Lekensteyn / wireshark-notes

Notes and captures for patching TLS in Wireshark (mirror of https://git.lekensteyn.nl/peter/wireshark-notes/)

Capture sslkey log file for QUIC traffic #1

Open Karthikdasari0423 opened 1 year ago

Karthikdasari0423 commented 1 year ago

Hi @Lekensteyn @hauke

First of all, thank you for such a great repo.

I am trying to capture TLS 1.3 traffic on nginx, which is using QUIC with BoringSSL, using https://github.com/Lekensteyn/wireshark-notes/blob/master/src/sslkeylog.py, but I am unable to capture the key log.

Am I missing anything? Could you please help me find out the issue?

Do I need to configure this module while building nginx? Like `# ./configure --add-module=path/to/wireshark-notes/module`

Thank you

Karthikdasari0423 commented 1 year ago

```
root@ubuntu:~# nginx -V
nginx version: nginx/1.23.4 (nginx-quic)
built by gcc 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)
built with OpenSSL 1.1.1 (compatible; BoringSSL) (running with BoringSSL)
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-compat --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module --build=nginx-quic --with-debug --with-http_v3_module --with-stream_quic_module --with-cc-opt=-I/src/boringssl/include --with-ld-opt='-L/src/boringssl/build/ssl -L/src/boringssl/build/crypto'
```

```
root@ubuntu:~# service nginx status
● nginx.service - A high performance web server and a reverse proxy server
     Loaded: loaded (/lib/systemd/system/nginx.service; disabled; vendor preset: enabled)
     Active: active (running) since Thu 2023-01-12 16:50:56 UTC; 14min ago
       Docs: man:nginx(8)
    Process: 164067 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
    Process: 164077 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
   Main PID: 164080 (nginx)
      Tasks: 9 (limit: 19087)
     Memory: 7.0M
     CGroup: /system.slice/nginx.service
             ├─164080 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
             ├─164081 nginx: worker process
             ├─164082 nginx: worker process
             ├─164083 nginx: worker process
             ├─164084 nginx: worker process
             ├─164085 nginx: worker process
             ├─164086 nginx: worker process
             ├─164087 nginx: worker process
             └─164088 nginx: worker process

Jan 12 16:50:56 ubuntu systemd[1]: Starting A high performance web server and a reverse proxy server...
Jan 12 16:50:56 ubuntu systemd[1]: Started A high performance web server and a reverse proxy server.
```

```
root@ubuntu:~# ps -eaf | grep nginx
root 164080 1 0 16:50 ? 00:00:00 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
www-data 164081 164080 0 16:50 ? 00:00:00 nginx: worker process
www-data 164082 164080 0 16:50 ? 00:00:00 nginx: worker process
www-data 164083 164080 0 16:50 ? 00:00:00 nginx: worker process
www-data 164084 164080 0 16:50 ? 00:00:00 nginx: worker process
www-data 164085 164080 0 16:50 ? 00:00:00 nginx: worker process
www-data 164086 164080 0 16:50 ? 00:00:00 nginx: worker process
www-data 164087 164080 0 16:50 ? 00:00:00 nginx: worker process
www-data 164088 164080 0 16:50 ? 00:00:00 nginx: worker process
root 164533 146943 0 17:06 pts/1 00:00:00 grep --color=auto nginx
```

```
root@ubuntu:~# gdb -q -ex 'py skl.start()' -p 164080
Attaching to process 164080
Reading symbols from /usr/sbin/nginx...
Reading symbols from /lib/x86_64-linux-gnu/libdl.so.2...
Reading symbols from /usr/lib/debug/.build-id/c0/f40155b3f8bf8c494fa800f9ab197ebe20ed6e.debug...
Reading symbols from /lib/x86_64-linux-gnu/libpthread.so.0...
Reading symbols from /usr/lib/debug/.build-id/7b/4536f41cdaa5888408e82d0836e33dcf436466.debug...
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Reading symbols from /lib/x86_64-linux-gnu/libcrypt.so.1...
(No debugging symbols found in /lib/x86_64-linux-gnu/libcrypt.so.1)
Reading symbols from /lib/x86_64-linux-gnu/libpcre.so.3...
(No debugging symbols found in /lib/x86_64-linux-gnu/libpcre.so.3)
Reading symbols from /lib/x86_64-linux-gnu/libz.so.1...
(No debugging symbols found in /lib/x86_64-linux-gnu/libz.so.1)
Reading symbols from /lib/x86_64-linux-gnu/libc.so.6...
Reading symbols from /usr/lib/debug/.build-id/18/78e6b475720c7c51969e69ab2d276fae6d1dee.debug...
Reading symbols from /lib64/ld-linux-x86-64.so.2...
Reading symbols from /usr/lib/debug/.build-id/45/87364908de169dec62ffa538170118c1c3a078.debug...
Reading symbols from /lib/x86_64-linux-gnu/libnss_files.so.2...
Reading symbols from /usr/lib/debug/.build-id/45/da81f0ac3660e3c3cb947c6244151d879ed9e8.debug...
0x00007f957033b45c in __GI___sigsuspend (set=set@entry=0x7ffeae2823d0) at ../sysdeps/unix/sysv/linux/sigsuspend.c:26
26 ../sysdeps/unix/sysv/linux/sigsuspend.c: No such file or directory.
Started logging SSL keys to /tmp/premaster.txt
Breakpoint 1 at 0x55840ec4679e: file /src/boringssl/ssl/ssl_lib.cc, line 868.
Breakpoint 2 at 0x55840ec46661: file /src/boringssl/ssl/ssl_lib.cc, line 835.
Breakpoint 3 at 0x55840ec467d5: file /src/boringssl/ssl/ssl_lib.cc, line 877.
Breakpoint 4 at 0x55840ec46d73: file /src/boringssl/ssl/ssl_lib.cc, line 1019.
Breakpoint 5 at 0x55840ec46f26: file /src/boringssl/ssl/ssl_lib.cc, line 1052.
```

```
root@ubuntu:~# cat /tmp/premaster.txt
Automatically generated by sslkeylog.py
root@ubuntu:~#
```