Netgate Discussion Forum

TLS Session keys for built in Packet Logger

General pfSense Questions
11 Posts 3 Posters 1.1k Views
  • Y
    yikogor
    last edited by Dec 8, 2021, 10:26 PM

    Hi, I'm trying to troubleshoot an issue with my Smart TV set.

    I use pfSense as my router.

    I'm using Diagnostics->Packet capture to monitor the traffic from my TV to my media portal, but some of it is TLS encrypted.

    I know that if I have the TLS session keys for my trace I can look at the unencrypted version of the traffic. Where does pfSense store the session keys for the packet capture currently in progress?

    Many thanks

    1 Reply Last reply Reply Quote 0
    • S
      stephenw10 Netgate Administrator
      last edited by Dec 9, 2021, 12:09 AM

      It doesn't. The TLS session would be between the TV and the media server, pfSense never sees inside that or has the keys.

      Steve

      Y 1 Reply Last reply Dec 9, 2021, 12:46 AM Reply Quote 0
      • Y
        yikogor @stephenw10
        last edited by Dec 9, 2021, 12:46 AM

        @stephenw10 Ah, so it's not like when I'm capturing traffic on the desktop using Wireshark.

        Ok, no worries, I wasn't 100% sure what was going on under the hood on pfSense; I thought that it might be grabbing the packets in a manner that allowed this.

        Thanks anyway.

        I think I have a spare switch somewhere that can do traffic mirroring, might have to try using that instead.

        J 1 Reply Last reply Dec 9, 2021, 7:06 AM Reply Quote 0
        • J
          johnpoz LAYER 8 Global Moderator @yikogor
          last edited by johnpoz Dec 9, 2021, 7:08 AM Dec 9, 2021, 7:06 AM

          @yikogor said in TLS Session keys for built in Packet Logger:

          might have to try using that instead.

          That is not going to be any different.. Doing MITM on such a connection is a bit more involved than you think ;)

          The switch isn't going to be seeing anything different than pfSense does on that capture. You're in the middle of the TLS connection.

          It for sure can be done, but it's a bit more involved than just spanning a port on a switch ;)

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          1 Reply Last reply Reply Quote 0
          • S
            stephenw10 Netgate Administrator
            last edited by Dec 9, 2021, 1:16 PM

            Yes, exactly, a mirror port will be the same; you would still need the keys from one of the end points to decrypt anything. When you run it on a desktop and that host is also the end point of the session, then the keys are present on that system. Though I've never tried decrypting that in Wireshark myself, I could imagine it's at least possible.

            Steve

            Y 1 Reply Last reply Dec 9, 2021, 2:06 PM Reply Quote 0
            • Y
              yikogor @stephenw10
              last edited by Dec 9, 2021, 2:06 PM

              @stephenw10 It's fairly easy to capture the TLS when you're packet capturing on a desktop using Wireshark.

              All you need to do (Linux too) is to set the SSLKEYLOGFILE variable to somewhere you have access to, then, using the browser on that system, the session keys will get dumped to said location.

              All you then do is point Wireshark at the saved sessions file, and load in the packet capture taken at the same time as the session keys.

              https://resources.infosecinstitute.com/topic/decrypting-ssl-tls-traffic-with-wireshark/

              I'm thinking what I might have to do then, because now I think about it, a mirror won't work either.

              I'm probably going to have to put a proxy on the machine I'm packet capturing from and see if I can get the proxy to dump the session keys as the traffic flows over it.

              Do you think that might be something that pfSense could do?

              J 1 Reply Last reply Dec 9, 2021, 2:39 PM Reply Quote 0
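The SSLKEYLOGFILE mechanism described in the post above works because the browser writes one line per secret in the NSS key log format, keyed by the 32-byte client random from the ClientHello; Wireshark matches each captured handshake to a key log line by that random. The following is an added example, not code from the thread or from Wireshark, that parses a constructed key log, extracts the client random from a constructed ClientHello record, and correlates the two. It goes slightly beyond the post by handling both the TLS 1.2 `CLIENT_RANDOM` line and the TLS 1.3 per-secret labels, and by skipping malformed lines the way a live key log (still being appended to) requires. All key log contents, secrets and the ClientHello bytes are made up for illustration.

```python
"""Correlate an NSS key log (what SSLKEYLOGFILE produces) with a captured ClientHello.

Constructed example: the key log text and the ClientHello record below are
made up for illustration and are not real session data.
"""
from typing import Dict, Optional

# Key log labels Wireshark's TLS dissector understands, with the byte length
# each secret must have (None = depends on the cipher suite's hash, so not checked).
KEYLOG_LABELS = {
    "CLIENT_RANDOM": 48,                      # TLS 1.2 and earlier: 48-byte master secret
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET": None,  # TLS 1.3 secrets follow
    "SERVER_HANDSHAKE_TRAFFIC_SECRET": None,
    "CLIENT_TRAFFIC_SECRET_0": None,
    "SERVER_TRAFFIC_SECRET_0": None,
    "EXPORTER_SECRET": None,
}


def parse_keylog(text: str) -> Dict[str, Dict[str, bytes]]:
    """Return {client_random_hex: {label: secret_bytes}} from key log text.

    Malformed lines are skipped rather than raising, because a key log is
    appended to by a running browser and may end with a partial line.
    """
    sessions: Dict[str, Dict[str, bytes]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and comments
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] not in KEYLOG_LABELS:
            continue
        label, client_random_hex, secret_hex = parts
        try:
            client_random = bytes.fromhex(client_random_hex)
            secret = bytes.fromhex(secret_hex)
        except ValueError:                        # not valid hex
            continue
        expected = KEYLOG_LABELS[label]
        if len(client_random) != 32 or (expected is not None and len(secret) != expected):
            continue
        sessions.setdefault(client_random.hex(), {})[label] = secret
    return sessions


def client_random_from_record(record: bytes) -> Optional[str]:
    """Extract the 32-byte client random (hex) from a TLS record carrying a ClientHello.

    Layout: 5-byte record header (type 0x16 = handshake, version, length),
    4-byte handshake header (type 0x01 = ClientHello, 3-byte length),
    2-byte legacy version, then the 32-byte random.
    """
    if len(record) < 5 + 4 + 2 + 32:
        return None
    if record[0] != 0x16 or record[5] != 0x01:
        return None
    rec_len = int.from_bytes(record[3:5], "big")
    if rec_len + 5 > len(record):
        return None                               # truncated record
    return record[11:43].hex()


def secrets_for_capture(keylog_text: str, client_hello_record: bytes) -> Dict[str, bytes]:
    """Look up the key-log secrets that apply to a captured ClientHello, or {} if none."""
    random_hex = client_random_from_record(client_hello_record)
    if random_hex is None:
        return {}
    return parse_keylog(keylog_text).get(random_hex, {})


# Constructed key log: one TLS 1.2 session (random 11..11), one TLS 1.3 session
# (random 22..22), and one malformed line that must be ignored.
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by a browser (constructed sample)",
    "CLIENT_RANDOM " + "11" * 32 + " " + "aa" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "bb" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "cc" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "dd" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "ee" * 32,
    "CLIENT_RANDOM deadbeef notvalidhex",
])


def build_client_hello(client_random: bytes) -> bytes:
    """Build a minimal constructed TLS record wrapping a ClientHello with the given random."""
    body = b"\x03\x03" + client_random + b"\x00"  # legacy version, random, empty session id
    body += b"\x00\x02\x13\x01"                    # one cipher suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                            # compression methods: null only
    body += b"\x00\x00"                            # no extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


if __name__ == "__main__":
    hello = build_client_hello(bytes.fromhex("22" * 32))
    print(sorted(secrets_for_capture(SAMPLE_KEYLOG, hello)))
```

The point the thread keeps returning to is visible in `secrets_for_capture`: a key log is only useful for sessions whose client random appears in it, and only the endpoint that generated that random can write it, which is why a capture taken on pfSense or a mirror port has nothing to match against unless the TV itself exports its secrets.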
              • J
                johnpoz LAYER 8 Global Moderator @yikogor
                last edited by Dec 9, 2021, 2:39 PM

                @yikogor said in TLS Session keys for built in Packet Logger:

                can get the proxy to dump the session keys as the traffic flows over it.

                No.. Not really.. Since again the proxy is not the actual endpoint either for TLS. Unless you're doing MITM for SSL?

                The problem with doing it for say a TV, or such a device, is you really have no way to even present a fake cert that they will trust, because you do not normally have access to tell the TV to trust the CA you create certs with.

                While you can get the master secret from sniffing the session, how do you expect to get the random secret your TV generates?

                Unless you have the ability to get this info from your TV, or have the TV trust a cert for the domain it's trying to go to that you actually created.. What you're asking is more difficult than you would think ;) It was designed that way; if it was as easy as you think it is, anyone in the path of the TLS traffic could just decrypt it ;)

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                1 Reply Last reply Reply Quote 0
                • S
                  stephenw10 Netgate Administrator
                  last edited by Dec 9, 2021, 3:36 PM

                  It may be possible to tell the TV to use the proxy but I wouldn't be surprised if you can't. The settings exposed to the user tend to be very limited in these things.

                  What is the problem you're actually trying to solve here?

                  Steve

                  Y 1 Reply Last reply Dec 9, 2021, 8:50 PM Reply Quote 0
                  • Y
                    yikogor @stephenw10
                    last edited by yikogor Dec 9, 2021, 8:52 PM Dec 9, 2021, 8:50 PM

                    @stephenw10 Well, I have 3 TV sets all with the same OS on, and on one of them at least (the lower version of the 3) I've actually managed to break in to it and get a Linux console on the device, so I'm actually looking now to see if it's using a TLS version that I can change the SSL keylogfile variable on, and if I can, then I should in theory be able to dump the session keys to a USB stick and mirror the actual data stream to a PC to record with Wireshark.

                    Ironically, however, based on some info in the forums for the media player, I actually tried a URL that the TV may be using in a PC browser, and got the same as on my TV, and my initial findings actually show the issue to be at the media player app supplier's public web version of the app.

                    Unfortunately, I mentioned in my thread post that the "app in question" seems to be broken, and the backlash I got from the faithful supporters of the app for daring to call it into disrepute is... well, shall we say, mildly entertaining... (Read that as: snowflakes are annoying me again) :-)

                    The actual problem I'm trying to solve is to see exactly what the issue/error is on the wire with the HTTP protocol. The player is HTML based, but since the TV is a sealed system/browser, there is no way to access the browser console/tools to investigate what is going on, and the browser debugger port is not open for me to connect a remote debugger to either, so the only way I can see what's going on right now is to get my pfSense router to dump the packet stream as it flows over my LAN, which even then only gets me half the story; I still don't get to see any JavaScript crashes or anything. Unfortunately, the traffic between the player and my media server instance is all TLS, so really I can't see a damn thing, which makes debugging it and trying to find the root cause of the failure darn near impossible.

                    As for using a proxy, I suspect I can get the TV to at least use a SOCKS one, as I have static DHCP leases set up by MAC address for every device on my LAN, and since I have control of the entire DHCP process I can tell ISC-DHCPD to set any parameters I want in the DHCP communication.

                    1 Reply Last reply Reply Quote 0
                    • S
                      stephenw10 Netgate Administrator
                      last edited by Dec 9, 2021, 9:02 PM

                      Hmm, I would probably approach this by trying to run the app on something else and debugging from there.

                      You would need to use an HTTP/S proxy to be able to see inside the session.

                      Steve

                      Y 1 Reply Last reply Dec 9, 2021, 10:05 PM Reply Quote 0
                      • Y
                        yikogor @stephenw10
                        last edited by Dec 9, 2021, 10:05 PM

                        @stephenw10 Yep, got a few ideas I'm exploring now; thanks for the assist, however.

                        I did read an article about using Squid on pfSense to get data that was decryptable in Wireshark, but for the life of me, now, can I heck as like find it.

                        :-)

                        1 Reply Last reply Reply Quote 0
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.