Difference between revisions of "Tls"
| Line 1: | Line 1: | ||
| + | = Decryption methods = | ||
| + | |||
| + | == linux == | ||
| + | |||
| + | VoIPmonitor version >= 27 can decrypt any application by using ssl key logger which logs keys directly in the openssl library (for openssl >= 1.1.0). Ssl key logger is small sslkeylog.so library which uses LD_PRELOAD to intercept session keys. Those keys are then sent over UDP to voipmonitor sniffer. The behaviour of applications (like asterisk / kamailio / freeswitch and all software using openssl) is not affected or changed - it only logs keys. | ||
| + | |||
| + | |||
| + | This library is located in voipmonitor source tree: tools/ssl_keylogger/sslkeylog/sslkeylog.c | ||
| + | |||
| + | === Installation === | ||
| + | |||
| + | ==== Compiling sslkeylogger ==== | ||
| + | |||
| + | cd /usr/local/src | ||
| + | git clone https://github.com/voipmonitor/sniffer.git voipmonitor-git | ||
| + | cd voipmonitor-git/tools/ssl_keylogger/ | ||
| + | make | ||
| + | |||
| + | ==== running keylogger ===== | ||
| + | |||
| + | ===== Testing keylogger ===== | ||
| + | |||
| + | You should always test if the library / keylogger is working by this command: | ||
| + | |||
| + | env SSLKEYLOG_UDP='127.0.0.1:1234' LD_PRELOAD="/usr/local/src/sniffer-git/tools/ssl_keylogger/sslkeylog.so" openssl | ||
| + | The output should show similar output: | ||
| + | * SSL KEYLOG : OK detect pointer to function SSL_new : 0x7fe9d6e96540 | ||
| + | * SSL KEYLOG : OK detect pointer to function SSL_CTX_set_keylog_callback : 0x7fe9d6e97870 | ||
| + | * SSL KEYLOG : log to : 127.0.0.1:1234 | ||
| + | OpenSSL> root@voipmonitor | ||
| + | |||
| + | If you see SSL KEYLOG messages - the keylog is working | ||
| + | |||
| + | ===== Asterisk ===== | ||
| + | |||
| + | Asterisk binary is directly linking with libssl so we just need to preload our sslkeylog | ||
| + | |||
| + | env SSLKEYLOG_UDP='127.0.0.1:1234' LD_PRELOAD="/usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so" asterisk -vvvgcd | ||
| + | |||
| + | |||
| + | you need to find your starting script and modify it | ||
| + | |||
| + | |||
| + | SSLKEYLOG_UDP parameter tells to what IP and port keys should be sent (this is voipmonitor IP and port) - in this example it runs on the same host as asterisk (127.0.0.1:1234) | ||
| + | |||
| + | |||
| + | ==== Kamailio ==== | ||
| + | |||
| + | |||
| + | Kamailio uses tls.so module (which is linked to openssl.so) thus the LD_PRELOAD needs to load openssl.so first | ||
| + | |||
| + | |||
| + | env SSLKEYLOG_UDP='127.0.0.1:1234' LD_PRELOAD="/usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so /usr/local/lib64/libssl.so.1.1" kamailio | ||
| + | |||
| + | |||
| + | In this example, our system uses compiled openssl from sources, thus the path to the libssl is /usr/local/lib64/libssl.so.1.1 (on debian stock library is located /usr/src/openssl-1.1.1g/libssl.so) | ||
| + | |||
| + | |||
| + | You need to modify your kamailio start scripts | ||
| + | |||
| + | |||
| + | on our debian we modified this line in /etc/init.d/kamailio | ||
| + | |||
| + | |||
| + | env SSLKEYLOG_UDP='127.0.0.1:1234' LD_PRELOAD="/usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so /usr/local/lib64/libssl.so.1.1" start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- $OPTIONS || log_failure_msg " already running" | ||
| + | |||
| + | |||
| + | ==== configuring voipmonitor ==== | ||
| + | |||
| + | |||
| + | Lets assume that SIP proxy is running on 192.168.0.1:5061 | ||
| + | |||
| + | |||
| + | edit : /etc/voipmonitor.conf | ||
| + | |||
| + | |||
| + | enabling ssl_sessionkey UDP receiver | ||
| + | |||
| + | |||
| + | ssl_sessionkey_udp = yes | ||
| + | ssl_sessionkey_udp_port = 1234 | ||
| + | ssl_sessionkey_udp_ip = 192.168.178.0/24 (this is not mandatory) | ||
| + | ssl_sessionkey_udp_maxwait_ms = 10000 | ||
| + | |||
| + | |||
| + | |||
| + | enabling ssl decryption | ||
| + | |||
| + | |||
| + | ssl = yes | ||
| + | ssl_ipport = 192.168.0.1:5061 | ||
| + | |||
| + | |||
| + | (ssl_ipport can be specified multiple times in case voipmonitor should decrypt multiple SIP proxies) | ||
| + | |||
| + | |||
| + | Run the voipmonitor in usual way. | ||
| + | |||
| + | |||
| + | == generic == | ||
| + | |||
Since version 11 VoIPmonitor sniffer is able to decode and decrypt TLS SIP protocol by providing private key. | Since version 11 VoIPmonitor sniffer is able to decode and decrypt TLS SIP protocol by providing private key. | ||
Revision as of 13:03, 21 September 2020
Decryption methods
linux
VoIPmonitor version >= 27 can decrypt any application by using ssl key logger which logs keys directly in the openssl library (for openssl >= 1.1.0). Ssl key logger is small sslkeylog.so library which uses LD_PRELOAD to intercept session keys. Those keys are then sent over UDP to voipmonitor sniffer. The behaviour of applications (like asterisk / kamailio / freeswitch and all software using openssl) is not affected or changed - it only logs keys.
