Hi there
I'm an IT trainee working on my final school project. For that I have a complete Splunk setup with Indexer Cluster, Search Head Cluster, Deployment Server and a HA proxy, everything running on CentOS 7.6. The Universal Forwarders are installed on Windows Server 2016 and Windows 10 Enterprise.
The communication between Forwarders and Peer nodes is configured with SSL, using self-signed certificates. I can capture this communication with Wireshark from my Windows laptop by SSHing to a Peer node, running tcpdump and piping it back to Wireshark on my laptop. I can see Hello messages, key exchange, everything. What I would like to do is decrypt the traffic and show the data in clear text in Wireshark. I'm using Diffie-Hellman for the key exchange, so the RSA private key won't work.
I have read a lot of guides, all of them showing how to do it with browser traffic, all telling you to log the 'pre master key' to a file and then use that in Wireshark. But I have not found a way to do it when it's another application.
I found this on Stack Exchange, but I admit it's a bit out of my league of understanding: https://security.stackexchange.com/questions/80158/extract-pre-master-keys-from-an-openssl-application
I tried the LD_PRELOAD approach. Got the code from here: https://git.lekensteyn.nl/peter/wireshark-notes/tree/src/sslkeylog.c Could not compile it the first time, but when I included the support for old versions, it worked. But I'm not sure how to use it. I've tried starting Splunk like this:
SSLKEYLOGFILE=/tmp/premaster.txt LD_PRELOAD=./libsslkeylog.so /opt/splunk/bin/splunk start
But with no luck. Has anyone tried this before, or maybe someone has a better understanding of this than me... or knows another solution to log the 'pre master key'? Thanks in advance.
Michael
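The file that `SSLKEYLOGFILE` points at is expected to be in the NSS key log format that Wireshark's TLS dissector reads: one entry per line, `LABEL <hex identifier> <hex secret>`, where for a TLS 1.2 session with a DH key exchange the entry is `CLIENT_RANDOM <32-byte client random> <48-byte master secret>` and Wireshark matches the client random against the ClientHello it saw in the capture. Two things go wrong in practice: the hook never fires (an `LD_PRELOAD` shim only intercepts functions the program resolves dynamically from a shared `libssl`, so an empty file after a session means the interception did not happen), or the file fills up but the entries do not correspond to the handshakes in the capture. The script below is an added example, not code from the post or from Splunk or Wireshark; it validates a key log file against the format rules and reports which captured client randoms actually have a secret. The key log lines and the list of client randoms are constructed sample values, not real session material.

```python
"""Validate an NSS key log file (SSLKEYLOGFILE format) and check which
captured TLS sessions it can decrypt.  Added example, not from the post."""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

HEX = re.compile(r"^[0-9a-fA-F]+$")

# Labels accepted by Wireshark's TLS dissector, with the required hex length
# of the identifier field and of the secret field.  None for the secret means
# "any even-length hex", because TLS 1.3 secrets are hash-length (32 or 48 bytes).
LABELS: Dict[str, Tuple[int, Optional[int]]] = {
    "RSA": (16, 96),              # first 8 bytes of encrypted premaster, 48-byte premaster
    "CLIENT_RANDOM": (64, 96),    # 32-byte client random, 48-byte master secret (TLS <= 1.2)
    "CLIENT_EARLY_TRAFFIC_SECRET": (64, None),
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET": (64, None),
    "SERVER_HANDSHAKE_TRAFFIC_SECRET": (64, None),
    "CLIENT_TRAFFIC_SECRET_0": (64, None),
    "SERVER_TRAFFIC_SECRET_0": (64, None),
    "EARLY_EXPORTER_SECRET": (64, None),
    "EXPORTER_SECRET": (64, None),
}

Entry = Tuple[str, str, str]  # (label, identifier, secret), hex lower-cased


def parse_keylog(text: str) -> Tuple[List[Entry], List[Tuple[int, str]]]:
    """Return (well-formed entries, [(line number, problem)]) for a key log."""
    entries: List[Entry] = []
    errors: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and comments are allowed
            continue
        parts = line.split()
        if len(parts) != 3:
            errors.append((lineno, "expected 3 whitespace-separated fields"))
            continue
        label, ident, secret = parts
        spec = LABELS.get(label)
        if spec is None:
            errors.append((lineno, f"unknown label {label!r}"))
            continue
        ident_len, secret_len = spec
        if not HEX.match(ident) or len(ident) != ident_len:
            errors.append((lineno, f"{label}: identifier must be {ident_len} hex chars"))
            continue
        if (not HEX.match(secret) or len(secret) % 2
                or (secret_len is not None and len(secret) != secret_len)):
            errors.append((lineno, f"{label}: secret has wrong length or is not hex"))
            continue
        entries.append((label, ident.lower(), secret.lower()))
    return entries, errors


def keyed_client_randoms(entries: Iterable[Entry]) -> Set[str]:
    """Client randoms that have a usable secret.  RSA entries are keyed by the
    encrypted premaster prefix rather than the client random, so they are skipped."""
    return {ident for label, ident, _ in entries if label != "RSA"}


def match_capture(entries: Iterable[Entry], captured: Iterable[str]) -> Dict[str, bool]:
    """For each client random taken from a ClientHello in the capture, report
    whether the key log holds a secret for it (i.e. Wireshark can decrypt it)."""
    keyed = keyed_client_randoms(entries)
    return {cr.lower(): cr.lower() in keyed for cr in captured}


# Constructed sample key log: two good lines and four malformed ones.
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample, not a real session",
    "CLIENT_RANDOM " + "aa" * 32 + " " + "bb" * 48,                   # valid TLS 1.2
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "cc" * 32 + " " + "dd" * 32,  # valid TLS 1.3
    "CLIENT_RANDOM " + "ee" * 32 + " " + "ff" * 10,                   # secret too short
    "FOO " + "ee" * 32 + " " + "ff" * 48,                             # unknown label
    "CLIENT_RANDOM " + "zz" * 32 + " " + "bb" * 48,                   # identifier not hex
    "CLIENT_RANDOM " + "aa" * 32,                                     # missing secret
])

# Constructed client randoms as they would be read from ClientHello messages.
CAPTURED_CLIENT_RANDOMS = ["AA" * 32, "cc" * 32, "12" * 32]


def demo() -> Tuple[List[Entry], List[Tuple[int, str]], Dict[str, bool]]:
    entries, errors = parse_keylog(SAMPLE_KEYLOG)
    return entries, errors, match_capture(entries, CAPTURED_CLIENT_RANDOMS)


if __name__ == "__main__":
    entries, errors, matches = demo()
    print(f"{len(entries)} usable entries")
    for lineno, problem in errors:
        print(f"line {lineno}: {problem}")
    for cr, ok in matches.items():
        print(f"{cr[:16]}...: {'decryptable' if ok else 'no secret logged'}")
```

To use it on a real run, replace `SAMPLE_KEYLOG` with the contents of `/tmp/premaster.txt` and `CAPTURED_CLIENT_RANDOMS` with the `tls.handshake.random` values Wireshark shows for the ClientHello packets; a valid file whose randoms match none of the capture means the secrets were logged for a different process or session than the one being captured.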