I want to be able to capture and decrypt TLS traffic that one off my internal application (that I don't have access) makes to the internet. (For testing I am using Postman to create a request to a secure server.)
-
What I did was to add an Nginx as a reverse proxy.
-
I created a self-signed certificate with the next command:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -
I added the ssl configuration to the /etc/nginx/sites-enabled/default file the certificate.
server { # SSL configuration # listen 443 ssl default_server; ssl_certificate /home/mavi/nginx/keys/localhost.crt; ssl_certificate_key /home/mavi/nginx/keys/localhost.key; ssl_protocols TLSv1.2 TLSv1.1 TLSv1; location / { # First attempt to serve request as file, then # as directory, then fall back to displaying a 404. #try_files $uri $uri/ =404; proxy_pass https://myService.com; proxy_http_version 1.1; } } -
I added the key that I generated with OpenSSL in Wireshark Edit> Preferences > SSL > RSA Keys list.
- I create the request pointing to my proxy (HTTPS://127.0.0.1) and it redirects the request to the external service and I get a correct response.
- I captured the traffic made by the previews request but Wireshark it's not able to decrypt the traffic.
Why am I not able to decrypt the data if I am using an RSA key exchange?
I have been investigating (please correct me if I am wrong) the types of asynchronous encryption. I know that RSA sends the public key with its certificate to the client and then the client uses this public key to encrypt the data. Then when this encrypted data is sent to the server, it uses the private key to decrypt the information. So if I use this private key in Wireshark I should be able to decrypt the data, right?
Also, I have read that for security we have stopped using RSA and now we moved to use Diffie Hellman algorithms (ECDH, ECDHE DFH). Diffie Hellman and its variants don't use the private key anymore, it uses random session keys that it saves in RAM. (As a note to decrypt Diffie Hellman packages we need to add a global variable in the system $SSLKEYLOGFILE and import this file to Wireshark. This only works with Google Chrome, Firefox, CURL not for internal apps)
So I think that is why I am not able to decrypt the data. Because in the cipher's negotiation from my client and my server (both in my local computer) are using Diffie Hellman as the Asynchronous encryption even when I create an RSA certificate. I am guessing they are using Diffie Hellman because in the TLS handshake I see that they agree to use 0xc030
If I'm right then I should change my question to How can I specify the ciphers to use in Nginx configuration?
Right now my Nginx has the ssl_prefer_server_ciphers on; configuration.
I will add the TLS handshake so you can see the cipher's negotiation.
Client Hello
Server Hello
Cipher Renegotiation
Best Answer
TLS 1.2 with ECDHE-RSA-AES256-GCM-SHA384 has forward secrecy. Notice its presence on the intermediate level of Mozilla's cipher lists. Inability to decrypt with only the server key is a feature.
Extract the client keys as well. As this terminates TLS on nginx, get nginx's client keys. Absent any easy option to enable this, compile and load your own hooks. See for example Extracting openssl pre-master secret from nginx which makes use of someone's sslkeylog.c. Because OpenSSL's keylog API is known, such a library works for any client, including nginx with OpenSSL.
As usual, be careful of security and operational concerns when compiling third-party code. Should nginx not be a requirement, consider some other proxy where key logging is a feature like mitmproxy