11-12-2010, 02:59 PM
Gerrard Geldenhuis

Decrypting SSL for 389-ds

Hi
I am trying to decrypt SSL traffic captured with tcpdump in Wireshark. A quick google turned up a page that said the NSS utils do not allow you to expose your private key. Is there a different way or howto that anyone can share to help decrypt SSL encrypted traffic for 389?
Regards


__________________________________________________ ______________________

In order to protect our email recipients, Betfair Group use SkyScan from

MessageLabs to scan all Incoming and Outgoing mail for viruses.



__________________________________________________ ______________________

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
11-12-2010, 03:03 PM
David Boreham

Decrypting SSL for 389-ds

On 11/12/2010 8:59 AM, Gerrard Geldenhuis wrote:

> I am trying to decrypt SSL traffic captured with tcpdump in Wireshark.
> A quick google turned up a page that said the NSS utils do not allow
> you to expose your private key. Is there a different way or howto that
> anyone can share to help decrypt SSL encrypted traffic for 389?





I think you're confused about the private key: you had to have had
the private key in order to configure it in the server.

So find the file, and feed that to Wireshark. Note that WS cannot
currently decrypt certain ciphers (and it won't simply tell you that
it can't -- instead you waste days of your time before the penny
drops). Hopefully your client is not negotiating one of those.









 
11-12-2010, 03:21 PM
Gerrard Geldenhuis

Decrypting SSL for 389-ds

Hi David,
I created a new certificate database with certutil, and I can view the private key fingerprints with certutil -d . -K but I can’t actually extract the private key from the certutil database. I can create a certificate sign request using certutil again. I thus have the private key but it is “hidden” from me.

Regards

From: 389-users-bounces@lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of David Boreham
Sent: 12 November 2010 16:04
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Decrypting SSL for 389-ds

On 11/12/2010 8:59 AM, Gerrard Geldenhuis wrote:
I am trying to decrypt SSL traffic captured with tcpdump in Wireshark. A quick google turned up a page that said the NSS utils do not allow you to expose your private key. Is there a different way or howto that anyone can share to help decrypt SSL encrypted traffic for 389?

I think you're confused about the private key: you had to have had the private key in order to configure it in the server.
So find the file, and feed that to Wireshark. Note that WS cannot currently decrypt certain ciphers (and it won't simply tell you that it can't -- instead you waste days of your time before the penny drops). Hopefully your client is not negotiating one of those.





 
11-12-2010, 03:23 PM
Rich Megginson

Decrypting SSL for 389-ds

Gerrard Geldenhuis wrote:
>
> Hi
>
> I am trying to decrypt SSL traffic captured with tcpdump in Wireshark.
> A quick google turned up a page that said the NSS utils do not allow
> you to expose your private key. Is there a different way or howto that
> anyone can share to help decrypt SSL encrypted traffic for 389?
>
You might also try /usr/bin/ssltap
>
>
>
> Regards
>
>
 
11-12-2010, 03:27 PM
David Boreham

Decrypting SSL for 389-ds

On 11/12/2010 9:21 AM, Gerrard Geldenhuis wrote:

> I created a new certificate database with certutil, and I can
> view the private key fingerprints with certutil -d . -K but
> I can’t actually extract the private key from the certutil
> database. I can create a certificate sign request using
> certutil again. I thus have the private key but it is
> “hidden” from me.





I bet there is a way to get the private key out, but I have no idea
how (the very mention of certutil is giving me flashbacks..).
Perhaps you can just create a key pair with openssl and import the
pkcs bits into the NSS key store?









 
11-12-2010, 03:28 PM
Rich Megginson

Decrypting SSL for 389-ds

Gerrard Geldenhuis wrote:
>
> Hi David,
>
> I created a new certificate database with certutil, and I can view the
> private key fingerprints with certutil -d . -K but I can’t actually
> extract the private key from the certutil database. I can create a
> certificate sign request using certutil again. I thus have the private
> key but it is “hidden” from me.
>
Use pk12util to create a pkcs12 file - then use openssl pkcs12 to
extract the private key. pk12util -H and man pkcs12 for more info.
>
> Regards
>
> *From:* 389-users-bounces@lists.fedoraproject.org
> [mailto:389-users-bounces@lists.fedoraproject.org] *On Behalf Of
> *David Boreham
> *Sent:* 12 November 2010 16:04
> *To:* General discussion list for the 389 Directory server project.
> *Subject:* Re: [389-users] Decrypting SSL for 389-ds
>
> On 11/12/2010 8:59 AM, Gerrard Geldenhuis wrote:
>
> I am trying to decrypt SSL traffic captured with tcpdump in Wireshark.
> A quick google turned up a page that said the NSS utils do not allow
> you to expose your private key. Is there a different way or howto that
> anyone can share to help decrypt SSL encrypted traffic for 389?
>
>
> I think you're confused about the private key: you had to have had
> the private key in order to configure it in the server.
> So find the file, and feed that to Wireshark. Note that WS cannot
> currently decrypt certain ciphers (and it won't simply tell you that
> it can't -- instead you waste days of your time before the penny
> drops). Hopefully your client is not negotiating one of those.
>
>
>
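The pk12util and openssl pkcs12 steps suggested in the reply above, written out as a script; this is an added example, not part of the thread. The database directory, the certificate nickname and the file names are assumed placeholders, and the last function adds a check that the extracted key belongs to the certificate before it is handed to Wireshark.

```shell
#!/bin/sh
# Added example (not from the thread): export a server key from an NSS database.
# Assumed placeholders: database directory, certificate nickname, output file names.

# Step 1 (needs nss-tools): write certificate + private key to a PKCS#12 file.
# $1 = NSS db directory, $2 = certificate nickname, $3 = output .p12,
# $4 = file holding the password that protects the .p12.
# pk12util prompts for the NSS database password if one is set.
nss_export_p12() {
    pk12util -o "$3" -n "$2" -d "$1" -w "$4"
}

# Step 2: extract the private key, unencrypted (-nodes), readable by owner only.
# $1 = .p12 file, $2 = .p12 password file, $3 = output key (PEM).
p12_extract_key() {
    ( umask 077 && openssl pkcs12 -in "$1" -passin "file:$2" -nocerts -nodes -out "$3" )
}

# Step 3: extract the server certificate from the same bundle.
p12_extract_cert() {
    openssl pkcs12 -in "$1" -passin "file:$2" -clcerts -nokeys -out "$3"
}

# Step 4: confirm the key belongs to the certificate by comparing public keys.
# Returns 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
key_matches_cert() {
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$from_key" = "$from_cert" ]
}

# Usage (hypothetical script name): sh nss-key-export.sh DBDIR NICKNAME P12_PASSWORD_FILE
if [ "$#" -eq 3 ]; then
    nss_export_p12 "$1" "$2" server.p12 "$3"
    p12_extract_key server.p12 "$3" server.key
    p12_extract_cert server.p12 "$3" server.crt
    if key_matches_cert server.key server.crt; then
        echo "server.key matches server.crt"
    else
        echo "extracted key does not match certificate" >&2
        exit 1
    fi
fi
```

The extracted server.key is unencrypted, so keep it on the analysis host only and delete it together with the .p12 when the capture work is done. The server key decrypts a capture only when the session used RSA key exchange; sessions negotiated with ephemeral Diffie-Hellman (DHE/ECDHE) suites cannot be decrypted from it.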
 

All times are GMT.