All geek questions in one place

Is there a way to configure OpenSSL or boost :: asio :: ssl not for encryption?

For debugging reasons, I sometimes want to capture traffic and analyze it. One option is to configure OpenSSL or boost :: asio :: ssl to keep the transport intact. I could not find anything in the API.

+4
source share
2 answers

If you can configure both ends of your connection, you can use a null cipher. When you create your boost::asio::ssl::stream , configure it only with ciphers that are not encrypted. This can be done using the OpenSSL API by passing the encapsulated OpenSSL pointer:

 boost::asio::ssl::stream<boost::asio::ip::tcp::socket> sslSocket(io, ssl); SSL_set_cipher_list(sslSocket.native_handle(), "eNULL"); SSL_set_options(sslSocket.native_handle(), SSL_OP_NO_COMPRESSION);

SSL_set_cipher_list() sets valid ciphers, and "eNULL" matches ciphers without encryption (see OpenSSL ciphers ). Calling SSL_set_options() disables compression, which has nothing to do with encryption, but it’s easier to view traffic on the wire without compression. SSL_OP_NO_COMPRESSION can only be accessed with OpenSSL 0.9.9 or later. If you are using an earlier version of OpenSSL, this page has a workaround to disable compression. It is enough to disable compression on one side of the connection.

eNULL ciphers are never enabled by default, so you will need to explicitly configure both ends. If you configure only one end, this will result in communication failure. You can configure a simple test server using the OpenSSL s_server as follows:

 openssl s_server -accept 8443 -cert server.pem -key server.pem -cipher eNULL

Adding the -debug flag -debug also remove the protocol, and you will be able to see plaintext if your client has disabled compression.

Here is a proof of concept client who will speak with the s_server command s_server ( verify_none mode used for simplicity, update mode to prevent MITM attacks):

 #include <boost/asio.hpp> #include <boost/asio/ssl.hpp> int main() { boost::asio::io_service io; boost::asio::ssl::context ssl(io,boost::asio::ssl::context::sslv23); ssl.set_verify_mode(boost::asio::ssl::context::verify_none); boost::asio::ssl::stream<boost::asio::ip::tcp::socket> sslSocket(io, ssl); SSL_set_cipher_list(sslSocket.native_handle(), "eNULL"); SSL_set_options(sslSocket.native_handle(), SSL_OP_NO_COMPRESSION); boost::asio::ip::tcp::resolver resolver(io); boost::asio::ip::tcp::resolver::query query("localhost", "8443"); boost::asio::ip::tcp::resolver::iterator endpoint = resolver.resolve(query); boost::system::error_code error = boost::asio::error::host_not_found; while (error && endpoint != boost::asio::ip::tcp::resolver::iterator()) { sslSocket.lowest_layer().close(); sslSocket.lowest_layer().connect(*endpoint++, error); } sslSocket.handshake(boost::asio::ssl::stream_base::client); boost::asio::write(sslSocket, boost::asio::buffer("how now brown cow\n")); sslSocket.shutdown(error); return 0; }
+4
source

I don't know how to tell asio to disable encryption when using boost :: asio :: ssl :: stream as a socket object. However, I used Wireshark before looking at the SSL data entering and leaving the wire. Wireshark provides the ability to add the RSA key file, which it uses to decrypt the data, and thus ends the display of the source data in the window.

To specify a key file, call Wireshark and select Edit / Preferences to open the settings dialog box. There should be protocols at the bottom of the left side of the window. Click on it to show all protocols. Then select SSL. In the right part of the window you should see the RSA keys Edit .... button. Click on this button to open the window to specify the key file. You will need to have a key file, an I / O address, and a port number for each server or client you are talking to.

Wireshark can be downloaded from this.

+2
source

Source: https://habr.com/ru/post/1479605/

More articles:


All Articles