• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Packet Capture Decryption

Scheduled Pinned Locked Moved General pfSense Questions
10 Posts 2 Posters 6.1k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • N
    NOYB
    last edited by Mar 27, 2013, 12:40 AM

    Capturing encrypted SMTP traffic on the WAN interface and providing the private key in Wireshark it is decrypted just fine for a Windows Live email client session.  But cannot decrypt the capture of a pfSense Notify session.

    What is different about the pfSense SMTP client?  Itโ€™s as though it is not using the SMTP servers certificate.

    1 Reply Last reply Reply Quote 0
    • J
      jimp Rebel Alliance Developer Netgate
      last edited by Mar 27, 2013, 5:46 PM

      Did the start of the client/server exchange in both cases look the same? (e.g. STARTTLS or straight SSL/TLS) You should be able to see the certificate negotiation and such at least.

      Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      1 Reply Last reply Reply Quote 0
      • N
        NOYB
        last edited by Mar 27, 2013, 9:54 PM

        The same up through 6th packet (TLSv1 Server Hello).  After that they diverge a bit but both are successful at sending the message.  But Wireshark cannot decrypt the pfSense notify sent message even though both cases should be using the same cert and private key.

        The Wireshark  SSL Debug log has this line about DH key exchange being impossible to decrypt.
        Session from other SMTP client does not have that.  Guessing this is the issue.  But don't know how to change it so that it can be decrypted.

        
        dissect_ssl enter frame #13 (first time)
          conversation = 058D184C, ssl_session = 058D1CD0
          record: offset = 0, reported_length_remaining = 198
        dissect_ssl3_record: content_type 22 Handshake
        decrypt_ssl3_record: app_data len 134, ssl state 0x17
        packet_from_server: is from server - FALSE
        decrypt_ssl3_record: using client decoder
        decrypt_ssl3_record: no decoder available
        dissect_ssl3_handshake iteration 1 type 16 offset 5 length 130 bytes, remaining 139 
        ssl_decrypt_pre_master_secret session uses DH (17) key exchange, which is impossible to decrypt
        dissect_ssl3_handshake can't decrypt pre master secret
          record: offset = 139, reported_length_remaining = 59
        dissect_ssl3_record: content_type 20 Change Cipher Spec
        dissect_ssl3_change_cipher_spec
        packet_from_server: is from server - FALSE
        ssl_change_cipher CLIENT
          record: offset = 145, reported_length_remaining = 53
        dissect_ssl3_record: content_type 22 Handshake
        decrypt_ssl3_record: app_data len 48, ssl state 0x17
        packet_from_server: is from server - FALSE
        decrypt_ssl3_record: using client decoder
        decrypt_ssl3_record: no decoder available
        dissect_ssl3_handshake iteration 1 type 166 offset 150 length 16733742 bytes, remaining 198 
        
        
        1 Reply Last reply Reply Quote 0
        • J
          jimp Rebel Alliance Developer Netgate
          last edited by Mar 28, 2013, 1:10 PM

          Not sure I'd want to cripple it to make it less secureโ€ฆ :-)

          http://ask.wireshark.org/questions/17630/cant-decrypt-tlsv1-traffic

          Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          1 Reply Last reply Reply Quote 0
          • N
            NOYB
            last edited by Mar 28, 2013, 4:43 PM

            Not permanently no.  But temporarily for investigation yes.

            Where I'm head is trying to determine what is going on with port 587 with SSL/TLS enabled that prevents it from working.

            Now I'm guessing the reason has to do with the SMTP server config maybe not compatible with DH.
            Port 445 (smtps) uses tls wrappermode and port 587 (submission) uses tls security level encrypt.

            Where would this be changed in pfSense?  Thinking it may be easier to verify by temporarily changing pfSense test bed before going and messing around with the mail server config.

            Mail server config snipit.

            
            submission inet n       -       n       -       -       smtpd
              -o smtpd_tls_security_level=encrypt
              -o smtpd_sasl_auth_enable=yes
              -o smtpd_client_restrictions=permit_sasl_authenticated,reject
              -o milter_macro_daemon_name=ORIGINATING
            smtps     inet  n       -       n       -       -       smtpd
              -o smtpd_tls_wrappermode=yes
              -o smtpd_sasl_auth_enable=yes
              -o smtpd_client_restrictions=permit_sasl_authenticated,reject
              -o milter_macro_daemon_name=ORIGINATING
            
            
            1 Reply Last reply Reply Quote 0
            • J
              jimp Rebel Alliance Developer Netgate
              last edited by Mar 28, 2013, 4:51 PM

              Looks like in /etc/inc/smtp.inc we compose the fsockopen url with ssl:// if SSL is enabled, apparently there is also a tls:// prefix.

              Perhaps there needs to be an extra option to control the switch somewhere. Instead of an SSL checkbox, a drop-down: No Encryption / SSL / TLS

              Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

              1 Reply Last reply Reply Quote 0
              • J
                jimp Rebel Alliance Developer Netgate
                last edited by Mar 28, 2013, 4:53 PM

                Or maybe it might need a nudge another wayโ€ฆ http://php.net/stream_socket_enable_crypto

                Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!

                1 Reply Last reply Reply Quote 0
                • N
                  NOYB
                  last edited by Mar 28, 2013, 9:15 PM

                  Hard coding TLS in /etc/smtp.inc does not seem to change the behavior for ether being able to decrypt or port 587 working.

                  1 Reply Last reply Reply Quote 0
                  • J
                    jimp Rebel Alliance Developer Netgate
                    last edited by Mar 29, 2013, 1:06 PM

                    There are also other choices there (sslv2, sslv3) do those make any difference?

                    Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                    Need help fast? Netgate Global Support!

                    Do not Chat/PM for help!

                    1 Reply Last reply Reply Quote 0
                    • N
                      NOYB
                      last edited by Mar 29, 2013, 6:36 PM

                      Tried those.  Don't recall the exact result but it did not work.

                      From some network captures it looks like pfSense always insists on "wrapper mode".  After the TCP connection is made pfSense immediately sends client hello and then ignores the initial STMP 220 response.

                      1 Reply Last reply Reply Quote 0
                      1 out of 10
                      • First post
                        1/10
                        Last post
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                        This community forum collects and processes your personal information.
                        consent.not_received