dotpcap / packetnet

Official repository - High performance .Net assembly for dissecting and constructing network packets such as ethernet, ip, tcp, udp etc.
Mozilla Public License 2.0

TLS decoding support #193

Open chmorgan opened 2 years ago

chmorgan commented 2 years ago

Thoughts on how we might implement tls decoding like wireshark can perform? Can we reuse anything wireshark has done? Should we aim for a purely managed approach? Build on packetnet-connections?

chmorgan commented 1 year ago

@PhyxionNL @kayoub5 thoughts on how we might get TLS support?

kayoub5 commented 1 year ago

Without user-provided certificates (either client or server), the only thing you can support is authentication-only TLS (payload not encrypted).

chmorgan commented 1 year ago

@kayoub5 I think we'd assume the user would provide certificates yep.

raffaeler commented 1 year ago

I investigated this topic and want to provide some feedback.

In modern TLS, the private key of the certificate alone does not allow full decryption. If the traffic uses the RSA keys, the certificate is enough; however, if Diffie-Hellman ephemeral keys are used, it is necessary to have the negotiated key, which changes for every session. Anyway, decryption is possible because the libraries used by the two major browsers (Firefox and Chrome) can be enabled to write the secrets (for debugging purposes) using the SSLKEYLOGFILE environment variable. Unfortunately, this method is not currently supported by HttpClient and other libraries/frameworks, but some workarounds can be found at the provided link. A good video on how decryption works inside Wireshark can be found here.

I believe it would be very valuable to have the ability to decrypt TLS traffic. If we skip for a moment the problem of retrieving the encryption key, the very first thing to do would be a TLS/SSL packet class (dissector) matching all the TLS and SSL versions. With those, we should be able to see the dump that Wireshark shows when decryption is not enabled.

When writing the new dissectors, it is important to consider the differences when it comes to HTTP/2, QUIC and the upcoming HTTP/3 (which is already available in .NET but off by default), as it uses UDP. After the required dissectors are there, the decryption could be done by manually feeding the key or by reading the file obtained with SSLKEYLOGFILE, which hopefully will become standard for .NET and other libraries.

Some more detail on how TLS works:
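As an added illustration, not code from PacketDotNet or from anyone in this thread, the following Python shows the two pieces the comment above describes: a record-layer/handshake dissector that works without any keys (the "dump Wireshark shows when decryption is not enabled"), and a lookup of the 32-byte ClientHello random against the NSS key-log format that SSLKEYLOGFILE produces, which is how the per-session secrets get associated with a captured session. All packet bytes, random values and key-log lines are constructed inline; the secret values are placeholders. The code stops at locating the right secrets for a session and does not derive traffic keys or decrypt anything.

```python
"""TLS record dissection plus SSLKEYLOGFILE (NSS key log) matching.
Added illustration; not part of PacketDotNet.  All sample data is constructed."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   16: "client_key_exchange", 20: "finished"}


@dataclass
class TlsRecord:
    content_type: str
    version: str            # record-layer version (TLS 1.3 still says TLS 1.2 here)
    length: int
    handshake_type: Optional[str] = None
    client_random: Optional[bytes] = None


def parse_records(payload: bytes) -> List[TlsRecord]:
    """Walk back-to-back TLS records in a TCP payload; each has a 5-byte header."""
    records = []
    off = 0
    while off + 5 <= len(payload):
        ctype, ver, length = struct.unpack("!BHH", payload[off:off + 5])
        body = payload[off + 5:off + 5 + length]
        if len(body) < length:
            break  # truncated: the rest of this record arrives in a later segment
        rec = TlsRecord(CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
                        VERSIONS.get(ver, hex(ver)), length)
        if ctype == 22 and len(body) >= 4:
            htype = body[0]
            rec.handshake_type = HANDSHAKE_TYPES.get(htype, f"unknown({htype})")
            # ClientHello: 4-byte handshake header, 2-byte legacy version, 32-byte random
            if htype == 1 and len(body) >= 38:
                rec.client_random = body[6:38]
        records.append(rec)
        off += 5 + length
    return records


def parse_keylog(text: str) -> Dict[bytes, Dict[str, bytes]]:
    """Index an SSLKEYLOGFILE by client random.

    Each line is '<LABEL> <client_random hex> <secret hex>'.  TLS 1.2 sessions
    use one CLIENT_RANDOM line (the master secret); TLS 1.3 sessions have several
    per-direction traffic secrets filed under the same client random.
    """
    secrets: Dict[bytes, Dict[str, bytes]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or line.lstrip().startswith("#"):
            continue
        label, rand_hex, secret_hex = parts
        try:
            rand, secret = bytes.fromhex(rand_hex), bytes.fromhex(secret_hex)
        except ValueError:
            continue  # malformed line: skip it rather than abort the whole file
        if len(rand) == 32:
            secrets.setdefault(rand, {})[label] = secret
    return secrets


def match_sessions(payload: bytes, keylog_text: str) -> List[Tuple[str, List[str]]]:
    """For each ClientHello seen, report which key-log labels exist for that session."""
    secrets = parse_keylog(keylog_text)
    return [(rec.client_random.hex(), sorted(secrets.get(rec.client_random, {})))
            for rec in parse_records(payload) if rec.handshake_type == "client_hello"]


def build_client_hello(random32: bytes, legacy_version: int = 0x0303) -> bytes:
    """Minimal constructed ClientHello record (one cipher suite, no extensions)."""
    body = (struct.pack("!H", legacy_version) + random32
            + b"\x00"                  # session_id length 0
            + b"\x00\x02\x13\x01"      # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"              # compression_methods: null
            + b"\x00\x00")             # extensions length 0
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, 0x0303, len(handshake)) + handshake


# Constructed sample: three ClientHellos followed by a truncated application_data record.
RAND_A, RAND_B, RAND_C = bytes(range(32)), bytes(range(32, 64)), bytes(range(64, 96))
SAMPLE_PAYLOAD = (build_client_hello(RAND_A) + build_client_hello(RAND_B)
                  + build_client_hello(RAND_C)
                  + struct.pack("!BHH", 23, 0x0303, 100) + b"\x00" * 10)
SAMPLE_KEYLOG = f"""# constructed key log in NSS format; secrets are placeholder bytes
CLIENT_RANDOM {RAND_A.hex()} {'11' * 48}
CLIENT_HANDSHAKE_TRAFFIC_SECRET {RAND_B.hex()} {'22' * 32}
SERVER_HANDSHAKE_TRAFFIC_SECRET {RAND_B.hex()} {'33' * 32}
CLIENT_TRAFFIC_SECRET_0 {RAND_B.hex()} {'44' * 32}
SERVER_TRAFFIC_SECRET_0 {RAND_B.hex()} {'55' * 32}
"""

if __name__ == "__main__":
    for rec in parse_records(SAMPLE_PAYLOAD):
        print(rec.content_type, rec.version, rec.length, rec.handshake_type)
    for rand_hex, labels in match_sessions(SAMPLE_PAYLOAD, SAMPLE_KEYLOG):
        print(rand_hex[:16], "...", labels or "no secrets: session cannot be decrypted")
```

The client random is the join key because it is sent in the clear and is unique per session, so a dissector can index secrets before it knows anything else about the connection. The third session has no key-log line, which is exactly the key-retrieval problem the comment sets aside: without a matching entry the dissector can still show record types, versions and handshake message names, but nothing inside application_data.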

twa890 commented 9 months ago

I would love to see this support added. Provide a way to access the SSLKEYLOGFILE file, similar to how Wireshark does it (point to a file). Then decrypt it. BACnet SC traffic is what I would like to decrypt and parse. I am open to compensating someone to implement this.

raffaeler commented 9 months ago

It looks like the dotnet team is working on that, and the decryption support is coming in .NET 9 (https://github.com/dotnet/runtime/issues/37915). You can follow the work in progress here: https://github.com/orgs/dotnet/projects/347