This library is located in voipmonitor source tree: tools/ssl_keylogger/sslkeylog/sslkeylog.c
Installation
Compiling sslkeylogger
cd /usr/local/src git clone https://github.com/voipmonitor/sniffer.git voipmonitor-git cd voipmonitor-git/tools/ssl_keylogger/ make
running keylogger =
Testing keylogger
You should always test if the library / keylogger is working by this command:
env SSLKEYLOG_UDP='127.0.0.1:1234' LD_PRELOAD="/usr/local/src/sniffer-git/tools/ssl_keylogger/sslkeylog.so" openssl
The output should show similar output:
* SSL KEYLOG : OK detect pointer to function SSL_new : 0x7fe9d6e96540 * SSL KEYLOG : OK detect pointer to function SSL_CTX_set_keylog_callback : 0x7fe9d6e97870 * SSL KEYLOG : log to : 127.0.0.1:1234 OpenSSL> root@voipmonitor
If you see SSL KEYLOG messages - the keylog is working
Asterisk
Asterisk binary is directly linking with libssl so we just need to preload our sslkeylog
env SSLKEYLOG_UDP='127.0.0.1:1234' LD_PRELOAD="/usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so" asterisk -vvvgcd
you need to find your starting script and modify it
SSLKEYLOG_UDP parameter tells to what IP and port keys should be sent (this is voipmonitor IP and port) - in this example it runs on the same host as asterisk (127.0.0.1:1234)
Kamailio
Kamailio uses tls.so module (which is linked to openssl.so) thus the LD_PRELOAD needs to load openssl.so first
env SSLKEYLOG_UDP='127.0.0.1:1234' LD_PRELOAD="/usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so /usr/local/lib64/libssl.so.1.1" kamailio
In this example, our system uses compiled openssl from sources, thus the path to the libssl is /usr/local/lib64/libssl.so.1.1 (on debian stock library is located /usr/src/openssl-1.1.1g/libssl.so)
You need to modify your kamailio start scripts
on our debian we modified this line in /etc/init.d/kamailio
env SSLKEYLOG_UDP='127.0.0.1:1234' LD_PRELOAD="/usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so /usr/local/lib64/libssl.so.1.1" start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- $OPTIONS || log_failure_msg " already running"
configuring voipmonitor
Lets assume that SIP proxy is running on 192.168.0.1:5061
edit : /etc/voipmonitor.conf
enabling ssl_sessionkey UDP receiver
ssl_sessionkey_udp = yes ssl_sessionkey_udp_port = 1234 ssl_sessionkey_udp_ip = 192.168.178.0/24 (this is not mandatory) ssl_sessionkey_udp_maxwait_ms = 10000
enabling ssl decryption
ssl = yes ssl_ipport = 192.168.0.1:5061
(ssl_ipport can be specified multiple times in case voipmonitor should decrypt multiple SIP proxies)
Run the voipmonitor in usual way.
generic
Since version 11 VoIPmonitor sniffer is able to decode and decrypt TLS SIP protocol by providing private key.
Please note that the sniffer only supports TLS layer and SSLv3 (not SSLv1 or SSLv2) layer which you can verify in CLIENT HELLO packet in wireshark where you can see SSL or TLS in header.
Decrypted SIP packets are converted to virtual UDP packets with the same ethernet headers replacing the IP TCP layer with UDP so you will not see the TCP stream in stored pcap files.
TLS feature is still in beta - if you will have any problems which are reproducible we need to see pcap file with the TLS packets (no need for RTP) and of course the private key.
Please note that TLS where cipher suite is set to Diffie–Hellman key exchange is not possible to decode in any way. It is possible only if your software (PBX/SBC) is storing key for each TLS session but still this feature is not supported. The only solution is to change the cipher suite to use anything else than diffie hellman cipher suites.
VoIPmonitor is able to decrypt SRTP.
Configuration
add to the voipmonitor.conf
ssl = yes ssl_ipport = 10.0.0.1 : 5061 /etc/private.key
where 10.0.0.1 is server with TLS port 5061. Private key is in /etc/private.key and it is in PEM format (starting with -----BEGIN RSA PRIVATE KEY-----)