Thursday, June 2, 2011

Wireshark QuickTip: Capturing SSL on a Non-Standard Port (ie. not port 443)

Wireshark aficionados will likely scoff at me for my newb-ness in being tripped up by this but I thought I'd post it anyway in case it was relevant/useful to others - ridicule be damned!

Quick Bit:  To capture an SSL/TLS negotiation in Wireshark if the port being used is NOT 443, in Wireshark go to "Edit > Preferences > Protocols > HTTP" and add the port number in the SSL/TSL Ports box.

Trying to connect to a Juniper Secure Services Gateway admin interface using a modern browser: IE (9), Firefox (4), Chrome. None of the browsers would allow the HTTPS connection because none of them could match the ciphers proposed by the gateway.

Obviously I need to "finesse" the internals of one of my browsers so that a compatible cipher set can be negotiated.  I picked FF4 because I have some experience messing around with the "about:config" settings.  Now, how to figure out what cipher propositions are coming from the SSG?  Aha!  Wireshark to the rescue.

Simple, right?  Apparently not.  I ran a couple of captures and saw zero SSL/TLS packets in the results. Wha...?  Found a couple of articles on the net that suggested you need to set up your capture BEFORE even opening the browser (NOTE:  I think this might be overkill just to ensure none of the initial SSL/TLS negotiation has happened before the capture starts).  So, that's what I did.  Still nothing.  It should be noted here that the HTTPS URL also included a ":port-number" at the end, and the port number was not 443.

I did a bit of digging through the individual protocol settings in the "Edit > Preferences > Protocols" configuration of Wireshark, looking for SSL, TLS, IP - even looked for IPsec/IKE/ISAKMP even though they're frameworks rather than protocols...Nothing helped.

Eventually I found what I needed under "Edit > Preferences > Protocols > HTTP."  Here you have the option to nominate specific ports that should be related to SSL/TLS.  Once I'd added the non-standard port and applied the config my existing capture magically exposed the SSL/TLS session info that I so desperately needed.

Viewing the captured SSL/TLS negotiation allowed me to enable a cipher in FF4 that was compatible with one of the proposals coming from the SSG and therefore...[Trumpets]...Log in!

I think this also highlights Firefox's "about:config" configuration page as an excellent troubleshooting resource if you're confident you know what you're doing.  If you're not confident, don't touch it!

If you know of a similar "under the hood" configuration method for any of the other browsers I'd be happy to know about it - leave some details in the comments.

No comments:

Post a Comment