If the traffic uses the RSA keys the certificate is enough, however if Diffie Helman ephemeral keys are used, it is necessary to have the negotiated key that changes for every session. Anyway, decryption is possible because the libraries used from the two major browsers (Firefox and Chrome) may be enabled to write the secrets (for debugging purposes) using the SSLKEYLOGFILE environment variable. Unfortunately this method is not currently supported by HttpClient and other libraries/framework but some workaround can be found at the provided link.
A good video on how decryption works inside Wireshark can be found here.

I believe it would be very valuable having the ability to decrypt TLS traffic.
If we skip for a moment the problem of retrieving the encryption key, the very first thing to do would be a TLS/SSL packet class (dissector) matching all the TLS and SSL versions. With those, we should able to see the dump that Wireshark shows when the descryption is not enabled.

When writing the new dissectors, it is important considering the differences when it comes to HTTP/2, QUIC and the upcoming HTTP/3 (which is already available in .NET but off by default) as it uses UDP.
After the required dissectors are there, the decryption could be done by manually feeding the key or by reading the file obtained with SSLKEYLOGFILE which hopefully will be come standard for .NET and other libraries.

Some more detail on how TLS works:

@twa890
Copy link

twa890 commented Feb 18, 2024

I would love to see this support added. Provide a way to access the SSKEYLOGGER file, similar to how wireshark does it (point to a file). Then decrypt it. BACnet SC traffic is what I would like to decrypt and parse. I am open to compensating someone to implement this.

@raffaeler
Copy link

It looks like the dotnet team is working on that and the decryption support is coming in .NET 9
dotnet/runtime#37915
You can follow the work in progress here: https://github.com/orgs/dotnet/projects/347

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants