The problem is that very often one doesn't have the server key - for example because the server is operated by another party. I also believe that the decoding would not work with one of the new modern cipher suites with forward secrecy even when you have the server key. If really needed, I don't think it would be that complicated to set up a proxy to terminate the SSL part of the connection before it reaches the client and dump the traffic unencrypted there - but that is not that secure anymore. Luckily, the frame tracing built into most clients is often enough to solve the problems.
Jakub

On Fri, Aug 28, 2015 at 4:43 PM, Paolo Patierno <[email protected]> wrote:

> With Wireshark you are able to decrypt SSL traffic if you have the server
> private key in the PEM format (Base64 encoded).
>
> Following my current scenario ...
>
> I created a self signed CA certificate (just for testing) and a server
> certificate signed with previous CA certificate. I have the sample AMQP
> test broker available with AMQP .Net Lite library up and running that
> accepts traffic on 5671 port using the above server certificate. With my
> client (using AMQP .Net Lite) I'm able to send encrypted messages to the
> broker.
>
> Last step is to use my self generated (with openssl) server private key to
> decrypt this traffic inside Wireshark.
>
> I'm blocked on this step because when I try to add my RSA private key in
> the related list, Wireshark warns me that a dissector for amqp protocol
> isn't available and shows me all the available dissectors (spdy as TCP on
> 443 and so on ...).
> I asked a question on Wireshark forum to add amqp as available dissector
> to decrypt traffic. It's very strange because Wireshark is already able to
> decode clear AMQP traffic on port 5672.
>
> However, if you have private key you are able to decode SSL traffic using
> Wireshark. This feature is available in Fiddler too (in that case only for
> HTTPS traffic).
>
> Paolo
>
> Sent from my Windows Phone
> ________________________________
> From: aconway<mailto:[email protected]>
> Sent: 28/08/2015 14:31
> To: [email protected]<mailto:[email protected]>
> Subject: Re: AW: AMQP blog
>
> On Fri, 2015-08-28 at 06:46 +0000, Aschenbrenner, Erik wrote:
> > Hi Paolo, hi Chuck!
> >
> >
> > Nice to see some other AMQP experts here on the user list.
> >
> > In your blogs you deal with Wireshark to trace and dissect AMQP
> > traffic. Did you ever try to dissect encrypted AMQP traffic with
> > Wireshark? Because in real world AMQP traffic may be encrypted (at
> > least in the one real world application I'm working on). In the
> > Wireshark forum
> > (https://ask.wireshark.org/questions/43961/amqp-10-traffic-not-dissected-with-wireshark-1126)
> > the creator of the AMQP dissector for Wireshark said that there is
> > no way to decode encrypted traffic in Wireshark. Maybe this would be
> > an idea for another blog post to find out if this is true ;-)
> >
>
> This is not a problem specific to AMQP. The point of encryption is to
> make it impossible to read the encrypted data, Wireshark can't do
> anything to get around that.
>
> It is a "layered" problem - for example the TCP headers of an encrypted
> SSL connection are not themselves encrypted otherwise they couldn't be
> routed. So Wireshark can show you that there are TCP packets with SSL
> encrypted contents, but can't show you the content.
>
> All the Qpid tools use SSL or SASL to create a fully encrypted "tunnel"
> through which AMQP traffic passes. There's no way for Wireshark to see
> inside this tunnel. An application could encrypt just the message
> contents and leave the AMQP protocol in the clear but I don't think
> that is common practice.
>
>
> > Regards,
> > Erik
> >
> > -----Original Message-----
> > From: Paolo Patierno [mailto:[email protected]]
> > Sent: Friday, 28 August 2015 08:27
> > To: [email protected]
> > Subject: RE: AMQP blog
> >
> > Hi Chuck,
> > nice and very useful article !
> > Articles like these help people to understand better AMQP
> > specification.
> >
> > I'd like to add my three part series of "AMQP type system explained
> > by examples". I used AMQP .Net Lite too.
> >
> > https://paolopatierno.wordpress.com/2015/07/20/amqp-protocol-the-builtin-type-system-by-examples/
> >
> > https://paolopatierno.wordpress.com/2015/07/23/amqp-on-the-wire-messages-content-framing/
> >
> > https://paolopatierno.wordpress.com/2015/07/24/amqp-message-accepted-encoding-on-the-wire/
> >
> > Thanks,
> > Paolo
> >
> >
> > Sent from my Windows Phone
> > ________________________________
> > From: Chuck Rolke<mailto:[email protected]>
> > Sent: 27/08/2015 23:36
> > To: [email protected]<mailto:[email protected]>
> > Subject: AMQP blog
> >
> > I've got a blog series going and I've just posted "AMQP Illustrated",
> > an article that might be of interest here.
> > Please see
> > https://chugrolke.wordpress.com/2015/08/27/amqp-illustrated/
> >
> > To date my series of blogs has been focused on the Apache ActiveMQ
> > AMQP broker and Microsoft AMQP.Net Lite client, neither of which is
> > under the Qpid umbrella. AMQP Illustrated is different. It dissects a
> > simple HelloWorld example and explains the AMQP activity that happens
> > over the wire. The illustration part is a web page with loads of AMQP
> > smarts that helps you see what's going on at a high level and still
> > easily drills down into the details.
> >
> > I have a github project https://github.com/ChugR/Adverb that contains
> > the network-trace-to-web-page logic. Check it out and let me know if
> > it is useful for you.
> >
> > -Chuck
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [email protected]
> > For additional commands, e-mail: [email protected]
> >
> > --
> > icubic AG
> > Mittelstraße 10
> > 39114 Magdeburg
> > Germany
> >
> > Tel.: +49 391 59 80 9-0
> > Fax: +49 391 59 80 9-99
> >
> > [email protected]
> > <mailto:[email protected]>www.icubic.de
> > <http://www.icubic.de/>
> > Vorstandsvorsitzender/ Chairman of the Board: Dietmar Jakal
> > Vorstand/ Board of Directors: Dietmar Jakal, Andreas Nold, Jürgen
> > Pfister
> > Aufsichtsratsvorsitzender/ Chairman of the Supervisory Board: Dr.
> > Holger von Daniels
> > Handelsregister/ Commercial Register: Amtsgericht/Local Court
> > Stendal: HRB: 111420
