Product 2: Wireshark v1.6.4
Nobody has posted anything about capturing TLS-encrypted network packets for the Genesys CTI application, so I decided to write one.
The overall steps are as follows:
1. Export the Windows SSL certificate, together with its private key, as a .pfx file
2. Convert the .pfx file to .pem
3. Capture the network packets with Wireshark and restart the application
4. Configure the .pem key file in Wireshark
Step 3 is the crucial one, since it is the step that actually captures the packets; the remaining steps can be done after the pcap file is saved. The steps are nonetheless presented in the logical order above.
Export SSL Certificate
Genesys uses the Windows certificate store, which is the same store the IIS web server uses. There are many references on exporting SSL certificates from Windows, so only the main screenshots are shown here. Keep in mind that what Wireshark needs is the server's private key, not just the certificate: whoever holds the exported file can decrypt every RSA-key-exchange session to that T-Server, so treat the .pfx and .pem files with the same care as the server itself and remove them when the analysis is done.
Launch MMC and add the Certificates snap-in. Alternatively, export it from IIS Manager.
Navigate to the tree node Trusted Root Certification Authorities > Certificates and look for the certificate whose name matches the T-Server hostname configured in Genesys Configuration Manager (CME). It must be a certificate for which the store holds the private key (if it is not found there, the Personal store is where IIS normally keeps server certificates together with their keys). If several T-Servers are used, export the certificate from each server and copy the files into one common directory; this simplifies gathering them later.
Choose PKCS #12 (.pfx) as the output format and answer yes when the wizard asks whether to export the private key; without the key Wireshark cannot decrypt anything. The remaining checkboxes can be left unchecked, as Wireshark does not need any of them. Set an export password when prompted; it is needed again in the next step.
Assume there are two T-Servers, exported as tserver1.pfx and tserver2.pfx and saved in the C:\Wireshark\ directory.
Convert pfx to pem Certificate
This step is not strictly required on Windows, since Wireshark can load a .pfx file directly (the export password is entered in the RSA keys list). Follow this section to obtain a .pem file, or if the key is in another format that needs converting.
Download OpenSSL for Windows, or use the copy that comes pre-installed on most Linux distributions. The Windows build is provided free by Shining Light Productions. Either the 32-bit or the 64-bit build works, so on 64-bit Windows either version will do.
http://www.slproweb.com/download/Win32OpenSSL-1_0_0e.exe (32-bit)
openssl.exe is the utility used to extract the private key from the .pfx file into a .pem file.
Open a command prompt and run the following commands, entering the export password when prompted:
cd C:\Wireshark
\Utilities\OpenSSL\bin\openssl pkcs12 -in tserver1.pfx -out tserver1.pem -nocerts -nodes
\Utilities\OpenSSL\bin\openssl pkcs12 -in tserver2.pfx -out tserver2.pem -nocerts -nodes
-nocerts writes only the private key (the certificate itself is not needed for decryption), and -nodes leaves the key unencrypted, which is the form the Wireshark RSA keys list expects. The resulting .pem file is therefore a plaintext copy of the server's private key and must be protected accordingly. tserver1.pem looks like this:
Bag Attributes
Microsoft Local Key set:
localKeyID: 01 00 00 00
Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
friendlyName: c6bad00c9d00bfd55dc217383c14f1c5_d9350150-31e7-4e1f-889d-029377e717f2
Key Attributes
X509v3 Key Usage: 10
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQC1PfnMaKjLpTyTZXW90FlLMYAeRsciKVpVjtx973gT6W552Tot
....cut...
FCR4IYW4+ye/IfbV4bYgDDyW4Wb1bk9bNnF6/U7pXJ3/
-----END RSA PRIVATE KEY-----
Capturing in Wireshark
To keep the pcap file small, set a capture filter so that only traffic to or from TCP port 3000, the T-Server port for both T-Servers (or more), is captured.
Optionally, configure Wireshark to save the captured data to a file and start a new file every hour. The following shows saving to C:\Wireshark.
Optionally, configure it to stop capturing after 5 hours. This is handy when the capture should stop automatically, and it prevents the disk from filling up.
Once capturing has started, restart every Genesys T-Server client that needs to be traced, such as Siebel CRM, a soft phone, OCM, CCPulse, StatServer, the SAP soft phone, etc. The TLS handshake takes place when the application starts or logs in, and it carries the key-exchange messages Wireshark needs to derive the session keys. If this step is missed, the session cannot be decrypted. Two further conditions apply: the server's private key only helps when the negotiated cipher suite uses RSA key exchange (with DHE or ECDHE suites the key never touches the session secret and Wireshark cannot decrypt), and a resumed session that skips the Client Key Exchange can only be decrypted if the original full handshake was captured as well.
During the capture, pay attention to the specific application being traced. In this example the CRM CTI application talks to T-Server from client port 64406 to server port 3000, and the packets of interest carry [PSH, ACK]. Wireshark labels port 3000 as stm-pproc by default; that name is meaningless for Genesys T-Server troubleshooting.
Right-click on the packet and choose Decode As.
On the Transport tab, select the TCP port and choose "both". If the CTI application keeps changing its client port number, instead pick a packet sent from T-Server to the client and choose the source port, then a packet sent from the client to T-Server and choose the destination port. In either case, choose SSL as the protocol.
The packets now show up as TLSv1. At this point the handshake still appears to fail, until the .pem key is configured below. The key configuration can be done after the pcap file is saved; Decode As only affects how packets are displayed, which mainly matters for real-time analysis.
Configure SSL pem Certificate
This step is required for Wireshark to show the content of the encrypted TLS packets. As long as the handshake packets were captured, Wireshark can decrypt the session once the key is configured.
Packets captured before the key was configured can still be decrypted, because decryption is applied to the saved capture, not at capture time. This is a common misunderstanding among people unfamiliar with SSL/TLS.
Press Ctrl-Shift-P, or choose Edit > Preferences, to open the preferences screen.
Expand Protocols in the left panel and scroll down to SSL.
Click the Edit button next to RSA keys list and add one entry per T-Server (click Add once for each), giving its IP address, port 3000, the protocol the decrypted payload should be decoded as (http in this example), and the .pem key file. The following screen shows T-Servers 192.168.1.11 and 192.168.1.12 on port 3000, each pointing to its own .pem file.
Once this is done, the previously unreadable SSL packets become readable.
In the packets above we now see the following:
- "Server Hello"
- the "Client Key Exchange" packet now ends with a "Finished" message, where previously "Encrypted Handshake Message" was shown
- the "Change Cipher Spec" packet likewise now ends with "Finished" instead of "Encrypted Handshake Message"
- the last packet changed from "Application Data" to "Continuation or non-HTTP traffic" with HTTP as the protocol; T-Server traffic is not HTTP, the label simply reflects the protocol chosen in the RSA keys list entry
Click on the HTTP packet with 141 bytes length to show the decrypted content.
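Whether the key configured above actually decrypts a session depends on two things the procedure relies on implicitly: the full handshake, including the Client Key Exchange, must be in the capture (the reason for restarting the clients), and the negotiated cipher suite must use RSA key exchange, since the server's private key can only recover a premaster secret that the client encrypted to it. The following Python script is an added example, not part of the original post: it walks the TLS records of one session, lists the handshake messages the way Wireshark labels them, and gives a verdict with the reason. The sessions it scans are constructed inline with a handful of real IANA cipher-suite values and minimal message bodies; it does not read pcap files.

```python
# Added example, not from the original post: decide whether a captured TLS
# session can be decrypted with the server's RSA private key, which is what the
# Wireshark RSA keys list relies on. Every sample record below is constructed.
import struct
CHANGE_CIPHER_SPEC, HANDSHAKE, APPLICATION_DATA = 0x14, 0x16, 0x17
TLS1_0 = b"\x03\x01"
HANDSHAKE_NAMES = {1: "Client Hello", 2: "Server Hello", 11: "Certificate",
                   12: "Server Key Exchange", 14: "Server Hello Done",
                   16: "Client Key Exchange", 20: "Finished"}
# Subset of the IANA registry; the key-exchange field decides whether the key helps.
CIPHER_SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE"),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE"),
}

def iter_records(stream):
    """Split a reassembled TCP byte stream into TLS records (type, payload)."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _version, length = struct.unpack("!BHH", stream[off:off + 5])
        off += 5
        yield ctype, stream[off:off + length]
        off += length

def iter_handshakes(payload):
    """Split a plaintext handshake record into (msg_type, body) messages."""
    off = 0
    while off + 4 <= len(payload):
        msg_type = payload[off]
        length = int.from_bytes(payload[off + 1:off + 4], "big")
        off += 4
        yield msg_type, payload[off:off + length]
        off += length

def server_hello_cipher(body):
    """Suite chosen in a ServerHello: version(2) random(32) sid_len(1) sid suite(2)."""
    sid_len = body[34]
    return struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]

def assess(stream):
    """Walk one session (both directions merged) and give Wireshark's verdict."""
    seen, suite, encrypted = [], None, False
    for ctype, payload in iter_records(stream):
        if ctype == CHANGE_CIPHER_SPEC:
            seen.append("Change Cipher Spec")
            encrypted = True  # later handshake records are under the session keys
        elif ctype == HANDSHAKE and not encrypted:
            for msg_type, body in iter_handshakes(payload):
                seen.append(HANDSHAKE_NAMES.get(msg_type, "handshake type %d" % msg_type))
                if msg_type == 2:
                    suite = server_hello_cipher(body)
        elif ctype == HANDSHAKE:
            seen.append("Encrypted Handshake Message")  # what Wireshark shows without the key
        elif ctype == APPLICATION_DATA:
            seen.append("Application Data")
    name, kx = CIPHER_SUITES.get(suite, ("unknown 0x%04x" % (suite or 0), "unknown"))
    if "Server Hello" not in seen:
        ok, why = False, "no Server Hello captured: start the capture, then restart the client"
    elif kx != "RSA":
        ok, why = False, kx + " key exchange: the server private key cannot recover the session keys"
    elif "Client Key Exchange" not in seen:
        ok, why = False, "no Client Key Exchange (resumed session?): premaster secret not on the wire"
    else:
        ok, why = True, "RSA key exchange with the full handshake captured"
    return {"messages": seen, "cipher_suite": name, "key_exchange": kx, "decryptable": ok, "reason": why}

# Constructed sample traffic: TLSv1 record framing, message bodies kept minimal.
def record(ctype, payload):
    return struct.pack("!BHH", ctype, 0x0301, len(payload)) + payload
def handshake(msg_type, body):
    return record(HANDSHAKE, bytes([msg_type]) + len(body).to_bytes(3, "big") + body)
def server_hello_body(suite, session_id=b""):
    return TLS1_0 + bytes(32) + bytes([len(session_id)]) + session_id + struct.pack("!H", suite) + b"\x00"

CLIENT_HELLO = handshake(1, TLS1_0 + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00")
CCS_FINISHED = record(CHANGE_CIPHER_SPEC, b"\x01") + record(HANDSHAKE, b"\x22" * 48)  # one side's CCS + Finished
APP_DATA = record(APPLICATION_DATA, b"\x33" * 141)
# Full handshake on an RSA suite, as restarting the client produces, then one data record.
FULL_RSA_SESSION = (CLIENT_HELLO + handshake(2, server_hello_body(0x002F)) + handshake(11, bytes(3))
                    + handshake(14, b"") + handshake(16, b"\x00\x80" + b"\x11" * 128)
                    + CCS_FINISHED + CCS_FINISHED + APP_DATA)
# Same client, but the server chose ECDHE: the RSA keys list cannot recover anything.
ECDHE_SESSION = (CLIENT_HELLO + handshake(2, server_hello_body(0xC013)) + handshake(11, bytes(3))
                 + handshake(12, b"\x55" * 70) + handshake(14, b"") + CCS_FINISHED + CCS_FINISHED + APP_DATA)
# Abbreviated (resumed) handshake: no Client Key Exchange on the wire at all.
RESUMED_SESSION = (CLIENT_HELLO + handshake(2, server_hello_body(0x002F, b"\x42" * 8))
                   + CCS_FINISHED + CCS_FINISHED + APP_DATA)
LATE_CAPTURE = APP_DATA  # capture started after the client had already logged in

if __name__ == "__main__":
    for label, s in (("full RSA", FULL_RSA_SESSION), ("ECDHE", ECDHE_SESSION),
                     ("resumed", RESUMED_SESSION), ("late capture", LATE_CAPTURE)):
        r = assess(s)
        print("%-12s %-36s %-8s %s" % (label, r["cipher_suite"], r["key_exchange"], r["reason"]))
```

Run as a script, each constructed session prints its cipher suite, key exchange and the reason it can or cannot be decrypted. To apply it to a real capture, feed assess() the reassembled TCP payload of the port 3000 conversation in both directions, in capture order (Follow TCP Stream, raw); a "no Server Hello" verdict means the client was not restarted after the capture began, and a DHE/ECDHE verdict means no server key will ever open that session.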
I found that a pcap captured with Wireshark 1.6.4 could not be decrypted by Wireshark 1.6.2. I am not sure whether this is a known Wireshark bug, but it does look like a bug to me.
Post your comment if you need help or clarification
Please consider a PayPal donation if this post helped.