
I have a standard MongoDB SSL environment where the mongo wire protocol is encrypted with SSL/TLS using RSA keys. I have packet captures of communication between the MongoDB server and a client taken via tcpdump. I have ownership of the certificates involved in the encryption.

I have a capture of the handshake, and DHE / ECDHE / PFS is not at play in this scenario.

How can I decrypt the information in the existing packet captures to inspect the contents of the mongo wire protocol portion of the packets?

Wesley
  • If your cipher suites were configured properly for forward secrecy, then you shouldn't be able to. – Michael Hampton Feb 04 '15 at 17:23
  • If you don't have PFS active, then something like http://www.rtfm.com/ssldump/ could help. There's no easy way to select a given packet/dump and decrypt it without some heavy coding though. Regardless of method, you also need the session keys, which means having a dump of the handshake. – Hyppy Feb 04 '15 at 17:28
  • @Hyppy Correct, I do have the handshake as well. – Wesley Feb 04 '15 at 17:29
  • What was the chosen cipher suite in the ServerHello in the packet capture? – Michael Hampton Feb 04 '15 at 18:33

1 Answer


You almost certainly can't because of forward secrecy.

MongoDB, for some reason, has a hardcoded SSL cipher list of HIGH:!EXPORT:!aNULL@STRENGTH. What this results in depends on the version of OpenSSL it was built against, but on a modern system will result in ciphers that use forward secrecy being preferred over those that don't.

You can see the generated cipher list on the target system with:

openssl ciphers -v 'HIGH:!EXPORT:!aNULL@STRENGTH'

When the SSL/TLS connection uses forward secrecy, it is impossible to decrypt the session, even if you have the SSL certificate private key. This is the whole point of forward secrecy; it prevents past sessions from being decrypted even if an attacker (whether it be you or a criminal or the NSA) gains control of your private key.

Michael Hampton
  • `s_client` pointed at this specific instance is showing `New, TLSv1/SSLv3, Cipher is AES256-SHA` so I don't think forward secrecy is in play. – Wesley Feb 04 '15 at 18:16
  • @Wesley In that case, find the server admin and beat him senseless until he fixes the problem. – Michael Hampton Feb 04 '15 at 18:18
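The answer turns on one question: did the negotiated suite use static RSA key exchange (recoverable from the captured handshake plus the certificate's private key) or ephemeral (EC)DH (not recoverable)? The following is an added example, not code from the thread or from MongoDB, that audits the `openssl ciphers -v` output the answer refers to and classifies a ServerHello cipher such as the `AES256-SHA` Wesley saw. The sample output is constructed in the `openssl ciphers -v` column layout; the `Kx=` values `ECDH` and `DH` are the ephemeral exchanges, while `Kx=RSA` is static RSA. It goes slightly beyond the thread by also producing the hardened cipher string: `kRSA` is OpenSSL's keyword for RSA key exchange, and excluding it removes every non-forward-secret suite from the list.

```python
"""Audit an OpenSSL cipher list for forward secrecy and decide whether a
captured TLS session is recoverable from the server's RSA private key.

Added example, not from the Server Fault thread. The input format is the one
printed by `openssl ciphers -v`; the sample below is constructed in that layout.
"""
import re
from typing import List, NamedTuple

# Constructed sample of `openssl ciphers -v 'HIGH:!EXPORT:!aNULL@STRENGTH'`
# output (a subset, in the real column layout) so the script runs offline.
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
"""


class Suite(NamedTuple):
    name: str
    protocol: str
    kx: str            # key exchange as printed by openssl (RSA, ECDH, DH, ...)
    au: str            # authentication as printed by openssl
    forward_secret: bool


# Columns: NAME PROTOCOL Kx=... Au=... Enc=... Mac=...
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)")


def parse_ciphers_v(text: str) -> List[Suite]:
    """Parse `openssl ciphers -v` output into Suite records."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or unexpected lines
        name, proto, kx, au = m.groups()
        # Ephemeral (EC)DH is printed as exactly "ECDH" or "DH"; static variants
        # appear as e.g. "ECDH/RSA" in older OpenSSL and are not forward secret.
        forward_secret = kx in ("ECDH", "DH")
        suites.append(Suite(name, proto, kx, au, forward_secret))
    return suites


def non_forward_secret(suites: List[Suite]) -> List[Suite]:
    """Suites whose sessions a leaked server private key would expose."""
    return [s for s in suites if not s.forward_secret]


def rsa_key_decrypts_session(negotiated: str, suites: List[Suite]) -> bool:
    """True if a session that negotiated `negotiated` (from the ServerHello)
    can be recovered from the handshake capture plus the RSA private key."""
    for s in suites:
        if s.name == negotiated:
            return s.kx == "RSA"
    raise ValueError(f"unknown cipher suite: {negotiated}")


def harden_cipher_string(spec: str) -> str:
    """Exclude static RSA key exchange (OpenSSL keyword kRSA) from a cipher
    string, keeping any trailing @STRENGTH sort directive in place."""
    base, sep, tail = spec.partition("@")
    return base + ":!kRSA" + (sep + tail if sep else "")


if __name__ == "__main__":
    suites = parse_ciphers_v(SAMPLE_CIPHERS_V)
    for s in non_forward_secret(suites):
        print(f"no forward secrecy: {s.name} (Kx={s.kx})")
    print("AES256-SHA recoverable with RSA key:",
          rsa_key_decrypts_session("AES256-SHA", suites))
    print("hardened list:", harden_cipher_string("HIGH:!EXPORT:!aNULL@STRENGTH"))
```

To audit a live build, pipe the real command into the parser (`openssl ciphers -v 'HIGH:!EXPORT:!aNULL@STRENGTH' | python3 audit.py` with `sys.stdin.read()` in place of the sample). If the negotiated suite shows `Kx=RSA`, the capture is only as safe as the private key; if it shows `Kx=ECDH` or `Kx=DH`, the session keys were never derivable from that key, which is the answer's point.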