
SNGREP with TLS key


Scott1234


Has anyone got SNGREP to work with TLS key support on the PBX?

GitHub - irontec/sngrep: Ncurses SIP Messages flow viewer

Screenshots · irontec/sngrep Wiki · GitHub

It's my fav go-to SIP message explorer, but since I have been on a mission to go full TLS and SRTP I am now in the dark :D but want to enjoy this tool again when needed for support.

EDIT > I know I can do pcaps from the PBX and get the decode, but sometimes this tool is better to use when listening globally, not just specific to the one call.

 


The PBX has the option --key-log-address adr:port to tell sniffing tools what the TLS master key is. It then sends a UDP packet with the following content:

{"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256","sessionid":"0123456789abcdef","mastersecret":"0123456789abcdef"}

Is that something that sngrep could use as well?

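The post above describes the PBX emitting one JSON datagram per TLS session with the session ID and master secret. The following is an added example, not code from the thread, from Vodia or from the sngrep project: a small collector that listens on the address given to --key-log-address, validates each datagram, and appends it to a file in the NSS key log format that Wireshark reads for session-ID based master secrets ("RSA Session-ID:<hex> Master-Key:<hex>"). It assumes (the page does not say so) that the PBX sends exactly one JSON object per datagram, shaped as quoted, with hex-encoded "sessionid" and "mastersecret" fields; the function names, the bind address and the output path are the example's own.

```python
"""Collect Vodia PBX --key-log-address UDP datagrams into an NSS key log file.

Added example, not part of the forum thread or of the PBX/sngrep projects.
Assumptions not stated on the page: one JSON object per datagram, exactly as
quoted in the thread, with hex-encoded "sessionid" and "mastersecret" fields.
Output uses the NSS key log format understood by Wireshark:
    RSA Session-ID:<hex session id> Master-Key:<hex master secret>
"""
import json
import re
import socket
from typing import Optional

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def parse_keylog_packet(payload: bytes) -> dict:
    """Parse one datagram; raise ValueError if it is not a usable key-log record."""
    try:
        record = json.loads(payload.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError(f"not JSON: {exc}") from exc
    if not isinstance(record, dict):
        raise ValueError("JSON top level is not an object")
    for field in ("cipher", "sessionid", "mastersecret"):
        value = record.get(field)
        if not isinstance(value, str) or not value:
            raise ValueError(f"missing or empty field {field!r}")
    for field in ("sessionid", "mastersecret"):
        if not HEX_RE.match(record[field]):
            raise ValueError(f"field {field!r} is not hex")
    return record


def to_keylog_line(payload: bytes) -> str:
    """Convert one PBX datagram to a single NSS key log line."""
    record = parse_keylog_packet(payload)
    session_id = record["sessionid"].lower()
    master_key = record["mastersecret"].lower()
    return f"RSA Session-ID:{session_id} Master-Key:{master_key}"


def serve(bind_addr: str, port: int, out_path: str,
          max_packets: Optional[int] = None) -> int:
    """Listen for key-log datagrams and append NSS lines to out_path.

    Malformed datagrams are logged and skipped. Returns the number of lines
    written (runs forever unless max_packets is given).
    """
    written = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock, \
            open(out_path, "a", encoding="utf-8") as out:
        sock.bind((bind_addr, port))
        while max_packets is None or written < max_packets:
            payload, peer = sock.recvfrom(65535)
            try:
                line = to_keylog_line(payload)
            except ValueError as exc:
                print(f"ignored datagram from {peer}: {exc}")
                continue
            out.write(line + "\n")
            out.flush()  # so a live Wireshark session sees the key promptly
            written += 1
    return written


# Constructed sample datagram, identical in shape to the one quoted in the thread.
SAMPLE_PACKET = (b'{"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",'
                 b'"sessionid":"0123456789abcdef","mastersecret":"0123456789abcdef"}')

if __name__ == "__main__":
    print(to_keylog_line(SAMPLE_PACKET))
    # Live use (hypothetical values): serve("0.0.0.0", 9999, "pbx-keys.log")
    # and start the PBX with --key-log-address <collector-host>:9999, then
    # point Wireshark's TLS "(Pre)-Master-Secret log filename" at pbx-keys.log.
```

Two practical notes. First, the decrypting tool still needs the handshake in its capture, because the Session-ID in the key log is matched against the ServerHello; keys exported this way do not help for a session whose handshake was not captured. Second, exporting the master secret works even for the ECDHE cipher shown in the datagram: forward secrecy only stops recovering the session key from the server's long-term RSA private key, which is why sngrep's -k private-key route fails here while a per-session secret export does not. The key log file is as sensitive as the decrypted traffic, so treat it like the captures themselves.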

10 hours ago, Vodia PBX said:

The PBX has the option --key-log-address adr:port to tell sniffing tools what the TLS master key is. It then sends a UDP packet with the following content:

{"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256","sessionid":"0123456789abcdef","mastersecret":"0123456789abcdef"}

Is that something that sngrep could use as well?

Not that I can see. You can compile it with OpenSSL or GnuTLS and run it with a -k flag to define an RSA private key file, but using the key file setting on the PBX did not help.

I just found this in their FAQ page. It says:

I can't see TLS flows even using the private key
sngrep only supports a couple of insecure ciphers (TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA and TLS_RSA_WITH_AES_256_GCM_SHA384), and needs to capture the initial TLS negotiation in order to decrypt the conversation. If you're using TLS v1.2 or greater with a DH or ECDH cipher, decrypting is impossible as these ciphers implement Perfect Forward Secrecy.

So maybe no go. 


AFAIK the problem with the key file is that it can contain only one connection.

IMHO sniffing SIP packets is increasingly useless because just about anything is getting encrypted these days (rightfully). It would make sense if sngrep were able to receive the master key somehow. I am pretty sure that VoIPmonitor (for which we have added the key logging) is also using OpenSSL or GnuTLS, so there must be a way to "leak" the key into the library.
