
2011-12-05

Wireshark Capture of Genesys T-Server SSL/TLS Network Packets

Product 1: Genesys CTI Suite (any version) for Windows
Product 2: Wireshark v1.6.4

Nobody has posted anything about capturing TLS-encrypted network packets for Genesys CTI applications, so I decided to write one.

This article describes how to configure Wireshark to capture SSL-encrypted network communication with a T-Server running on port 3000 and make it readable.

The overall activities are as below:
1. Export the Windows SSL certificate as a pfx file
2. Convert the SSL certificate pfx file to pem
3. Capture the network packets with Wireshark and restart the application
4. Configure the SSL pem certificate file in Wireshark

Step #3, which captures the network packets, is the crucial one. The rest of the steps can be done after the pcap file is saved. However, I am following the logical order above.

Export SSL Certificate
Genesys uses the Windows certificate store, the same one used by the IIS web server. There are many references on exporting SSL certificates from Windows, so I will only show the major screenshots.

Launch MMC and add the Certificates snap-in. Alternatively, export it from IIS Manager.

Navigate to the tree node Trusted Root Certification Authorities - Certificates. Look for the certificate whose name matches the T-Server hostname configured in Genesys Configuration Manager (CME). If several T-Servers are used, export the SSL certificate from each server and upload them into a common directory. This simplifies gathering the files later.

Choose PKCS #12 (pfx) as the output format. Ignore all the checkboxes, as Wireshark does not need any of them.

Assume I have two T-Servers, and saved them as tserver1.pfx and tserver2.pfx.

Assume the pfx files are saved in the C:\Wireshark\ directory.

Convert pfx to pem Certificate
This step is not required on Windows, as Wireshark can accept a pfx file directly. For other, non-pfx certificate formats, follow this section.

Download OpenSSL for Windows or Linux. It is a common utility that comes pre-installed on many Linux distributions. The free Windows build is provided by Shining Light Productions. Either the 32-bit or the 64-bit build is fine, so on 64-bit Windows either version will work.

http://www.slproweb.com/download/Win32OpenSSL-1_0_0e.exe (32-bit)

The program openssl.exe is the utility needed to convert the pfx file to a pem file.

Open a command prompt and run the following commands (adjust the OpenSSL path to where it is installed). The -nocerts option writes only the private key, and -nodes leaves that key unencrypted, which is what Wireshark needs.
cd C:\Wireshark

\Utilities\OpenSSL\bin\openssl pkcs12 -in tserver1.pfx -out tserver1.pem -nocerts -nodes
\Utilities\OpenSSL\bin\openssl pkcs12 -in tserver2.pfx -out tserver2.pem -nocerts -nodes

The content of the pem file will be similar to the following:

Bag Attributes
    Microsoft Local Key set:
    localKeyID: 01 00 00 00 
    Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
    friendlyName: c6bad00c9d00bfd55dc217383c14f1c5_d9350150-31e7-4e1f-889d-029377e717f2
Key Attributes
    X509v3 Key Usage: 10 
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQC1PfnMaKjLpTyTZXW90FlLMYAeRsciKVpVjtx973gT6W552Tot
....cut...

FCR4IYW4+ye/IfbV4bYgDDyW4Wb1bk9bNnF6/U7pXJ3/
-----END RSA PRIVATE KEY-----
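As an added check (example code of my own, not from the post, Genesys or Wireshark), the following Python script tells you whether a pem file produced by the openssl command above is one Wireshark can use. Wireshark needs an unencrypted RSA PRIVATE KEY block, which is why the command uses -nodes; the Bag Attributes preamble openssl prints is harmless, but the script also returns the bare key block in case you want to hand over a clean file. The DER check only inspects the outer PKCS#1 structure, and the sample inputs are constructed to mirror the output shown above; they are not real keys.

```python
"""Sanity-check the pem file from 'openssl pkcs12 -nocerts -nodes' before
giving it to Wireshark. Added example, not from the original post."""
import base64
import binascii
import re
import sys

# One PEM block: group 1 is the label, group 2 everything up to the END line.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def _der_header(der):
    """Return (tag, length, header_len) of the first DER element, or None."""
    if len(der) < 2:
        return None
    tag, first = der[0], der[1]
    if first < 0x80:                  # short-form length
        return tag, first, 2
    n = first & 0x7F                  # long-form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return None
    return tag, int.from_bytes(der[2:2 + n], "big"), 2 + n


def looks_like_rsa_private_key(der):
    """PKCS#1 RSAPrivateKey is SEQUENCE { INTEGER version (0), INTEGER n, ... }.
    Checks only the outer structure; it does not validate the key itself."""
    hdr = _der_header(der)
    if hdr is None or hdr[0] != 0x30:
        return False
    _, length, off = hdr
    if length != len(der) - off:
        return False
    return der[off:off + 3] == b"\x02\x01\x00"


def check_pem_key(text):
    """Classify a pem file for Wireshark use.
    Returns (usable, reason, cleaned_pem); cleaned_pem is the bare key block
    without the Bag Attributes preamble, or None when the file is not usable."""
    blocks = _PEM_BLOCK.findall(text)
    if not blocks:
        return False, "no PEM block found (wrong file, or openssl failed)", None
    for label, body in blocks:
        # Legacy encrypted PEM carries Proc-Type/DEK-Info headers inside the block;
        # encrypted PKCS#8 uses its own label. Both mean -nodes was omitted.
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            return False, "private key is passphrase-protected; rerun openssl with -nodes", None
        if label != "RSA PRIVATE KEY":
            continue
        b64 = "".join(line.strip() for line in body.splitlines()
                      if line.strip() and ":" not in line)
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error:
            return False, "key block is not valid base64", None
        if not looks_like_rsa_private_key(der):
            return False, "key block does not decode to a PKCS#1 RSAPrivateKey", None
        cleaned = "-----BEGIN RSA PRIVATE KEY-----\n" + body + "-----END RSA PRIVATE KEY-----\n"
        return True, "unencrypted PKCS#1 RSA private key", cleaned
    if any(label == "CERTIFICATE" for label, _ in blocks):
        return False, "file holds certificates but no private key (was -nokeys used?)", None
    return False, "no RSA PRIVATE KEY block found", None


# ---- constructed samples (NOT real keys), mirroring the post's openssl output ----
def _fake_rsa_der():
    # Structurally a PKCS#1 key: SEQUENCE { INTEGER 0, INTEGER 11, INTEGER 3 }
    body = b"\x02\x01\x00" + b"\x02\x01\x0b" + b"\x02\x01\x03"
    return b"\x30" + bytes([len(body)]) + body


FAKE_B64 = base64.b64encode(_fake_rsa_der()).decode()

SAMPLE_KEY_PEM = (
    "Bag Attributes\n"
    "    Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider\n"
    "Key Attributes\n"
    "    X509v3 Key Usage: 10 \n"
    "-----BEGIN RSA PRIVATE KEY-----\n" + FAKE_B64 + "\n"
    "-----END RSA PRIVATE KEY-----\n")

SAMPLE_ENCRYPTED_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n"
    "\n" + FAKE_B64 + "\n"
    "-----END RSA PRIVATE KEY-----\n")

SAMPLE_CERT_ONLY_PEM = (
    "-----BEGIN CERTIFICATE-----\n" + FAKE_B64 + "\n"
    "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # Usage: python check_pem.py C:\Wireshark\tserver1.pem (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_KEY_PEM
    usable, reason, _ = check_pem_key(text)
    print(("OK: " if usable else "NOT USABLE: ") + reason)
```

If the script reports a passphrase-protected key, the fix is simply to rerun the openssl command with -nodes; Wireshark has no way to prompt for the passphrase of a pem key.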

Capturing in Wireshark
To keep the pcap capture file small, configure Wireshark to capture only traffic to port 3000, which is the T-Server port for both T-Servers (or more).

Optionally, configure Wireshark to save the captured data to a file and automatically start a new file every hour. The following shows saving to C:\Wireshark.
Optionally, configure it to stop capturing after 5 hours. This is handy if you want network capturing to stop automatically, so the disk does not fill up.

Once the capture has started, restart any Genesys T-Server client, such as Siebel CRM, soft phone, OCM, CCPulse, StatServer, SAP soft phone, etc. This is because the SSL handshake mostly happens at application start or login, and it carries the handshake messages needed to decrypt the communication. If this step is missed, it is impossible to decode the network packets.

During the capture, pay attention to the specific application that needs to be traced. For example, I select a CRM CTI application which communicates with T-Server on port 64406 (client) and 3000 (T-Server), in packets marked [PSH, ACK]. Wireshark shows the alias name stm-pproc by default, but this is meaningless for Genesys T-Server troubleshooting.

Right-click on the packet and choose Decode As - SSL.

Click on the Transport tab and change the TCP port to "both". If the CTI application constantly changes its port number, then choose a packet sent from T-Server to client and select "source port", and another packet sent from client to T-Server and select "destination port". In either case, choose SSL as the protocol.

The packet will now show as the TLSv1 protocol. At this point it appears as a handshake failure, until the SSL pem certificate is configured below. The SSL configuration can be done after the pcap file is saved; doing it now is only for display purposes, mostly for real-time analysis.

Configure SSL pem Certificate
This step is required for Wireshark to show the content of the encrypted TLS packets. As long as Wireshark captured the certificate handshake packets, it is able to decrypt the content once this is configured.

Packets captured before the SSL certificate was configured can still be decrypted. Many people (who do not understand SSL and TLS security) wrongly believe otherwise.

Press Ctrl-Shift-P, or choose View - Preferences from the pull-down menu, to open the preferences screen.

Expand Protocols in the left panel and scroll down to SSL.

Click on the Edit button next to RSA keys list and fill in the pem file for each T-Server, clicking the Add button once per T-Server. The following screen shows T-Servers 192.168.1.11 and .12 on port 3000 added, each pointing to a different pem file.

Once this step is done, the previously encrypted SSL packets are readable.

In the above packets, we see the following:

  1. A packet containing "Server Hello"
  2. "Client Key Exchange" now contains the success message "Finished"; it previously showed "Encrypted Handshake Message"
  3. "Change Cipher Spec" now contains the success message "Finished"; it previously showed "Encrypted Handshake Message"
  4. The last packet changed from "Application Data" to "Continuation or non-HTTP traffic", with the protocol shown as HTTP
Click on the HTTP packet with a length of 141 bytes to show the decrypted content.
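The capture settings above (port 3000 only, a new file every hour, stop after 5 hours) and the RSA keys list can also be driven from the command line with tshark, which is handy when the capture has to run unattended on the T-Server host. The following Python script is an added example, not from the post; it assumes tshark is on the PATH and uses the Wireshark 1.6-era ssl.keys_list preference format (ip,port,protocol,keyfile entries separated by semicolons). Newer Wireshark releases manage the key list through the RSA Keys dialog and call the dissector tls instead of ssl. The IP addresses, port and pem paths are the post's values; the interface name is a placeholder.

```python
"""Command-line equivalent of the Wireshark GUI steps in this post: capture
only T-Server port traffic into hourly files, then decrypt offline with the
RSA keys list. Added example, not from the original post; assumes tshark is
on PATH and the Wireshark 1.6-era 'ip,port,protocol,keyfile' format."""
import subprocess

T_SERVER_PORT = 3000  # T-Server listening port from the post


def keys_list_pref(entries):
    """Build the ssl.keys_list preference value from (ip, port, protocol, keyfile)
    tuples: entries ';'-separated, fields ','-separated (assumed 1.6 format)."""
    return ";".join(f"{ip},{port},{proto},{keyfile}"
                    for ip, port, proto, keyfile in entries)


def capture_argv(interface, outfile, port=T_SERVER_PORT, hours=5):
    """tshark arguments matching the post's capture setup: only traffic to/from
    the T-Server port, rotate the file hourly, stop after `hours` hours."""
    return [
        "tshark",
        "-i", interface,
        "-f", f"tcp port {port}",          # capture filter: T-Server traffic only
        "-w", outfile,
        "-b", "duration:3600",             # ring buffer: new file every hour
        "-a", f"duration:{hours * 3600}",  # autostop so the disk does not fill up
    ]


def decrypt_argv(pcap, keys_list, port=T_SERVER_PORT):
    """tshark arguments to read a saved pcap, treat the T-Server port as SSL
    ('Decode As' in the GUI) and decrypt with the configured RSA private keys."""
    return [
        "tshark",
        "-r", pcap,
        "-d", f"tcp.port=={port},ssl",
        "-o", f"ssl.keys_list:{keys_list}",
        "-V",                              # full dissection incl. decrypted payload
    ]


def run(argv):
    """Execute one of the command lines above; returns tshark's exit status."""
    return subprocess.call(argv)


if __name__ == "__main__":
    # Values from the post: two T-Servers on port 3000, pem files in C:\Wireshark.
    # The post shows the decrypted payload dissected as HTTP, hence protocol "http".
    keys = keys_list_pref([
        ("192.168.1.11", T_SERVER_PORT, "http", r"C:\Wireshark\tserver1.pem"),
        ("192.168.1.12", T_SERVER_PORT, "http", r"C:\Wireshark\tserver2.pem"),
    ])
    # "1" is a placeholder interface number; list interfaces with: tshark -D
    print(" ".join(capture_argv("1", r"C:\Wireshark\tserver.pcap")))
    print(" ".join(decrypt_argv(r"C:\Wireshark\tserver.pcap", keys)))
```

Two things to check if the packets still show "Encrypted Handshake Message" after the keys are configured: the capture must include the handshake (restart the client, as described above), and the negotiated cipher suite must use RSA key exchange. With a Diffie-Hellman (DHE or ECDHE) suite the server's RSA private key does not reveal the session key, and this method cannot decrypt the traffic at all.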

I found that a pcap captured by Wireshark 1.6.4 cannot be decrypted by Wireshark 1.6.2. I am not sure whether this is a known bug in Wireshark, but it does look like a bug to me.

Post your comment if you need help or clarification

