How to log pre master key to SSLKEYLOGFILE

New Member

Hi there

I'm an IT trainee working on my final school project. For that I have a complete Splunk setup with Indexer Cluster, Search Head Cluster, Deployment Server and an HA proxy, everything running on CentOS 7.6. The Universal Forwarders are installed on Windows Server 2016 and Windows 10 Enterprise.

The communication between Forwarders and Peer nodes is configured with SSL, using self-signed certificates. This communication I can capture with Wireshark from my Windows laptop, by SSH to a Peer node, running a tcpdump and piping it back to Wireshark on my laptop. I can see Hello messages, key exchange, everything. What I would like to do is to decrypt the traffic and show the data in clear text in Wireshark. I'm using Diffie-Hellman for the key exchange, so the RSA private key won't work.

I have read a lot of guides, all of them showing how to do it with browser traffic, all telling to log the 'pre master key' to a file and then use that in Wireshark. But I have not found a way to do it when it's another application.

I found this on Stack Exchange, but I admit, it's a bit out of my league of understanding.
https://security.stackexchange.com/questions/80158/extract-pre-master-keys-from-an-openssl-applicati...

I tried the LD_PRELOAD. Got the code from here: https://git.lekensteyn.nl/peter/wireshark-notes/tree/src/sslkeylog.c
Could not compile it the first time, but when I included the support for old versions, it worked. But I'm not sure how to use it. I've tried starting Splunk like this

SSLKEYLOGFILE=/tmp/premaster.txt LD_PRELOAD=./libsslkeylog.so /opt/splunk/bin/splunk start

But with no luck. Anyone tried this before, or maybe someone has a better understanding about this than me... or knows another solution to log the 'pre master key'.
Thanks in advance.

Michael

0 Karma

Engager

I do not have the answer, but am stuck at what appears to be the same place Michael is.

I start SPLUNK with the SSLKEYLOGFILE variable and the LD_PRELOAD. With that installed, SPLUNK should be writing to the SSLKEYLOGFILE, but it is not.

If I use that same SPLUNK instance as a client (e.g. using curl), the SSLKEYLOGFILE does get written to.

I get no errors, warnings or even info, in splunkd.log.

Not sure where to go or what to try next?

0 Karma
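Both posts stop at the same point: the preload library works for a client such as curl on the same host, but the Splunk daemon never writes the key log. The script below is an added example, not code from the thread, from Splunk or from the sslkeylog.c project; it assumes a Linux host with ldd(1) and grep -E. It checks the three things worth ruling out before digging further: whether the target binary resolves libssl dynamically at all (LD_PRELOAD can only interpose symbols the dynamic linker resolves, so a statically linked OpenSSL never reaches the hook), whether the LD_PRELOAD path is absolute (a relative entry such as ./libsslkeylog.so is resolved against the working directory of each process that starts, so a daemon that changes directory silently loses it), and whether the lines that do reach SSLKEYLOGFILE are in the NSS key log format Wireshark parses. The sample key log and its hex values are constructed, not captured secrets, and the paths in the usage line are placeholders.

```shell
#!/bin/sh
# Added diagnostic helper; not part of the original thread, Splunk, or the
# sslkeylog.c project. Assumes Linux with ldd(1) and grep -E available.
# Usage: sh keylog_check.sh /abs/path/libsslkeylog.so /opt/splunk/bin/splunkd /tmp/premaster.txt

# LD_PRELOAD only interposes symbols the process resolves through the dynamic
# linker. If the target links OpenSSL statically, ldd lists no libssl.so and
# the keylog hook can never run. Returns 0 when a dynamic libssl is found.
uses_dynamic_libssl() {
    ldd "$1" 2>/dev/null | grep -q 'libssl\.so'
}

# ld.so resolves a relative LD_PRELOAD entry (one containing a slash) against
# the current working directory of each process that starts, so a daemon that
# chdir()s or a wrapper started elsewhere loses the hook without any error.
# Returns 0 only for an absolute path.
is_absolute_path() {
    case "$1" in
        /*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Accepts one line of an NSS key log (the SSLKEYLOGFILE format Wireshark reads):
#   <label> <32-byte client random, hex> <secret, hex>
# TLS 1.2 logs CLIENT_RANDOM with a 48-byte master secret; TLS 1.3 logs one
# label per traffic secret, whose length follows the cipher suite hash
# (32 bytes for SHA-256, 48 bytes for SHA-384).
keylog_line_ok() {
    hex32='[0-9a-fA-F]{64}'
    tls13='(CLIENT_EARLY_TRAFFIC_SECRET|CLIENT_HANDSHAKE_TRAFFIC_SECRET|SERVER_HANDSHAKE_TRAFFIC_SECRET|CLIENT_TRAFFIC_SECRET_0|SERVER_TRAFFIC_SECRET_0|EXPORTER_SECRET)'
    printf '%s\n' "$1" | grep -Eq \
        "^(CLIENT_RANDOM $hex32 [0-9a-fA-F]{96}|$tls13 $hex32 ([0-9a-fA-F]{64}|[0-9a-fA-F]{96}))\$"
}

# Prints the number of well-formed entries in a key log file. A non-empty
# file with zero valid lines means something wrote to it, but not in a form
# Wireshark will use. Blank lines and '#' comments are permitted by the format.
count_keylog_entries() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        if keylog_line_ok "$line"; then n=$((n + 1)); fi
    done < "$1"
    echo "$n"
}

# Writes a constructed sample key log (fake hex, not real session secrets) so
# the checks above can be exercised without a live TLS session. The last line
# carries a truncated secret and must be rejected.
write_sample_keylog() {
    rand=$(printf '%064d' 0 | tr 0 a)
    master=$(printf '%096d' 0 | tr 0 b)
    hs=$(printf '%064d' 0 | tr 0 c)
    {
        echo "# constructed sample, not captured data"
        echo "CLIENT_RANDOM $rand $master"
        echo "CLIENT_HANDSHAKE_TRAFFIC_SECRET $rand $hs"
        echo "CLIENT_RANDOM $rand deadbeef"
    } > "$1"
}

# Stand-alone run: report on the preload path, the target binary and the log.
if [ "$#" -eq 3 ]; then
    is_absolute_path "$1" || echo "LD_PRELOAD path is relative, use an absolute one: $1"
    uses_dynamic_libssl "$2" || echo "no dynamic libssl.so in $2: the hook cannot interpose"
    if [ -s "$3" ]; then
        echo "well-formed key log entries in $3: $(count_keylog_entries "$3")"
    else
        echo "$3 is empty or missing: the hook never ran in that process"
    fi
fi
```

The interesting case from the thread is the one where the first two checks pass and the file still stays empty: that points at the process that actually owns the TLS socket not inheriting the environment from the `splunk start` wrapper, which is a question about how the daemon is launched rather than about the hook itself.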