On Thu, 13 Oct 2016 10:35:14 -0500 Bryan Holloway <bryan@shout.net> wrote:
[...]
Is there a way to see the IMAP commands coming from the client? I've tried looking at PCAPs, but of course they're encrypted so I can't see the actual dialog going on between the server and client. I didn't see an obvious way to do this in the docs.
If you have access to the SSL/TLS key (IOW, the private part of the cert) the server uses to secure IMAP connections you can dump the IMAP traffic using the
ssldump
utility (which builds ontcpdump
).I do, but the client is using a DH key exchange so I only have the server-side private key.
Tried that using Wireshark's decoder features and ran into this problem. I'm assuming I'd run into the same using ssldump, but I'll give it a shot!
I think DH is not the culprit: just to be able to actually decode SSL traffic, you must have the server private key when you're decoding the SSL handshake phase -- to be able to recover the session keys, which you then use to decode the actual tunneled data.