I have worked through a mini-SSL obsession for the past week or so. It is distracting me from SPDY proper, so hopefully I can kick the habit soon. Still, with SPDY being built on top of SSL, it is an important thing for me to know better than I did. And so the obsession continues for one more day.
Although I was able to get Wireshark decrypting SSL packets for requests to Apache, I could not do the same for SPDY packets to an NPN-enabled eventmachine (courtesy Carson McDonald). Ack'ing through eventmachine, I find this line in ext/ssl.cpp:

```cpp
SSL_CTX_set_cipher_list (pCtx, "ALL:!ADH:!LOW:!EXP:!DES-CBC3-SHA:@STRENGTH");
```

WTF? The DES-CBC3-SHA cipher that is being explicitly excluded there is the one that I want to use (it worked last night and is among a handful of RSA key exchange ciphers). For now, I change that line to:

```cpp
SSL_CTX_set_cipher_list (pCtx, "DES-CBC3-SHA");
```

And re-build the gemspec:
```
chris@chris-VirtualBox:~/repos/eventmachine$ rake gem
(in /home/chris/repos/eventmachine)
rake-compiler must be configured first to enable cross-compilation
rake-compiler must be configured first to enable cross-compilation
rake-compiler must be configured first to enable cross-compilation
rake-compiler must be configured first to enable cross-compilation
Successfully built RubyGem
Name: eventmachine
Version: 1.0.0.beta.3
File: eventmachine-1.0.0.beta.3.gem
mv eventmachine-1.0.0.beta.3.gem pkg/eventmachine-1.0.0.beta.3.gem
```

And build and install the gem itself:

```
chris@chris-VirtualBox:~/repos/eventmachine$ gem install pkg/eventmachine-1.0.0.beta.3.gem
Building native extensions. This could take a while...
Successfully installed eventmachine-1.0.0.beta.3
1 gem installed
```

Back in the SPDY gem, I am still using the NPN server from Carson's gist, explicitly using the keys from yesterday:

```ruby
start_tls(:private_key_file => 'key.pem', :cert_chain_file => 'cert.pem', :verify_peer => false)
```

With that, I can start up Wireshark and the NPN server, and access it with Chrome:

```
chris@chris-VirtualBox:~/repos/spdy/examples$ ruby ./npn_spdy_server.rb
[:SPDY, :connection_closed]
[:SPDY_HEADERS, {"accept"=>"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "accept-charset"=>"ISO-8859-1,utf-8;q=0.7,*;q=0.3", "accept-encoding"=>"gzip,deflate,sdch", "accept-language"=>"en-US,en;q=0.8", "cache-control"=>"no-cache", "host"=>"localhost:10000", "method"=>"GET", "pragma"=>"no-cache", "scheme"=>"https", "url"=>"/", "user-agent"=>"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.16 Safari/534.30", "version"=>"HTTP/1.1"}]
[:SPDY, :sent, :SYN_REPLY]
[:SPDY, :sent, :DATA]
[:SPDY, :sent, :DATA_FIN]
[:SPDY, :connection_closed]
```

Back in Wireshark, I see three green (decrypted) packets:
Yay! I have finally achieved the magic combination of SPDY-enabled backend, viable cipher for SSL packet sniffing, and tool capable of reading those packets.
As a bonus, Wireshark has some very SPDY-friendly capabilities. Clicking on the second of the three SPDY packets (a response from the server):
In the middle pane, I see a bunch of information about the packet (TCP/IP information and the like), including that there were three separate data segments in the packet (the SYN_REPLY, DATA, and DATA_FIN shown in the npn_spdy_server.rb output above). Even nicer, I can see the contents of those segments in separate tabs in the bottom-most pane. Shown is the DATA response verifying that SPDY is working—in hex and ASCII. Nice.

So the magic combination that I need right now is:
- RSA key exchange cipher suite like DES-CBC3-SHA (others do not work)
- An openssl-generated server key (simple instructions or Ubuntu's nicely detailed instructions)
- The SPDY Gem
- Carson McDonald's NPN enabled fork of eventmachine (in the tls-npn branch)
- 32 bit OS
- Carson's npn_spdy_server.rb + modification (see above) to use the key generated by openssl
- Modification (see above) to eventmachine to use an RSA key-exchange cipher
- Edge-openssl (instructions)
- Wireshark
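Why only an RSA key exchange suite works for this kind of sniffing, as an added example (mine, not the post's or eventmachine's code): the snippet below parses `openssl ciphers -v` style output (a constructed sample, not captured output) and separates the suites whose sessions Wireshark can recover with the server's private key from those it cannot. The same property cuts the other way for a production server: anyone who later obtains that key can decrypt recorded sessions, which is why forward-secret (EC)DHE suites are what you want outside a debugging setup like this one.

```ruby
# Added example, not code from the post or from eventmachine. It classifies
# cipher suites the way Wireshark's private-key decryption cares about: only a
# plain RSA key exchange (Kx=RSA) encrypts the premaster secret to the server's
# key, so only those sessions can be recovered from the key. (EC)DHE suites
# derive the secret from ephemeral values and stay opaque even with the key.
#
# Input is in the format of `openssl ciphers -v`. SAMPLE_CIPHERS_V is constructed
# for this example (it mirrors the real format but is not captured output).
SAMPLE_CIPHERS_V = <<~OUT
  ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA  Enc=AESGCM(128) Mac=AEAD
  DHE-RSA-AES256-SHA          SSLv3   Kx=DH   Au=RSA  Enc=AES(256)    Mac=SHA1
  AES128-SHA                  SSLv3   Kx=RSA  Au=RSA  Enc=AES(128)    Mac=SHA1
  DES-CBC3-SHA                SSLv3   Kx=RSA  Au=RSA  Enc=3DES(168)   Mac=SHA1
  ADH-AES128-SHA              SSLv3   Kx=DH   Au=None Enc=AES(128)    Mac=SHA1
OUT

Suite = Struct.new(:name, :version, :kx, :au, :enc, :mac) do
  # True when someone holding only the server's RSA private key can decrypt a
  # recorded session, i.e. the suite has no forward secrecy.
  def decryptable_with_server_key?
    kx == "RSA"
  end
end

# Parse one `openssl ciphers -v` line into a Suite; nil if it does not match.
def parse_cipher_line(line)
  m = line.match(/^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)/)
  m && Suite.new(*m.captures)
end

def parse_ciphers_v(text)
  text.each_line.map { |l| parse_cipher_line(l.strip) }.compact
end

# Split the suites into the ones Wireshark can decrypt with the server key
# (Kx=RSA) and the ones it cannot (ephemeral or anonymous DH key exchange).
def partition_for_wireshark(text)
  yes, no = parse_ciphers_v(text).partition(&:decryptable_with_server_key?)
  { decryptable: yes.map(&:name), not_decryptable: no.map(&:name) }
end

if __FILE__ == $0
  result = partition_for_wireshark(SAMPLE_CIPHERS_V)
  puts "Decryptable with the server key (Kx=RSA): #{result[:decryptable].join(', ')}"
  puts "Opaque even with the key (ephemeral Kx): #{result[:not_decryptable].join(', ')}"
end
```

Feed it the real output of `openssl ciphers -v 'ALL:!ADH:!LOW:!EXP:!DES-CBC3-SHA:@STRENGTH'` to see which suites eventmachine's original cipher string left Wireshark able to decrypt with the key.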
Thus endeth my SSL obsession. Tomorrow, I return to SPDY proper.
Day #12