Wireshark Testing #6060
Damn, just realised afterwards that Netty already did this. Would have saved me time.
@swankjesse Is it worth landing this as a sample?
This is very neat stuff. It’s unfortunate we have to jump through so many hoops to do it.
Agreed, Conscrypt is the right place to do this. google/conscrypt#847
Also, I think this example makes using Wireshark really simple and compelling for debugging HTTP/2 errors. It makes me care a lot less about improving the internal frame logging since Wireshark is obviously the right tool and this works with certificate pinning, with a public webserver, and without MITM proxies.
@swankjesse ok to land?
Good stuff. I wonder how much more automatic we can make it. I can imagine us running (or printing) a command like this:
wireshark -o tls.keylog_file:/tmp/secrets.log
Agreed 100% that this is better than frame logging. Just like how Charles is better than request/response logging.
I wonder how much work it is to send keys into Wireshark without any interaction. Ie, if we run the wireshark command above while it’s already running, does “the right thing” happen? Then it could be as simple as installing an event listener and waiting for magic to happen automatically.
/**
 * Logs SSL keys to a log file, allowing Wireshark to decode traffic and be examined with http2
 * filter. The approach is to hook into JSSE log events for the messages between client and server
 * during handshake, and then take the agreed masterSecret from private fields of the session.
this doc is 👌
We could probably improve with a command line
$ wireshark -o tls.keylog_file:/tmp/key.log -Y http2 -k
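To make concrete what the sample has to write for `tls.keylog_file`, here is an added example (not code from this PR or from OkHttp) of the NSS key log format Wireshark reads: it pulls the 32-byte client random out of a raw ClientHello record, the way a handshake-message hook would, pairs it with the session's master secret into a CLIENT_RANDOM line, and validates a key log file that also carries the TLS 1.3 labels. The ClientHello bytes and the secrets are constructed sample values, not real session material.

```python
import re

# Secret labels Wireshark accepts in a key log file; value is the fixed secret
# length in bytes where there is one (TLS 1.3 secret lengths depend on the hash).
LABELS = {
    "CLIENT_RANDOM": 48,                      # TLS 1.2 and earlier: 48-byte master secret
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET": None,  # TLS 1.3 per-direction secrets
    "SERVER_HANDSHAKE_TRAFFIC_SECRET": None,
    "CLIENT_TRAFFIC_SECRET_0": None,
    "SERVER_TRAFFIC_SECRET_0": None,
    "EXPORTER_SECRET": None,
}
HEX = re.compile(r"^[0-9a-fA-F]+$")


def client_random_from_client_hello(record: bytes) -> bytes:
    """Return the 32-byte client random from a raw TLS ClientHello record:
    5-byte record header, 4-byte handshake header, 2-byte client_version, then random."""
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    return record[11:43]


def keylog_line(label: str, client_random: bytes, secret: bytes) -> str:
    """Format one line as Wireshark expects: LABEL <client_random hex> <secret hex>."""
    if label not in LABELS or len(client_random) != 32:
        raise ValueError("unknown label or client random is not 32 bytes")
    expected = LABELS[label]
    if expected is not None and len(secret) != expected:
        raise ValueError(f"{label} expects a {expected}-byte secret")
    return f"{label} {client_random.hex()} {secret.hex()}"


def parse_keylog(text: str) -> list:
    """Parse a key log file into (label, client_random, secret) tuples, skipping comments."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] not in LABELS or not HEX.match(parts[1]) or not HEX.match(parts[2]):
            raise ValueError(f"line {n}: malformed key log entry")
        if len(parts[1]) != 64:
            raise ValueError(f"line {n}: client random must be 32 bytes")
        entries.append((parts[0], bytes.fromhex(parts[1]), bytes.fromhex(parts[2])))
    return entries


# Constructed sample ClientHello: TLS 1.2 version fields, empty session id, one cipher suite, no extensions.
SAMPLE_RANDOM = bytes(range(32))
_body = b"\x03\x03" + SAMPLE_RANDOM + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
SAMPLE_CLIENT_HELLO = b"\x16\x03\x01" + (len(_body) + 4).to_bytes(2, "big") + b"\x01" + len(_body).to_bytes(3, "big") + _body
SAMPLE_MASTER_SECRET = bytes([0xAB] * 48)  # constructed, not a real master secret
```

Each line such a hook appends is one session; a TLS 1.3 session needs the per-direction labels rather than CLIENT_RANDOM, which is why the sample defers to the external agent for TLSv1.3.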
}
}

override fun secureConnectStart(call: Call) {
This makes OkHttp event listeners look super good
if (tlsVersions.contains(TLS_1_3)) {
println("TLSv1.3 requires an external command run before first traffic is sent")
println("Follow instructions at https://github.com/neykov/extract-tls-secrets for TLSv1.3")
The agent is quite interesting. I wonder if we could detect it automatically so you don’t need to do all the work to extract the PID and log
The agent is awesome - nice work @neykov
If you are TLSv1.3 - the agent is as automatic as you need since you can just run remotely against any running Java app. OkHttp or otherwise.
But this sample is mainly to make it simple without running additional steps internally. Not sure how to incrementally improve for now. Let's try this out ourselves debugging failures against QNAP or Go based servers :)
println("TLSv1.3 requires an external command run before first traffic is sent")
println("Follow instructions at https://github.com/neykov/extract-tls-secrets for TLSv1.3")
println(
"Pid: ${ProcessHandle.current()
This is really nice
@yschimke I'm working on an Android emulator. How can I do the same thing to export keys like that?
@mrprona92 I don't think you can. This uses non-public or unstable features of specific JVMs that don't exist on Android, AFAICT.
@yschimke thanks for your response. Any suggestion for another way to do this? I'm using OkHttp with an SSL handshake. If I export a keylog file from Wireshark, then read it from the Android side, is that available?
Use some sort of MITM proxy? Sorry, not sure. Worth asking in a wider forum.
Testing outputting to a key log to assist Wireshark decoding of TLS.