NotionCommotion Posted June 12, 2019

If a client connects to a ReactPHP TLS socket server, is it possible to obtain the symmetric key from within the PHP code? Hoping it will allow me to decrypt and analyze traffic between the two using Wireshark.

requinix Posted June 12, 2019

With PHP? No. SSL stuff is all handled by OpenSSL (or whatever you have installed) which tends not to expose information like that.

You could allow unsecure connections when a development mode is active, and/or when the connection is local. To troubleshoot locally.

NotionCommotion Posted June 12, 2019

1 hour ago, requinix said:
> With PHP? No. SSL stuff is all handled by OpenSSL (or whatever you have installed) which tends not to expose information like that.

Was afraid of that. Evidently, Firefox and Chrome both support logging the symmetric session key used to encrypt TLS traffic to a file, and Wireshark is configured to use this file and then can decrypt TLS traffic. See https://redflagsecurity.net/2019/03/10/decrypting-tls-wireshark/. Well, I am not accessing the connection using FF or Chrome so that doesn't help me, but maybe there is a different way to do so with some Linux command?
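
Added example, not part of the thread: the key log file those browsers write (enabled through the SSLKEYLOGFILE environment variable) holds per-session secrets indexed by the client random, not one symmetric key. The PHP below validates such a file before it is handed to Wireshark; the function name `summarizeKeyLog` and the sample values are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example: validates lines in the NSS key log format.
// Each line is: LABEL <client random, hex> <secret, hex>
const KEYLOG_LABELS = [
    'CLIENT_RANDOM'                   => 'TLS 1.2 master secret',
    'CLIENT_EARLY_TRAFFIC_SECRET'     => 'TLS 1.3 0-RTT secret',
    'CLIENT_HANDSHAKE_TRAFFIC_SECRET' => 'TLS 1.3 handshake secret (client)',
    'SERVER_HANDSHAKE_TRAFFIC_SECRET' => 'TLS 1.3 handshake secret (server)',
    'CLIENT_TRAFFIC_SECRET_0'         => 'TLS 1.3 application secret (client)',
    'SERVER_TRAFFIC_SECRET_0'         => 'TLS 1.3 application secret (server)',
    'EXPORTER_SECRET'                 => 'TLS 1.3 exporter secret',
];

/** @return array<string, string[]> secret descriptions grouped by client random */
function summarizeKeyLog(string $text): array
{
    $sessions = [];
    foreach (preg_split('/\R/', $text) as $n => $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue;                       // blank lines and comments
        }
        $parts = explode(' ', $line);
        if (count($parts) !== 3 || !isset(KEYLOG_LABELS[$parts[0]])) {
            throw new UnexpectedValueException('bad key log line ' . ($n + 1));
        }
        [$label, $random, $secret] = $parts;
        // The client random is 32 bytes; a TLS 1.2 master secret is 48 bytes.
        $ok = preg_match('/^[0-9a-f]{64}$/i', $random)
            && preg_match('/^(?:[0-9a-f]{2})+$/i', $secret)
            && ($label !== 'CLIENT_RANDOM' || strlen($secret) === 96);
        if (!$ok) {
            throw new UnexpectedValueException('bad hex on line ' . ($n + 1));
        }
        $sessions[strtolower($random)][] = KEYLOG_LABELS[$label];
    }
    return $sessions;
}

// Constructed sample with dummy values (not real key material).
$sample = "# constructed sample\n"
    . 'CLIENT_RANDOM ' . str_repeat('ab', 32) . ' ' . str_repeat('cd', 48) . "\n";
print_r(summarizeKeyLog($sample));
```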

kicken Posted June 12, 2019

The easiest solution if you need to view the traffic would be to either disable encryption or pass the traffic through a proxy that can log the traffic then pass it on.

Alternatively, modify your code to log traffic it sends/receives across the socket. I usually include some sort of raw traffic logging ability in things I develop for easy debugging.

NotionCommotion Posted June 13, 2019

15 hours ago, kicken said:
> The easiest solution ... or pass the traffic through a proxy that can log the traffic then pass it on.

Can you elaborate?

15 hours ago, kicken said:
> Alternatively, modify your code to log traffic it sends/receives across the socket. I usually include some sort of raw traffic logging ability in things I develop for easy debugging.

I like it! I take it you log the entire message with either delimiter or length prefix, right? Have you ever used CBOR (which I am doing) or similar or compressed JSON? With straight JSON, it should be easy enough to determine message breaks based on visually looking for known words, but not so if scrambled. I probably need to log both the pre and post CBOR raw message, and maybe take other steps. Any lessons learned would be appreciated.

kicken Posted June 14, 2019

17 hours ago, NotionCommotion said:
> I take it you log the entire message with either deliminator or length prefix, right?

I'd log whatever I see across the socket. For example:

    public function read(){
        $data = fread($this->socket, 8192);
        $this->logger->debug('Socket data read: {data}', ['data' => $data]);
        return $data;
    }

    public function write($data){
        fwrite($this->socket, $data);
        $this->logger->debug('Socket data written: {data}', ['data' => $data]);
    }

The idea is just to have a record in case it is needed to debug a problem. If the data being read/written was binary rather than plain text, then I'd either base64_encode or bin2hex it first.

Higher levels of the app would have additional logging. For example whatever code parses the raw data into some useful data structure may then log the result of that parsing.

18 hours ago, NotionCommotion said:
> Have you ever used CBOR (which I am doing) or similar or compressed JSON?

I have not. Like I mentioned above though, for non-string data you can always encode it before printing. bin2hex is nice as you can easily inspect and compare individual bytes of data. It doubles the size of whatever data you're logging though. base64_encode uses less space and can compare whole values easily, but requires decoding to do detailed comparisons.

NotionCommotion Posted June 16, 2019

On 6/14/2019 at 1:06 AM, kicken said:
> I'd log whatever I see across the socket. For example:
>
>     public function read(){
>         $data = fread($this->socket, 8192);
>         $this->logger->debug('Socket data read: {data}', ['data' => $data]);
>         return $data;
>     }
>
>     public function write($data){
>         fwrite($this->socket, $data);
>         $this->logger->debug('Socket data written: {data}', ['data' => $data]);
>     }

Is your logger just a simple homespun write to a file or something more? When monitoring the server, how do you deal with keeping each client separate?

Thanks

PS. Sorry for getting off topic.

kicken Posted June 17, 2019

On 6/16/2019 at 9:17 AM, NotionCommotion said:
> Is your logger just a simple homespun write to a file or something more?

Usually monolog.

On 6/16/2019 at 9:17 AM, NotionCommotion said:
> When monitoring the server, how do you deal with keeping each client separate?

Most of the time I'm just dealing with client side stuff, talking to a separate server. However, the simple solution would be to just assign a unique identifier to each client and include that with each client's log messages.

I've done something like that with web applications before. Each request generates a unique id and that ID is included in all the log messages. That way when reviewing a log later I can easily find related log messages.
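
Added example, not code from any poster in the thread: the two suggestions above combined, hex-encoding binary traffic such as CBOR and tagging every log line with a per-connection ID. The class name `LoggedSocket`, the log line layout and the stderr sink are assumptions, and it follows the blocking fread/fwrite style of the posted snippet rather than ReactPHP's event-driven streams.

```php
<?php
declare(strict_types=1);
// Added example: wraps one client socket and logs every chunk read or
// written, hex-encoded and tagged with a per-connection ID.
final class LoggedSocket
{
    private string $id;

    /** @param resource $socket connected stream  @param resource $log writable stream */
    public function __construct(private $socket, private $log)
    {
        // Random ID so interleaved lines from many clients can be grouped.
        $this->id = bin2hex(random_bytes(4));
    }

    public function read(int $max = 8192): string
    {
        $data = fread($this->socket, $max);
        if ($data === false || $data === '') {
            return '';                      // EOF or error: nothing to log
        }
        $this->record('<', $data);
        return $data;
    }

    public function write(string $data): int
    {
        $n = fwrite($this->socket, $data);
        if ($n === false) {
            throw new RuntimeException("write failed on {$this->id}");
        }
        // Log only the bytes actually sent; fwrite may write fewer.
        $this->record('>', substr($data, 0, $n));
        return $n;
    }

    private function record(string $dir, string $bytes): void
    {
        fprintf($this->log, "%s [%s] %s len=%d hex=%s\n",
            date('c'), $this->id, $dir, strlen($bytes), bin2hex($bytes));
    }
}

// Constructed demo: a local socket pair stands in for the TLS stream.
[$a, $b] = stream_socket_pair(STREAM_PF_UNIX, STREAM_SOCK_STREAM, STREAM_IPPROTO_IP);
$log = fopen('php://stderr', 'w');
$client = new LoggedSocket($a, $log);
$server = new LoggedSocket($b, $log);
$client->write("\xA1\x62id\x18\x2A");       // CBOR encoding of {"id": 42}
$server->read();
```

The log holds the decrypted application data, so keep it behind a development flag and give the file the same protection as the traffic itself.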