
I have a VPN server running OpenVPN. I want to log all of my VPN traffic. I can capture the packets on the server on the tun0 interface.

I wonder if it is possible to see SSL traffic in plain text?

abi

2 Answers


If you capture all the packets on the tun0 interface of the OpenVPN server, you'll only see encrypted packets as far as encrypted (SSL/TLS for example) traffic is concerned.

Let's use the communication between a client and an HTTPS webserver as an example: while the client's traffic goes through the VPN, it is encrypted end to end, from the browser to the webserver:

    client -> openvpn encrypted link -> vpn server -> https webserver

    client <----------- ssl/tls encrypted link -----------> https webserver

As the connection with SSL/TLS is encrypted from the webserver to the client, somebody watching the traffic on the VPN server will only be able to see encrypted traffic. (For more information on how TLS/SSL works, you can check the Wikipedia article on TLS.)

The only way to see the traffic would be to perform a man-in-the-middle attack (MITM): pretending to be the SSL-protected server the client is trying to reach, handing the client a fake SSL cert so that you can snoop on their traffic in plain text, and acting as a proxy between the client and the server.

It is to prevent this attack that Certificate Authorities (CAs) exist. If the client is provided a cert that appears valid to their browser (from a malicious CA), they can believe that the link is encrypted up to the webserver while their traffic goes through a MITM. An invalid cert would trigger an alert.

  • I can see the non-https packets in plain text when I'm capturing from tun0. – abi Feb 17 '17 at 20:12
  • Indeed, you can see what's not encrypted. Your question was about being able to see "SSL traffic in plain text" which isn't possible unless you do some kind of man-in-the-middle. – Jack Willis Feb 17 '17 at 20:28
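As an added example (not code from the question or either answer), the Python below shows concretely what the answer and comments are saying about a tun0 capture: a plaintext HTTP request is fully readable, a TLS ClientHello is readable only down to its metadata (record type, version, the SNI hostname), and a TLS application_data record is ciphertext the VPN server cannot open. It assumes the IP/TCP headers have already been stripped from each packet; the three sample payloads are constructed by hand rather than taken from a real capture, and `build_client_hello` exists only to produce one of them.

```python
"""Classify TCP payloads as an observer on an OpenVPN server's tun0 would see them.

Added example, not the original page's code. Input: raw TCP payloads with
IP/TCP headers already removed (constructed samples below, not a real capture).
"""
import struct
from typing import Optional

TLS_CONTENT_TYPES = {
    20: "change_cipher_spec",
    21: "alert",
    22: "handshake",
    23: "application_data",
}


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying an SNI extension.

    Used only to fabricate sample input for the demo; the handshake is otherwise
    bare (one cipher suite, no session id, a constant 'random').
    """
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
    sni_ext_data = struct.pack("!H", len(sni_entry)) + sni_entry   # server_name_list
    extensions = struct.pack("!HH", 0x0000, len(sni_ext_data)) + sni_ext_data  # ext type 0 = SNI
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + b"\x11" * 32                                # random (constant, fine for a demo)
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"          # one cipher suite
        + b"\x01\x00"                                 # compression methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(handshake: bytes) -> Optional[str]:
    """Return the SNI hostname from a ClientHello handshake message, or None.

    The handshake is sent in the clear, which is exactly why an observer on
    tun0 can learn the hostname but nothing of the later application data.
    """
    try:
        if handshake[0] != 1:                        # not a ClientHello
            return None
        pos = 4 + 2 + 32                             # handshake header, client_version, random
        pos += 1 + handshake[pos]                    # session_id
        pos += 2 + struct.unpack("!H", handshake[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + handshake[pos]                    # compression_methods
        if pos + 2 > len(handshake):
            return None                              # no extensions block at all
        ext_len = struct.unpack("!H", handshake[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, length = struct.unpack("!HH", handshake[pos:pos + 4])
            pos += 4
            if ext_type == 0:                        # server_name: list_len(2) type(1) name_len(2) name
                name_len = struct.unpack("!H", handshake[pos + 3:pos + 5])[0]
                return handshake[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += length
    except (IndexError, struct.error):
        return None                                  # truncated or malformed message
    return None


def classify(payload: bytes) -> dict:
    """Describe what someone sniffing tun0 can read out of one TCP payload."""
    # Plaintext HTTP: the whole request line (and body) is readable.
    if payload[:4] in (b"GET ", b"POST", b"HEAD", b"PUT ") or payload.startswith(b"HTTP/"):
        first_line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return {"kind": "http", "readable": True, "detail": first_line}
    # TLS record: the 5-byte header is always plaintext; what follows depends on the type.
    if len(payload) >= 5 and payload[0] in TLS_CONTENT_TYPES and payload[1] == 3:
        ctype, _major, _minor, length = struct.unpack("!BBBH", payload[:5])
        info = {"kind": "tls", "record": TLS_CONTENT_TYPES[ctype], "length": length}
        if ctype == 22:                              # handshake: metadata only, e.g. SNI
            info["readable"] = False
            info["sni"] = parse_sni(payload[5:5 + length])
        else:                                        # application_data etc.: ciphertext only
            info["readable"] = False
        return info
    return {"kind": "unknown", "readable": False}


# Constructed sample payloads standing in for three packets captured on tun0.
CAPTURED = [
    b"GET /login?user=abi HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    build_client_hello("mail.example.com"),
    b"\x17\x03\x03\x00\x20" + bytes(range(32)),     # application_data: 32 opaque bytes
]


def summarize(captures=CAPTURED) -> list:
    return [classify(p) for p in captures]


if __name__ == "__main__":
    for entry in summarize():
        print(entry)
```

Run as a script, the output shows the HTTP request line in full, the ClientHello reduced to `sni: mail.example.com`, and the application_data record with no readable content at all, which is the boundary the answer describes: everything before the TLS session key is agreed is visible, everything after it is not, unless the server is made to terminate TLS itself as a MITM.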

VPNs are not able to decrypt SSL traffic between the user and sites accessed through the VPN. But since the VPN has access to the SSL-encrypted content, it can execute a man-in-the-middle attack. Most man-in-the-middle attacks can be detected by carefully checking the sites' certificates.

Every once in a while there's a new attack that even the most vigilant user won't be able to detect. For example, certificate authority Trustwave (at least) once issued a certificate to a company that allowed that company to perform undetectable man-in-the-middle attacks on any SSL communication going through that company.

There are some enterprise products that you can use to decrypt SSL traffic, for example Ixia's SecureStack https://www.ixiacom.com/products/securestack

Mika Wolf