Getting Data In

How to log pre master key to SSLKEYLOGFILE?

riisgaard80
New Member

Hi there

I'm an IT trainee working on my final school project. For that I have a complete Splunk setup with Indexer Cluster, Search Head Cluster, Deployment Server and an HA proxy, everything running on CentOS 7.6. The Universal Forwarders are installed on Windows Server 2016 and Windows 10 Enterprise.

The communication between Forwarders and Peer nodes is configured with SSL, using self-signed certificates. I can capture this communication with Wireshark from my Windows laptop by SSHing to a Peer node, running tcpdump and piping it back to Wireshark on my laptop. I can see Hello messages, key exchange, everything. What I would like to do is decrypt the traffic and show the data in clear text in Wireshark. I'm using Diffie-Hellman for the key exchange, so the RSA private key won't work.

I have read a lot of guides, all of them showing how to do it with browser traffic, all telling you to log the 'pre master key' to a file and then use that in Wireshark. But I have not found a way to do it when it's another application.

I found this on Stack Exchange, but I admit it's a bit out of my league of understanding.
https://security.stackexchange.com/questions/80158/extract-pre-master-keys-from-an-openssl-applicati...

I tried the LD_PRELOAD. Got the code from here: https://git.lekensteyn.nl/peter/wireshark-notes/tree/src/sslkeylog.c
Could not compile it the first time, but when I included the support for old versions, it worked. But I'm not sure how to use it. I've tried starting Splunk like this

SSLKEYLOGFILE=/tmp/premaster.txt LD_PRELOAD=./libsslkeylog.so /opt/splunk/bin/splunk start

But with no luck. Has anyone tried this before, or maybe someone has a better understanding of this than me... or knows another solution to log the 'pre master key'?
Thanks in advance.

Michael

0 Karma

mackermann
Engager

I do not have the answer, but am stuck at what appears to be the same place Michael is.

I start SPLUNK with the SSLKEYLOGFILE variable and the LD_PRELOAD. With that installed, SPLUNK should be writing to the SSLKEYLOGFILE, but it is not.

If I use that same SPLUNK instance as a client (e.g. using curl), the SSLKEYLOGFILE does get written to.

I get no errors, warnings or even info, in splunkd.log.

Not sure where to go or what to try next?

0 Karma

VigilanteWang
New Member

I tried the gdb way on that page. It turns out that Splunk uses its own compiled OpenSSL lib in $SPLUNK_HOME/lib/libssl.so.X.X.X, so the code doesn't work since it puts the breakpoint on the system version.

Tested under splunkforwarder 8.1.3 on Debian 11.

1. Compile an OpenSSL with debugging symbols as mentioned in the article.

Here is the complete guide. Download the 1.0.2 source code and go into the extracted folder. The options I used:

./config shared -d -Wl,-rpath=/usr/local/ssl/lib -Wl,--enable-new-dtags
make
make test
sudo make install

2. Install the electric-fence package ("apt-get install electric-fence"), as required by the -d option.

3. Go to /usr/local/ssl/lib, copy libssl.so.1.0.0 and libcrypto.so.1.0.0 to $SPLUNK_HOME/lib, and make a backup of the original ones. Then duplicate the 2 files and rename them to libssl.so and libcrypto.so (as you can see in the folder, Splunk actually puts 2 copies of the same file there, which were originally soft links).

4. (optional) Edit the manifest file in $SPLUNK_HOME, replacing the sha256 hashes of the original lib files with the new ones.

5. Restart Splunk the normal way. Get the pid of splunkd; there are 2 of them, pick the first one.

6. Install and configure gdb according to the instructions. Then download sslkeylog.py and follow the "Recommended configuration" to configure the gdbinit. Then run:

SSLKEYLOGFILE=premaster.txt gdb -batch -ex skl-batch -p <your splunkd pid>

Hope this helps

0 Karma
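Two checks a practitioner would want after trying the approaches in this thread, as an added example that is not code from the thread, from Splunk or from sslkeylog.py: first, whether the SSLKEYLOGFILE actually contains entries in the NSS key log format Wireshark reads (mackermann's empty-file symptom), and second, which libssl/libcrypto a running splunkd has mapped, read from /proc/<pid>/maps (VigilanteWang's finding that splunkd uses the bundled $SPLUNK_HOME/lib copy rather than the system one). The key log text and the /proc maps excerpt below are constructed samples, and the /opt/splunk paths are an assumption about the install location.

```python
"""Validate an SSLKEYLOGFILE and find which OpenSSL a process has mapped.
Added example; sample data below is constructed, not from a real capture."""
import re
from collections import Counter

# NSS key log format as read by Wireshark: "<label> <client_random_hex> <secret_hex>".
# Field lengths are in hex characters (2 per byte).
TLS12 = {
    "RSA": (16, {96}),            # first 8 bytes of encrypted premaster, 48-byte premaster
    "CLIENT_RANDOM": (64, {96}),  # 32-byte ClientHello random, 48-byte master secret
}
TLS13_LABELS = (
    "CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0", "EARLY_EXPORTER_SECRET", "EXPORTER_SECRET",
)
# TLS 1.3 secrets are hash-sized: SHA-256 (32 bytes) or SHA-384 (48 bytes).
TLS13 = {label: (64, {64, 96}) for label in TLS13_LABELS}
FORMATS = {**TLS12, **TLS13}
HEX = re.compile(r"[0-9a-fA-F]+\Z")


def parse_keylog(text):
    """Parse key log text. Returns (entries, problems): entries is a list of
    (label, client_random, secret) tuples Wireshark would accept, problems is
    a list of "line N: reason" strings for every other non-comment line."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed by the format
        parts = line.split()
        if len(parts) != 3:
            problems.append(f"line {lineno}: expected 3 fields, got {len(parts)}")
            continue
        label, rand, secret = parts
        if label not in FORMATS:
            problems.append(f"line {lineno}: unknown label {label!r}")
            continue
        rand_len, secret_lens = FORMATS[label]
        if not (HEX.match(rand) and len(rand) == rand_len):
            problems.append(f"line {lineno}: {label} field 1 must be {rand_len} hex chars")
            continue
        if not (HEX.match(secret) and len(secret) in secret_lens):
            problems.append(f"line {lineno}: {label} secret must be {sorted(secret_lens)} hex chars")
            continue
        entries.append((label, rand.lower(), secret.lower()))
    return entries, problems


def keylog_is_usable(text):
    """True when the file holds at least one well-formed entry. An empty or
    comment-only file is what you get when the hook never fired."""
    entries, _ = parse_keylog(text)
    return bool(entries)


def mapped_ssl_libs(maps_text):
    """From /proc/<pid>/maps text, return the distinct libssl/libcrypto paths
    the process has loaded. A splunkd that lists $SPLUNK_HOME/lib here is
    using the bundled OpenSSL, so a breakpoint or preload aimed at the system
    library under /usr/lib will never see its SSL_* calls."""
    libs = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # addr perms offset dev inode [path]
        if len(fields) == 6 and re.search(r"/lib(ssl|crypto)[^/]*\.so", fields[5]):
            libs.add(fields[5].strip())
    return sorted(libs)


# Constructed sample key log: two valid TLS 1.2 entries, one TLS 1.3 entry,
# one truncated secret and one unknown label.
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample",
    "CLIENT_RANDOM " + "a1" * 32 + " " + "b2" * 48,
    "RSA " + "c3" * 8 + " " + "d4" * 48,
    "CLIENT_TRAFFIC_SECRET_0 " + "00" * 32 + " " + "ff" * 32,
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 10,  # secret too short
    "BOGUS_LABEL 00 11",
    "",
])

# Constructed /proc/<pid>/maps excerpt for a splunkd using its bundled libs
# (assumed install path /opt/splunk).
SAMPLE_MAPS = "\n".join([
    "7f10a0000000-7f10a0200000 r-xp 00000000 08:01 1234   /opt/splunk/bin/splunkd",
    "7f10a1000000-7f10a1100000 r-xp 00000000 08:01 5678   /opt/splunk/lib/libssl.so.1.0.0",
    "7f10a1100000-7f10a1200000 r--p 00100000 08:01 5678   /opt/splunk/lib/libssl.so.1.0.0",
    "7f10a2000000-7f10a2400000 r-xp 00000000 08:01 9012   /opt/splunk/lib/libcrypto.so.1.0.0",
    "7f10a3000000-7f10a3020000 r-xp 00000000 08:01 3456   /lib/x86_64-linux-gnu/libc.so.6",
    "7ffd1c000000-7ffd1c021000 rw-p 00000000 00:00 0      [stack]",
])

if __name__ == "__main__":
    entries, problems = parse_keylog(SAMPLE_KEYLOG)
    print(len(entries), "usable entries:", Counter(label for label, _, _ in entries))
    for problem in problems:
        print("problem:", problem)
    print("usable for Wireshark:", keylog_is_usable(SAMPLE_KEYLOG))
    print("OpenSSL mapped by splunkd:", mapped_ssl_libs(SAMPLE_MAPS))
```

On a live box, feed the real files in: `parse_keylog(open("/tmp/premaster.txt").read())` after the gdb run, and `mapped_ssl_libs(open(f"/proc/{pid}/maps").read())` for the splunkd pid. If the second call returns only paths under $SPLUNK_HOME/lib, the hook or breakpoint has to target that copy of libssl, which is what the library swap in the post above achieves.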