debugging TLS with wireshark and a custom application ?

Aki Tuomi aki.tuomi at open-xchange.com
Wed Sep 30 19:15:21 EEST 2020


> On 30/09/2020 18:06 Kurt Jaeger <dovecot at opsec.eu> wrote:
> 
>  
> Hi!
> 
> My question is: can dovecot be used to debug/decrypt TLS sessions ?
> 
> The reason I'm asking:
> 
> A custom application wants to speak IMAP with TLS with a dovecot
> instance.
> 
> It fails, and the error message is, unfortunately, not very helpful.
> tcpdump shows that the session is established, but fails. The custom
> application says error 60000, not much more.
> 
> There is a way to decode TLS sessions in some cases:
> 
> https://wiki.wireshark.org/TLS
> 
> using firefox and the environment variable SSLKEYLOGFILE.
> 
> Basically, the TLS client (firefox), while negotiating keys with the
> other side, writes those logfiles to a logfile specified by SSLKEYLOGFILE
> and at the same time, wireshark is used to capture / write the pcap
> of the session.
> 
> Then wireshark can be used to decode the contents of the TLS-encrypted
> session.
> 
> Is something similar possible with dovecot as the server and
> from the server side ?
> 
> Is, by chance, the session=<...> value already such a key so that
> a tcpdump pcap file would be able to decrypt that session ?
> 
> Sep 29 08:51:30 imap-login: Info: Login: user=<someuser>, method=PLAIN, rip=<someip>, lip=<someotherip>, mpid=63667, TLS, session=<GGF0Nm6wxy0qAQHoAAMAAwAAAAAAAAAB>
> 
> -- 
> pi at opsec.eu            +49 171 3101372                    Now what ?

Hi!

If rawlogs did not have a bug, you would be able to use that to log what the client is sending/receiving.

But, unfortunately that does not work, it's broken with TLS, so you need to work around this bit:

return from passdb

proxy_maybe=y host=127.0.0.2

to connect to localhost again, unencrypted. Then add

protocol imap {
  rawlog_dir=%h/rawlogs/
}

Then create the rawlogs directory under the user's home directory, with mode 0777, and it should store input/output transcripts per session.

Remember to disable these after using them!

Aki
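Added example (not from the original thread, and not Dovecot code; Dovecot's TLS is done by OpenSSL and nothing here changes that): a small Go program showing what the server-side equivalent of SSLKEYLOGFILE looks like when the TLS library offers it. Go's crypto/tls exposes the same NSS key-log format through tls.Config.KeyLogWriter, so the server itself can write the per-session secrets that Wireshark reads from Preferences > Protocols > TLS > "(Pre)-Master-Secret log filename". The program generates a throwaway self-signed certificate, listens on a loopback port, has a client complete an IMAP-style greeting/LOGIN exchange over TLS, and then parses the key log to show which labels appear (CLIENT_RANDOM for TLS 1.2, the handshake and traffic secret labels for TLS 1.3). The certificate, the port, the IMAP lines and the password are constructed for this example; the user name "someuser" is only borrowed from the log line quoted above.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// selfSignedCert builds a throwaway ECDSA certificate for "localhost" so the demo
// runs offline (constructed for this example; a real server has its own key pair).
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		DNSNames:     []string{"localhost"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, _ := x509.ParseCertificate(der) // der was just produced by CreateCertificate
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed, nil
}

// runSession starts a TLS server on loopback with KeyLogWriter set, drives an IMAP-style
// greeting/LOGIN exchange through it, and returns the key log plus the plaintext the server got.
func runSession(version uint16) (keyLog, received string, err error) {
	cert, parsed, err := selfSignedCert()
	if err != nil {
		return "", "", err
	}
	var klog strings.Builder // written only by the accept goroutine, read after <-errc
	// KeyLogWriter is the server-side counterpart of the SSLKEYLOGFILE mechanism.
	srvCfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: version, MaxVersion: version, KeyLogWriter: &klog}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return "", "", err
	}
	defer ln.Close()
	var got string
	errc := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			fmt.Fprint(conn, "* OK IMAP4rev1 ready\r\n") // IMAP servers speak first; this write runs the handshake
			got, err = bufio.NewReader(conn).ReadString('\n')
		}
		errc <- err
	}()
	pool := x509.NewCertPool()
	pool.AddCert(parsed) // trust exactly this certificate instead of disabling verification
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: "localhost"})
	if err != nil {
		return "", "", err
	}
	defer conn.Close()
	if _, err := bufio.NewReader(conn).ReadString('\n'); err != nil { // wait for the greeting
		return "", "", err
	}
	fmt.Fprint(conn, "a1 LOGIN someuser hunter2\r\n")
	if err := <-errc; err != nil {
		return "", "", err
	}
	return klog.String(), strings.TrimSpace(got), nil
}

// keyLogLabels returns the label of every NSS key-log line ("<label> <client_random hex>
// <secret hex>"): CLIENT_RANDOM for TLS 1.2, the handshake/traffic secret labels for TLS 1.3.
func keyLogLabels(keyLog string) []string {
	var labels []string
	for _, line := range strings.Split(keyLog, "\n") {
		if f := strings.Fields(line); len(f) == 3 {
			labels = append(labels, f[0])
		}
	}
	return labels
}

func main() {
	for _, v := range []uint16{tls.VersionTLS12, tls.VersionTLS13} {
		klog, got, err := runSession(v)
		if err != nil {
			panic(err)
		}
		fmt.Printf("TLS 0x%04x: server saw %q; key log labels %v\n", v, got, keyLogLabels(klog))
	}
}
```

Point KeyLogWriter at a file instead of a strings.Builder and hand that file to Wireshark together with the pcap, and the captured IMAP session decodes exactly as it does with the Firefox/SSLKEYLOGFILE setup. Anyone holding the key log can decrypt every session recorded in it (including the LOGIN line with the password), so, as with the rawlogs above, the setting and the file should go away once the problem is understood.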

