![]() Since Mavericks, the Transport Security Layer disables the ignores the option to set the cipher suite. Unfortunately, if you are on a Mac, the curl request will not work. With the listed ciphers from the server, form the curl request and specify a compatible cipher: $ curl -v -tlsv1.2 -cipher rsa_aes_128_sha -cert client.p12:weblogic \ > On the server, list the available ciphers and narrow down to the relevant ones that will work for Wireshark inspecting: $ openssl ciphers | tr ':' '\n' | grep AES | egrep -v 'DH|PSK' ![]() Traffic encrypted with any version of Diffie-Hellman will not work. ![]() To properly capture 2-way authentication and be able to decrypt the tcp stream in Wireshark, the traffic must be encrypted with RSA. If you want to be specific about the port then a more advanced command: $ sudo tcpdump -i any -s0 -w output.pcap \ > '(host 10.201.100.100 or 10.201.100.101) and port 443' Use the ELB IP addresses to form the tcpdump command: $ sudo tcpdump -i any -s0 -w output.pcap host 10.201.100.100 or 10.201.100.101 In my environment, the backend server is behind an AWS Elastic Load Balancer so we need to find the IP addresses of the ELB: $ host .com To convert a PEM file to PKCS12 format: $ openssl pkcs12 -export -out server.p12 \ > -inkey server.key \ > -in server.pem \ > -certfile server-cacert.pem To convert a JKS file to PKCS12 format: $ keytool -importkeystore -srckeystore client.jks \ > -srcstorepass weblogic \ > -destkeystore client.p12 \ > -deststorepass weblogic \ > -srcalias client \ > -deststoretype pkcs12 The client in this case is a Tomcat server but sometimes a JMeter client which is used for testing. ![]() ![]() With Wireshark it is preferred that we have PKCS12 format files so we need to convert our certificates to that format. The following are notes that I took to show how to use Wireshark to inspect the tcp stream of encrypted traffic.įirst, we need to have both client and server certificates. Inspect 2-way authentication with Tcpdump and Wireshark Īt work, I run an Nginx server that is configured for 2-way authentication. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |