irontec / sngrep

Ncurses SIP Messages flow viewer
GNU General Public License v3.0

no tls sip packets showing - sngrep 1.6.0, openssl 1.1.1, debian 11 #418

Closed adamlau closed 2 years ago

adamlau commented 2 years ago

Hi, I'm trying to use sngrep to view SIP traffic over TLS. I can see SIP traffic in wireshark with decryption using private key. In sngrep I don't see any SIP traffic using the same private key. I can see unencrypted traffic fine. I can confirm from wireshark that the ssl handshake is using tlsv1.2 with TLS_RSA_WITH_AES_256_GCM_SHA384 0x009D

These are the versions installed: sngrep - compiled from source

sngrep -V
sngrep - 1.6.0
Copyright (C) 2013-2018 Irontec S.L.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
* Compiled with OpenSSL support.
* Compiled with Wide-character support.
* Compiled with Perl Compatible regular expressions support.

openssl version
OpenSSL 1.1.1n  15 Mar 2022

debian version

lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 11 (bullseye)
Release:    11
Codename:   bullseye

Executing sngrep with: sngrep -k <path/to/privkey.pem> host <partner.sip.ip.address>

What I've done:

It seems to go through the logic in tls_process_record_handshake and do ClientHello, ServerHello and ClientKeyExchange. It picks up the correct client and server randoms (compared to what's seen in wireshark) and also prints out all the tls info, e.g. client_write_key, server_write_key, etc.

In the sngrep UI none of the expected TLS traffic shows. If I change the filter to listen to unencrypted traffic on port 5060 then sngrep displays the SIP traces as expected.

I can supply a pcap from wireshark if required.

Kaian commented 2 years ago

Hi!

Thanks for the detailed bug report!

If you can send me a sample pcap and key (kaian at irontec dot com), it would help a lot for debugging this one. I can compare each step output with wireshark to check when the output differs.

Thanks!!

Kaian commented 2 years ago

Thanks for the sample data!

Looks like GCM decrypting is not properly implemented in sngrep openssl capture code, but gnutls version is actually working, so if you have the urgent need, you can compile your own sngrep with --with-gnutls while I check where the problem is.

Regards!
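Kaian's comment above points at GCM record decryption as the failing step. As an added illustration that is not sngrep's code, the block below derives the TLS 1.2 key block for TLS_RSA_WITH_AES_256_GCM_SHA384 and builds the per-record nonce and additional data that AES-GCM decryption needs, which is where explicit-nonce, tag and length handling usually goes wrong. It uses only the Python standard library with a constructed master secret and randoms, and stops short of the AES-GCM call itself (that needs OpenSSL or a similar library).

```python
import hashlib
import hmac
import struct

# TLS 1.2 PRF (RFC 5246, section 5) built on P_SHA384: the SHA384 cipher
# suites (including 0x009D) use SHA-384 for key expansion, not SHA-256.
def p_hash(secret: bytes, seed: bytes, length: int, hashmod=hashlib.sha384) -> bytes:
    out, a = b"", seed                                   # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashmod).digest()        # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashmod).digest()
    return out[:length]

def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    return p_hash(secret, label + seed, length)

def derive_gcm_keys(master_secret: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Split the key block for an AEAD suite: no MAC keys, two 32-byte AES-256
    keys, then a 4-byte implicit nonce part ("salt") for each direction."""
    # Key expansion seeds with server_random first, the opposite order from
    # the master-secret derivation; mixing these up yields plausible but wrong keys.
    block = prf(master_secret, b"key expansion", server_random + client_random, 72)
    return {
        "client_write_key": block[0:32],
        "server_write_key": block[32:64],
        "client_write_iv": block[64:68],
        "server_write_iv": block[68:72],
    }

def gcm_record_inputs(write_iv: bytes, seq_num: int, content_type: int,
                      version: bytes, fragment: bytes) -> tuple:
    """Return (nonce, aad, ciphertext_with_tag) for one TLS 1.2 GCM record.
    The 8-byte explicit nonce leads the fragment, the 16-byte tag ends it, and
    the AAD length field is the plaintext length, not the fragment length."""
    explicit_nonce, body = fragment[:8], fragment[8:]
    nonce = write_iv + explicit_nonce                    # 4 + 8 = 12 bytes
    plaintext_len = len(body) - 16                       # drop the GCM tag
    aad = struct.pack("!QB", seq_num, content_type) + version + struct.pack("!H", plaintext_len)
    return nonce, aad, body

if __name__ == "__main__":
    # Constructed values for illustration, not taken from a real session.
    ms, cr, sr = bytes(range(48)), b"\x11" * 32, b"\x22" * 32
    keys = derive_gcm_keys(ms, cr, sr)
    fragment = b"\xaa" * 8 + b"\x00" * 60 + b"\xff" * 16  # nonce + 60 B ct + tag
    nonce, aad, ct = gcm_record_inputs(keys["server_write_iv"], 0, 0x17, b"\x03\x03", fragment)
    print(nonce.hex(), aad.hex(), len(ct))
```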

adamlau commented 2 years ago

Thanks Kaian, compiling with --with-gnutls worked for me. On Debian 11 Buster I also had to install the following packages to satisfy ./configure:

Thanks again for this amazing tool!

Kaian commented 2 years ago

Above commit should fix the implementation of GCM cipher with openssl if you want to give it a try. We never use TLS decrypt in sngrep, so it looks like it's never worked before.

Thanks a lot for taking the time for the detailed bug report, providing sample data and feedback!!

adamlau commented 2 years ago

Can confirm that commit fixed the issue for me.

Kind regards

Kaian commented 2 years ago

Thanks for the confirmation! I'm closing this, it will be included in the next release (no release date yet).