0

I have a client application that runs on my computer, which uses openssl to communicate with server using SSLv3. I need to see what they talk so I basically want to edit and recompile openssl library in order to acquire relevant encryption keys.

The application usually uses TLS-DHE-RSA-WITH-AES-256-CBC-SHA as cipher suite. Sometimes it uses aes128 instead of aes256 but that's not critical at this stage. I edited s3_enc.c file so far. At the end of ssl3_setup_key_block function I write the master key, key block(so the client-server write keys, mac keys and IV's), server and client randoms to a file. http://www.ietf.org/rfc/rfc2246.txt says if the stream cipher is exportable, client-server write keys are to be updated as final client-server write keys accordingly. I'm not sure if this cipher suite is considered exportable(whatever that means), but I create final write keys anyway.

The problem is whatever I tried, I couldn't successfully decrypt any packet which I acquired using wireshark. The output is meaningless no matter what and I'm stuck. I am considering checking the mac fields of packets after decryption in order to see whether decryption was correct. But that also seems to be a dead end.

Does anyone have any idea what I am missing, what I might be doing wrong?

Yigit
  • 183
  • 2
  • 9

1 Answers1

1

If you can modify OpenSSL and make your client application use it, then all you need to do is make your modified OpenSSL dump the decrypted data to the file. Even easier alternative would be to make OpenSSL use one of NULL ciphersuites even when the application requests certain encryption.

Eugene Mayevski 'Callback
  • 45,135
  • 8
  • 71
  • 121
  • Thanks for your answer. I had also tried to print decrypted packets to file but since the openssl source is a bunch of trash with no code comments and reliable documentation, I couldn't find where I can find those decrypted packets successfully. I don't think the server will accept a null encrypted connection but worth giving a try. Thank you. – Yigit Dec 16 '10 at 11:52
  • @Yigit: Patch `SSL_read()` and `SSL_write()` in `ssl_lib.c` - those are the functions that the app will call to read and write the plaintext side of the connection. – caf Dec 17 '10 at 02:03
  • @caf to answer to the commenter, put at sign, then commenter's name and NO semicolon after. This is the way stackoverflow engine works. – Eugene Mayevski 'Callback Dec 17 '10 at 06:33