debugging TLS with wireshark and a custom application ?
Hi!
My question is: can dovecot be used to debug/decrypt TLS sessions?
The reason I'm asking:
A custom application wants to speak IMAP with TLS with a dovecot instance.
It fails, and the error message is, unfortunately, not very helpful. tcpdump shows that the session is established, but fails. The custom application says error 60000, not much more.
There is a way to decode TLS sessions in some cases:
https://wiki.wireshark.org/TLS
using firefox and the environment variable SSLKEYLOGFILE.
Basically, the TLS client (firefox), while negotiating keys with the other side, writes those logfiles to a logfile specified by SSLKEYLOGFILE and at the same time, wireshark is used to capture / write the pcap of the session.
Then wireshark can be used to decode the contents of the TLS-encrypted session.
Is something similar possible with dovecot as the server and from the server side?
Is, by chance, the session=<...> value already such a key so that a tcpdump pcap file would be able to decrypt that session?
Sep 29 08:51:30 imap-login: Info: Login: user=<someuser>, method=PLAIN, rip=<someip>, lip=<someotherip>, mpid=63667, TLS, session=<GGF0Nm6wxy0qAQHoAAMAAwAAAAAAAAAB>
-- pi@opsec.eu +49 171 3101372 Now what ?
On 30/09/2020 18:06 Kurt Jaeger <dovecot@opsec.eu> wrote:
> Hi!
> My question is: can dovecot be used to debug/decrypt TLS sessions?
> The reason I'm asking:
> A custom application wants to speak IMAP with TLS with a dovecot instance.
> It fails, and the error message is, unfortunately, not very helpful. tcpdump shows that the session is established, but fails. The custom application says error 60000, not much more.
> There is a way to decode TLS sessions in some cases:
> https://wiki.wireshark.org/TLS
> using firefox and the environment variable SSLKEYLOGFILE.
> Basically, the TLS client (firefox), while negotiating keys with the other side, writes those logfiles to a logfile specified by SSLKEYLOGFILE and at the same time, wireshark is used to capture / write the pcap of the session.
> Then wireshark can be used to decode the contents of the TLS-encrypted session.
> Is something similar possible with dovecot as the server and from the server side?
> Is, by chance, the session=<...> value already such a key so that a tcpdump pcap file would be able to decrypt that session?
> Sep 29 08:51:30 imap-login: Info: Login: user=<someuser>, method=PLAIN, rip=<someip>, lip=<someotherip>, mpid=63667, TLS, session=<GGF0Nm6wxy0qAQHoAAMAAwAAAAAAAAAB>
> -- pi@opsec.eu +49 171 3101372 Now what ?
Hi!
If rawlogs did not have a bug, you would be able to use that to log what the client is sending/receiving.
But unfortunately that does not work, it's broken with TLS, so you need to work around this bit:
return from passdb
proxy_maybe=y host=127.0.0.2
to connect to localhost again, unencrypted. Then add
protocol imap {
  rawlog_dir=%h/rawlogs/
}
then create the rawlogs directory under the user's home directory, with mode 0777, and it should store input/output transcripts per session.
Remember to disable these after using them!
Aki
On Wed, 30 Sep 2020, Kurt Jaeger wrote:
> My question is: can dovecot be used to debug/decrypt TLS sessions?
> The reason I'm asking:
> A custom application wants to speak IMAP with TLS with a dovecot instance.
If it's happening during the handshake (i.e. IMAP/POP hasn't even started) you can try debugging the interaction by using "openssl s_server" on an alternate port with the same SSL parameters used by your dovecot. It's not the full-fledged environment you're trying to test but may expose the problem.
Joseph Tam <jtam.home@gmail.com>
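The key log file that SSLKEYLOGFILE produces, as described in the first message, has a fixed line format, and the session=<...> string from the login log line is not in that format. The following is an added example, not code from the thread or from dovecot or Wireshark: it parses a key log and reports whether the secrets for a given ClientHello random from the capture are present. The function names and sample values are constructed for illustration.

```python
import re

# Labels used by the NSS key log format (the file SSLKEYLOGFILE points at).
TLS12_LABEL = "CLIENT_RANDOM"
TLS13_LABELS = {
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0",
}
HEX = re.compile(r"^[0-9a-fA-F]+$")

def parse_keylog(text):
    """Return {client_random_hex: {label: secret_hex}}; ValueError on a bad line."""
    sessions = {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed
        parts = line.split()
        if len(parts) != 3 or not all(HEX.match(p) for p in parts[1:]):
            raise ValueError(f"line {n}: expected '<LABEL> <hex> <hex>'")
        label, rnd, secret = parts[0], parts[1].lower(), parts[2].lower()
        if len(rnd) != 64:
            raise ValueError(f"line {n}: client random must be 32 bytes")
        if label == TLS12_LABEL and len(secret) != 96:
            raise ValueError(f"line {n}: TLS 1.2 master secret must be 48 bytes")
        sessions.setdefault(rnd, {})[label] = secret  # other labels kept as-is
    return sessions

def coverage(sessions, client_random_hex):
    """What the key log offers for the capture with this ClientHello random."""
    labels = set(sessions.get(client_random_hex.lower(), {}))
    if TLS12_LABEL in labels:
        return "tls1.2-full"
    if TLS13_LABELS <= labels:
        return "tls1.3-full"      # handshake and application data secrets
    if labels & TLS13_LABELS:
        return "tls1.3-partial"   # some records will stay encrypted
    return "none"

# Constructed sample data (not real secrets).
R12, R13 = "aa" * 32, "bb" * 32
SAMPLE = "# constructed key log\n"
SAMPLE += f"CLIENT_RANDOM {R12} {'11' * 48}\n"
SAMPLE += "".join(f"{l} {R13} {'22' * 32}\n" for l in sorted(TLS13_LABELS))

if __name__ == "__main__":
    s = parse_keylog(SAMPLE)
    print(coverage(s, R12), coverage(s, R13), coverage(s, "cc" * 32))
```

The client random to look up is the Random field of the ClientHello in the pcap; a result of "none" means the key log was written by a different connection than the one captured.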