On Thu, 13 Oct 2016 10:35:14 -0500
Bryan Holloway <br...@shout.net> wrote:
> > [...]
> >> Is there a way to see the IMAP commands coming from the client?
> >> I've tried looking at PCAPs, but of course they're encrypted so I
> >> can't see the actual dialog going on between the server and
> >> client. I didn't see an obvious way to do this in the docs.
> > If you have access to the SSL/TLS key (IOW, the private part of the
> > cert) the server uses to secure IMAP connections you can dump the
> > IMAP traffic using the `ssldump` utility (which builds on
> > `tcpdump`).
> I do, but the client is using a DH key exchange so I only have the
> server-side private key.
> Tried that using Wireshark's decoder features and ran into this
> problem. I'm assuming I'd run into the same using ssldump, but I'll
> give it a shot!
I think DH is not the culprit: just to be able to actually decode SSL
traffic, you must have the server private key when you're decoding the
SSL handshake phase -- to be able to recover the session keys, which
you then use to decode the actual tunneled data.
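A check that follows from the thread, added here as an example and not code from the list or its posters: given a captured ServerHello, report the negotiated cipher suite and whether a decoder that holds only the server's private key (as ssldump or Wireshark do) can derive the session keys. With RSA key exchange it can, because the private key decrypts the premaster secret; with (EC)DHE suites the private key only signs the handshake, so the session keys are not recoverable from the capture. The records below are constructed inline and the suite tables are a small hand-picked subset of the IANA registry.

```python
import struct

# Cipher suite values from the IANA TLS registry, grouped by key exchange.
# RSA key exchange: the server private key decrypts the premaster secret,
# so a passive decoder with that key can rebuild the session keys.
# (EC)DHE: the private key only signs the ephemeral parameters; the shared
# secret never crosses the wire, so the capture cannot be decoded this way.
RSA_KX = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
}
EPHEMERAL_KX = {
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

def server_hello_cipher_suite(record):
    """Return the cipher suite chosen in a TLS 1.0-1.2 ServerHello record."""
    if len(record) < 5 or record[0] != 0x16:        # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:                # handshake type 2 = ServerHello
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                    # skip server_version and random
    pos += 1 + body[pos]                            # skip session_id (length-prefixed)
    return struct.unpack("!H", body[pos:pos + 2])[0]

def static_key_decodable(record):
    """(suite name, True if the server private key alone yields session keys)."""
    suite = server_hello_cipher_suite(record)
    if suite in RSA_KX:
        return RSA_KX[suite], True
    if suite in EPHEMERAL_KX:
        return EPHEMERAL_KX[suite], False
    return "unknown suite 0x%04X" % suite, False

def build_server_hello(suite, session_id=b""):
    """Constructed sample ServerHello (TLS 1.2, no extensions) for testing."""
    body = (b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
            + struct.pack("!H", suite) + b"\x00")  # null compression
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    for suite in (0x002F, 0xC02F):
        name, ok = static_key_decodable(build_server_hello(suite))
        print(name, "-> decodable with server key" if ok else "-> needs session keys")
```

In practice the same classification is read from the "Cipher Suite" field of the ServerHello in Wireshark; if it is an (EC)DHE suite, the only route to the IMAP dialogue is a client- or server-side session key log, not the certificate's private key.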