Decryption TLS1.3 on server-side (apache24)

urameshi

New Member


Messages: 3

Hello,
on CentOS 8, mod_ssl has a function that stores pre-master secret keys in a file, and I load this file into Wireshark to decrypt stored traffic over TLS 1.3. It's simple: I set an environment variable called "SSLKEYLOGFILE" in the systemd unit of Apache, and it works on CentOS 8. But it does not work on FreeBSD. I tried putting the SSLKEYLOGFILE variable into the rc script for Apache (/usr/local/etc/rc.d/apache24), and when I restart Apache and load a web page, the SSLKEYLOG file is created but the file is empty. I tried comparing mod_ssl on FreeBSD and on CentOS 8:

Centos 8:
#strings mod_ssl.so | grep -i "mod_ssl\/"
mod_ssl/2.4.37

#strings mod_ssl.so | grep -i "sslkeylogfile"
SSLKEYLOGFILE
AH10226: Could not open log file '%s' configured via SSLKEYLOGFILE

FreeBSD 12.2:
#strings mod_ssl.so | grep -i "mod_ssl\/"
Amod_ssl/2.4.48

#strings mod_ssl.so | grep -i "sslkeylogfile"
NOTHING

Is it possible that mod_ssl on FreeBSD 12.2 does not have the function for logging pre-master secret keys? Have you got any idea how I can decrypt TLS 1.3 on FreeBSD with apache24?
Thanks.
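Whatever ends up writing the key log (mod_ssl, a preloaded library, or another TLS application), Wireshark reads the same NSS key log format, so a quick check of the file's contents tells you whether you have an empty file, a partial session, or something usable. This is an added example, not code from the thread or from Apache/OpenSSL; the sample entries are constructed placeholder hex, not real secrets.

```python
import re
from collections import defaultdict

# Secrets Wireshark needs for one TLS 1.3 session (keyed by the 32-byte client random)
TLS13_REQUIRED = {
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0",
}
# Remaining labels OpenSSL's keylog callback emits; anything else is flagged
KNOWN_LABELS = TLS13_REQUIRED | {"CLIENT_RANDOM", "CLIENT_EARLY_TRAFFIC_SECRET",
                                 "EARLY_EXPORTER_SECRET", "EXPORTER_SECRET"}
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")

def parse_keylog(text):
    """Return ({client_random: {label: secret}}, [problems]) for NSS key log text."""
    sessions, problems = defaultdict(dict), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            problems.append(f"line {lineno}: malformed entry")
            continue
        label, client_random, secret = m.groups()
        if label not in KNOWN_LABELS:
            problems.append(f"line {lineno}: unknown label {label}")
        # 96 hex = TLS 1.2 master secret or SHA-384 secret, 64 hex = SHA-256 secret
        if len(secret) not in (64, 96):
            problems.append(f"line {lineno}: unexpected secret length {len(secret)}")
        sessions[client_random.lower()][label] = secret.lower()
    return dict(sessions), problems

def decryptable_sessions(sessions):
    """Client randoms whose entries are enough for Wireshark to decrypt the session."""
    return [cr for cr, labels in sessions.items()
            if "CLIENT_RANDOM" in labels or TLS13_REQUIRED.issubset(labels)]

# Constructed sample (placeholder hex, not real secrets): one complete TLS 1.3 session,
# one TLS 1.2 session, one TLS 1.3 session missing its server secrets, and a stray line.
CR1, CR2, CR3, S32, S48 = "11" * 32, "22" * 32, "33" * 32, "aa" * 32, "bb" * 48
SAMPLE = "\n".join([
    "# constructed sample",
    *(f"{label} {CR1} {S32}" for label in sorted(TLS13_REQUIRED) + ["EXPORTER_SECRET"]),
    f"CLIENT_RANDOM {CR2} {S48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR3} {S32}",
    f"CLIENT_TRAFFIC_SECRET_0 {CR3} {S32}",
    "this is not a key log line",
])
```

Run `parse_keylog` over the real file instead of `SAMPLE`; an empty result with no problems is exactly the "file created but empty" symptom, meaning the TLS library never invoked its keylog callback.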
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 11,618
Messages: 37,958

I set an environment variable called "SSLKEYLOGFILE" in the systemd unit of Apache, and it works on CentOS 8
That isn't a standard environment variable for mod_ssl.


After a bit of digging, this is actually a feature of OpenSSL; SSL_CTX_set_keylog_callback(3)
It mentions that applications can use this for debugging purposes. Which is likely why this isn't turned on by default on FreeBSD (it's rather a big deal if you leak your keys in a production environment). So you probably have to build www/apache24 from ports with the DEBUG option set.

I tried putting the SSLKEYLOGFILE variable into the rc script for Apache (/usr/local/etc/rc.d/apache24)
Don't edit that file (never edit any of the rc(8) files!). That's not where you set environment variables for Apache. Use apache24_envvars in /etc/rc.conf.
 
OP

urameshi

New Member


Messages: 3

That isn't a standard environment variable for mod_ssl


After a bit of digging, this is actually a feature of OpenSSL; SSL_CTX_set_keylog_callback(3)
What does that mean? mod_ssl depends on OpenSSL, so is it possible to set it to store the keys to a file? I didn't find any option in /etc/ssl/openssl.cnf or anywhere in Apache.

Don't edit that file (never edit any of the rc(8) files!). That's not where you set environment variables for Apache. Use apache24_envvars in /etc/rc.conf.
Now I use /etc/rc.conf.

Thank you for the answer.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 11,618
Messages: 37,958

What does that mean? mod_ssl depends on OpenSSL, so is it possible to set it to store the keys to a file? I didn't find any option in /etc/ssl/openssl.cnf or anywhere in Apache.
I added some extra information later on:
It mentions that applications can use this for debugging purposes. Which is likely why this isn't turned on by default on FreeBSD (it's rather a big deal if you leak your keys in a production environment). So you probably have to build www/apache24 from ports with the DEBUG option set.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 11,618
Messages: 37,958

Yeah, you should also keep in mind that RedHat (and thus CentOS) typically has a lot of custom patches on everything.
 
OP

urameshi

New Member


Messages: 3

I added some extra information later on:
After a bit of digging, this is actually a feature of OpenSSL; SSL_CTX_set_keylog_callback(3)
It mentions that applications can use this for debugging purposes. Which is likely why this isn't turned on by default on FreeBSD (it's rather a big deal if you leak your keys in a production environment). So you probably have to build www/apache24 from ports with the DEBUG option set.
I tried reinstalling apache24 with the LOG_DEBUG option, but it does not work; it does not store the pre-master keys to the file.

Yeah, you should also keep in mind that RedHat (and thus CentOS) typically has a lot of custom patches on everything.
Yes, I agree.

I think you either need this https://github.com/bozzzzo/sslkeylog and preload it for the apache process,
or this https://gist.github.com/schierlm/fef3d79818f5561cd87991c89b81122f to patch mod_ssl itself.

If you just need something simple, you could reverse proxy all HTTPS requests to the same vhost non-SSL on a local interface and tcpdump in between.
Thank you for the tips. I tried setting up the reverse proxy in the vhost and redirecting the SSL traffic to non-SSL traffic on localhost port 8080, set Apache to listen on port 8080 and created a vhost for that port number, and stored the traffic with tcpdump to a file. For my purpose it is the easiest option, and it is fully working.
 