Ssl – Extracting SSL certificates from the network or pcap files

pcapsslssl-certificatetcpdump

I will appreciate if someone can point me to a tool or approach to extract SSL/TLS certificates from live HTTPS connections (directly from the network) or from a network trace file (pcap file). I tried using ssldump but I was not able to extract the certificates. I can also use Wireshark for this (manually), but I want to do this in an automated way. I am using a Linux platform for this. Thanks

Edit: I want to extract the SSL certificate than a server sends to the client (browser) during an SSL handshake. I want to use a network sniffer (tcpdump) to capture the SSL connections in a network and then extract the certificates from the resulting pcap file (or doing it live).

Best Answer

Do you need the certificates in a particular format (PEM/DER/...)?

ssldump can show parsed ASN.1 certificates with the -N option and read a pcap file as input with -r. The following command could show you the certificates in a human-readable form.

ssldump -Nr file.pcap | awk 'BEGIN {c=0;} { if ($0 ~ /^[ ]+Certificate$/) {c=1; print "========================================";} if ($0 !~ /^ +/ ) {c=0;} if (c==1) print $0; }'

The awk script isn't the cleanest but does the job (improvements more than welcome).

The -x option of ssldump would show you the actual packet payload (packet_data). That will include the record layer and handshake protocol fields (i.e. not the certificate only). A more intelligent script/code might be able to extract it from there and convert it to a more common format.

Related Solutions

How to read pcap files in a friendly format

Wireshark is probably the best, but if you want/need to look at the payload without loading up a GUI you can use the -X or -A options

tcpdump -qns 0 -X -r serverfault_request.pcap

14:28:33.800865 IP 10.2.4.243.41997 > 69.59.196.212.80: tcp 1097
        0x0000:  4500 047d b9c4 4000 4006 63b2 0a02 04f3  E..}..@.@.c.....
        0x0010:  453b c4d4 a40d 0050 f0d4 4747 f847 3ad5  E;.....P..GG.G:.
        0x0020:  8018 f8e0 1d74 0000 0101 080a 0425 4e6d  .....t.......%Nm
        0x0030:  0382 68a1 4745 5420 2f71 7565 7374 696f  ..h.GET./questio
        0x0040:  6e73 2048 5454 502f 312e 310d 0a48 6f73  ns.HTTP/1.1..Hos
        0x0050:  743a 2073 6572 7665 7266 6175 6c74 2e63  t:.serverfault.c
        0x0060:  6f6d 0d0a 5573 6572 2d41 6765 6e74 3a20  om..User-Agent:.
        0x0070:  4d6f 7a69 6c6c 612f 352e 3020 2858 3131  Mozilla/5.0.(X11
        0x0080:  3b20 553b 204c 696e 7578 2069 3638 363b  ;.U;.Linux.i686;

tcpdump -qns 0 -A -r serverfault_request.pcap

14:29:33.256929 IP 10.2.4.243.41997 > 69.59.196.212.80: tcp 1097
E..}..@.@.c.
...E;...^M.P..^w.G.......t.....
.%.}..l.GET /questions HTTP/1.1
Host: serverfault.com

There are many other tools for reading and getting stats, extracting payloads and so on. A quick look on the number of things that depend on libpcap in the debian package repository gives a list of 50+ tools that can be used to slice, dice, view, and manipulate captures in various ways.

For example.

Ssl – My IIS server won’t serve SSL sites to some browsers

Maybe a problem with the underlying cert, or cert chain?

You try some of the SSL validation tools out there to rule that out. I would start with the IIS SSL Diag tool: http://www.microsoft.com/en-ca/download/details.aspx?id=674

Then maybe some of these: https://www.digicert.com/util/ http://www.digicert.com/help/ http://www.sslshopper.com/ssl-checker.html https://ssl-tools.verisign.com/#home

Best Answer

Related Solutions

How to read pcap files in a friendly format

Ssl – My IIS server won’t serve SSL sites to some browsers

Related Topic