Wireshark aficionados will likely scoff at me for my newb-ness in being tripped up by this but I thought I'd post it anyway in case it was relevant/useful to others - ridicule be damned!
Quick Bit: To capture an SSL/TLS negotiation in Wireshark when the port being used is NOT 443, go to "Edit > Preferences > Protocols > HTTP" and add the port number to the SSL/TLS Ports box.
Scenario:
Trying to connect to a Juniper Secure Services Gateway admin interface using a modern browser: IE (9), Firefox (4), Chrome. None of the browsers would allow the HTTPS connection because none of them could match the ciphers proposed by the gateway.
Resolution:
Obviously I need to "finesse" the internals of one of my browsers so that a compatible cipher set can be negotiated. I picked FF4 because I have some experience messing around with the "about:config" settings. Now, how to figure out what cipher propositions are coming from the SSG? Aha! Wireshark to the rescue.
Simple, right? Apparently not. I ran a couple of captures and saw zero SSL/TLS packets in the results. Wha...? Found a couple of articles on the net that suggested you need to set up your capture BEFORE even opening the browser (NOTE: I think this might be overkill just to ensure none of the initial SSL/TLS negotiation has happened before the capture starts). So, that's what I did. Still nothing. It should be noted here that the HTTPS URL also included a ":port-number" at the end, and the port number was not 443.
I did a bit of digging through the individual protocol settings in the "Edit > Preferences > Protocols" configuration of Wireshark, looking for SSL, TLS, IP - even looked for IPsec/IKE/ISAKMP even though they're frameworks rather than protocols...Nothing helped.
Eventually I found what I needed under "Edit > Preferences > Protocols > HTTP." Here you have the option to nominate specific ports that should be related to SSL/TLS. Once I'd added the non-standard port and applied the config my existing capture magically exposed the SSL/TLS session info that I so desperately needed.
Viewing the captured SSL/TLS negotiation allowed me to enable a cipher in FF4 that was compatible with one of the proposals coming from the SSG and therefore...[Trumpets]...Log in!
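What the dissector exposes once it is pointed at the right port is the handshake itself: the browser's ClientHello listing every cipher suite it offers, and the gateway's ServerHello naming the one it chose (or an alert if nothing matched). As an added example, not code from this post or from Wireshark, the parser below decodes those two messages from raw TLS records; the builder functions construct sample records so it runs offline, and the suite-name table is a hand-picked subset of the IANA registry, not a complete one.

```python
import struct

# Subset of IANA cipher-suite names; enough for the constructed samples below.
CIPHER_NAMES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}

def parse_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello or ServerHello.
    Returns the message type, legacy version and the suites it names: the
    whole offered list for a ClientHello, the single chosen one for a ServerHello."""
    content_type, _maj, _min, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != 22:  # 22 = handshake
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + rec_len]
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    # Both Hellos start with: version(2) random(32) session_id<0..32>
    version = (hs[0], hs[1])
    pos = 2 + 32
    sid_len = hs[pos]; pos += 1 + sid_len
    if hs_type == 1:  # ClientHello: cipher_suites<2..2^16-2>, length-prefixed
        cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
        suites = [struct.unpack("!H", hs[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    elif hs_type == 2:  # ServerHello: exactly one chosen cipher_suite
        suites = [struct.unpack("!H", hs[pos:pos + 2])[0]]
    else:
        raise ValueError("not a ClientHello or ServerHello")
    return {"type": "ClientHello" if hs_type == 1 else "ServerHello",
            "version": version,
            "suites": [CIPHER_NAMES.get(s, f"UNKNOWN_0x{s:04X}") for s in suites]}

def build_server_hello(suite: int) -> bytes:
    """Constructed sample: a TLS 1.0 ServerHello record choosing one suite (zero random, no session id)."""
    hs = bytes([3, 1]) + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return b"\x16\x03\x01" + struct.pack("!H", len(body)) + body

def build_client_hello(suites) -> bytes:
    """Constructed sample: a TLS 1.0 ClientHello record offering the given suites."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hs = bytes([3, 1]) + bytes(32) + b"\x00" + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    body = b"\x01" + len(hs).to_bytes(3, "big") + hs
    return b"\x16\x03\x01" + struct.pack("!H", len(body)) + body
```

Comparing the ServerHello's suite against the ClientHello's list is the same check the browsers failed here: if the gateway's choice is absent from the offer, that is the mismatch the about:config change had to close.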
I think this also highlights Firefox's "about:config" configuration page as an excellent troubleshooting resource if you're confident you know what you're doing. If you're not confident, don't touch it!
If you know of a similar "under the hood" configuration method for any of the other browsers I'd be happy to know about it - leave some details in the comments.