Ever wonder if any of your users connect to sites with bad SSL certificates? I ran into this issue recently when debugging some SSL issues, and ended up with this quick tshark and shell script trick to extract the necessary information from a packet capture. First, you may want to compare the host name your clients connect to, to the host name returned as part of the certificate. While the "Host" header is encrypted and not accessible, modern SSL libraries use Server Name Indication (SNI) as part of the SSL Client Hello to indicate to the server which site they are trying to connect to. The SNI option is sent in the clear to allow for name virtual hosting with SSL. To extract the SNI fields, I use:
The tshark command extracts all the SSL Client Hello messages (ssl.handshake.type==1) and then pulls out the destination IP, the destination port as well as the SNI field. I remove the first tab and replace it with a ":" to receive output like:
Your sed command will look a bit different if you are using OS X. Next, we need to extract the host names advertised by the certificate that the server returns. This is a bit tricky as a certificate may either use a distinguished name (DN) or a subject alternative name if more then one hostname is included in the certificate.
Just like before, we now filter for certificate messages (type 11) and extract the source ip and the destination port, so we can match up connections with what we extracted above. The output should look like:
Note how it is quite common to include a large list of hostnames. Next, we need to link the two files. The "join" command is pretty useful here:
This will join the two files, pretty much how a SQL join would combine two tables, using the first column in each file as index. The output looks now like:
Making it reasonably easy to compare the requested host name (last field) with the names provided by the certificate. (homework: a second script to analyze this output automatically, or a bro script to do all of this ;-) ) --- |
Johannes 4068 Posts ISC Handler Mar 12th 2015 |
Thread locked Subscribe |
Mar 12th 2015 5 years ago |
Bro IDS makes short work of ssl certs out of the box.
|
James 35 Posts |
Quote |
Mar 12th 2015 5 years ago |
What is the value in this? If the domain name doesn't match, that means that somebody wasn't even trying.
|
James 11 Posts |
Quote |
Mar 13th 2015 5 years ago |
Sign Up for Free or Log In to start participating in the conversation!