Hi all,

I am challenged with the analysis of an SSL VPN Gateway.

Users ultimately access an HTTPS server in the inside network. This session is encapsulated in another SSL layer on the outside.

As I have both SSL keys (VPN gateway and HTTPS server) traffic can be decrypted. (Thanks, Wireshark, I love this feature.)

Decrypted traffic on the outside of the gateway matches the encrypted traffic from the inside.

I want to compare HTTP response times from both sides of the gateway, thus deducing the latency.

Is there a way to peel off the inner layer of SSL? Or could I save decrypted contents as decrypted pcap file?

Any help is appreciated.

asked 09 Dec '10, 00:57

packethunter


It is not possible to strip a layer or save decrypted traffic as pcap. The only option would be to do decryption twice for the outside traffic. I'm not sure though whether the current implementation would support that or would get itself mixed up. What is the carried protocol within the SSL session to the SSL-VPN gateway?

If IP is carried, you could try the following key list when analyzing the outside traffic:

<ip-vpn-gateway>,<port>,ip,<sslvpn-key>;<ip-https-server>,443,http,<https-key>

If not, could you give a schematic of the encapsulation that is done by the SSL-VPN?


answered 09 Dec '10, 15:39

SYN-bit

The external traffic carries HTTPS over HTTPS. The SSL gateway strips the outer layer and is a transparent proxy for the internal HTTPS session.

I tried to force a decode and entered both keys. Alas, it didn't work.

(10 Dec '10, 04:28) packethunter

A long shot, but if the SSL-VPN gateway acts as an HTTP proxy (which can be seen from the "CONNECT <https-server>" header at the beginning of the encapsulated traffic, after doing one layer of decryption), then it might be possible to decrypt both layers with the following keys_list:

<ip-vpn-gateway>,<port>,http,<sslvpn-key>;<ip-vpn-gateway>,0,http,<https-key>

This will treat the decrypted traffic as HTTP, see the CONNECT, switch over to SSL for a second time and, via the wildcard port, find the https-key.

Then again... it's a long shot :-)

(10 Dec '10, 08:30) SYN-bit
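The following is an added example, not code from the thread or from Wireshark itself. It does two things the discussion leaves as prose: it builds the ssl.keys_list value in the `ip,port,protocol,keyfile;...` form SYN-bit proposes (port 0 being the wildcard that lets the inner session find the HTTPS server key), and it takes tshark field exports from both sides of the gateway and reports, per request, how much extra response time the gateway adds. The gateway address 203.0.113.10, the key file names, the tshark command line in the comment and the two CSV exports are all constructed for illustration. The preference name `ssl.keys_list` is the one used by Wireshark releases of the thread's era; newer releases configure RSA keys through the RSA keys list in the TLS protocol preferences instead, and in either case decryption with the server's private key only works for cipher suites that use RSA key exchange, not (EC)DHE.

```python
import csv
import io
from collections import defaultdict, deque

# --- 1. The ssl.keys_list preference -----------------------------------------

def keys_list(entries):
    """Render (ip, port, protocol, keyfile) tuples as an ssl.keys_list value.

    Entries are 'ip,port,proto,keyfile' joined by ';'. Port 0 is the wildcard
    relied on in the thread so that the inner TLS session, which appears after
    the CONNECT on whatever port the proxy uses, still matches the HTTPS key.
    """
    return ";".join(f"{ip},{port},{proto},{keyfile}" for ip, port, proto, keyfile in entries)

# Hypothetical gateway address and key file names; substitute your own.
OUTSIDE_KEYS = keys_list([
    ("203.0.113.10", 443, "http", "vpn.key"),   # outer layer: SSL-VPN gateway
    ("203.0.113.10", 0, "http", "web.key"),     # inner layer: HTTPS server, any port
])

# --- 2. Response-time comparison ---------------------------------------------
# Assumed export on each side of the gateway (run it yourself; not executed here):
#   tshark -r outside.pcap -o "ssl.keys_list:$OUTSIDE_KEYS" \
#       -T fields -E separator=, -e frame.time_epoch -e tcp.stream \
#       -e http.request.uri -e http.response.code -e http.time > outside.csv
# Request frames carry http.request.uri; response frames carry http.response.code
# and http.time (seconds since the matching request, as computed by the dissector).
# If http.time is empty on every response, the HTTP dissector never saw the
# requests, i.e. one of the two decryption layers is not working.

def parse_tshark_fields(text):
    """Return [(uri, http_time_seconds), ...] in response order.

    Requests and responses are paired per TCP stream in FIFO order, which is
    what HTTP/1.1 guarantees on a single connection.
    """
    pending = defaultdict(deque)   # tcp.stream -> queue of outstanding request URIs
    responses = []
    for row in csv.reader(io.StringIO(text.strip())):
        _ts, stream, uri, code, http_time = row
        if uri:
            pending[stream].append(uri)
        elif code and http_time:
            if not pending[stream]:
                continue   # response whose request was not decoded: skip it
            responses.append((pending[stream].popleft(), float(http_time)))
    return responses

def gateway_latency_ms(outside_text, inside_text):
    """Pair each outside response with the same-ranked inside response for the
    same URI and report the extra round-trip time the gateway adds, in ms.

    Comparing http.time on both sides makes the result independent of any
    clock offset between the two capture points; only durations are used.
    """
    outside = parse_tshark_fields(outside_text)
    inside_by_uri = defaultdict(deque)
    for uri, t in parse_tshark_fields(inside_text):
        inside_by_uri[uri].append(t)
    result = []
    for uri, t_out in outside:
        if not inside_by_uri[uri]:
            continue   # seen outside but never inside: decrypt gap or answered by the gateway
        t_in = inside_by_uri[uri].popleft()
        result.append((uri, round(t_out * 1000), round(t_in * 1000), round((t_out - t_in) * 1000)))
    return result

# Constructed sample exports (not real captures): three requests over two connections.
# Stream numbers differ between the two captures on purpose; pairing is by URI order.
OUTSIDE_CSV = """\
1291880000.000,0,/index.html,,
1291880000.130,0,,200,0.130
1291880000.200,0,/app/login,,
1291880000.380,0,,200,0.180
1291880000.500,1,/index.html,,
1291880000.640,1,,304,0.140
"""
INSIDE_CSV = """\
1291880000.010,7,/index.html,,
1291880000.120,7,,200,0.110
1291880000.210,7,/app/login,,
1291880000.375,7,,200,0.165
1291880000.510,8,/index.html,,
1291880000.625,8,,304,0.115
"""

if __name__ == "__main__":
    print("ssl.keys_list:", OUTSIDE_KEYS)
    for uri, t_out, t_in, added in gateway_latency_ms(OUTSIDE_CSV, INSIDE_CSV):
        print(f"{uri:<12} outside {t_out:4d} ms  inside {t_in:4d} ms  gateway adds {added:3d} ms")
```

Pairing by URI order rather than by timestamp is deliberate: the gateway is a transparent proxy, so request order is preserved, while absolute timestamps on the two capture hosts are only comparable if their clocks are synchronised. If the inner layer never decrypts, `parse_tshark_fields` returns an empty list for that side and nothing is paired, which is a quick check that both keys are being applied.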