读取HTTPS流量中的SSL和TLS数据
[英]Read SSL and TLS data in HTTPS traffic
问题描述
Is it possible to parse and store SSL and TLS data without decryption? 
无需解密就可以解析和存储SSL和TLS数据吗? Not the http headers which are encrypted but the data that is available without decryption? 不是经过加密的http标头,而是未经解密就可用的数据? I see that Wireshark is able to present this data, but I dont know how/what approach to follow. 我看到Wireshark可以呈现此数据,但是我不知道该如何/采取什么方法。 I have successfully parsed HTTP traffic but am unable to do the same for HTTPS. 我已经成功解析了HTTP流量,但是无法对HTTPS执行相同的操作。 The data I am talking about is the following: 我正在谈论的数据如下:
Can this be achieved? 能做到吗? I have the following code that captures traffic on port 443 and further forwards it to print the data like it does for my HTTP traffic on port 80. 我有以下代码捕获端口443上的流量,并进一步转发它以打印数据,就像对端口80上的HTTP流量一样。
payload = (u_char *)(packet + SIZE_ETHERNET + size_ip + size_tcp);
/* Compute tcp payload (segment) size */
size_payload = ntohs(ip->ip_len) - (size_ip + size_tcp);
printf("%s:", inet_ntoa(ip->ip_src));
printf("\n");
printf("%d ", ntohs(tcp->th_sport));
printf("\n");
printf("%s:", inet_ntoa(ip->ip_dst));
printf("\n");
printf("%d ", ntohs(tcp->th_dport));
printf("\n");
if (ntohs(tcp->th_sport) == 443)
{
printf("Payload:- ");
print_payload(payload, size_payload);
}
else if (ntohs(tcp->th_dport) == 443)
{
printf("Payload:- ");
print_payload(payload, size_payload);
}
The HTTP traffic prints just right, but in this case the output is all jumbled up characters. HTTP流量打印正确,但是在这种情况下,输出都是混乱的字符。
Output: 输出:
52.114.128.9
443
10.8.25.7
55605
Payload:- ]4=]?).-`9)}e`B_.Zp*$'AJ}/)K.P;7%-=1dV2qN,fxU?A2{h;/TEi7("Bc`;Op<?TS8O]WhX_D]O<Zi*}aGg~`@ff)3!i[ieYm(-/JP'"+kOHNwmE 3jZBX[*y`{OR9w'!1SM
I'd be grateful if somebody could help me get through this, or atleast point me to a direction where I could work it out. 如果有人可以帮助我解决这个问题,或者至少将我指出可以解决的方向,我将不胜感激。 Thanks in advance 提前致谢
1 个解决方案
解决方案1
1 已采纳 2018-11-26 17:48:57
TLS builds on TCP which provides host-to-host connectivity at the transport layer ( layer 4 ). TLS基于TCP,TCP在传输层( 第4层 )提供主机到主机的连接。 This means that you can always parse layer 4 and lower information (such as IP or TCP) since it is not protected by TLS at all. 这意味着您可以始终解析第4层和下层信息(例如IP或TCP),因为它根本不受TLS保护。
Above layer 4, you can see (and parse) the unencrypted TLS handshake that initiates the encryption connection (*). 在第4层上方,您可以看到(并解析)启动加密连接(*)的未加密TLS握手。 Afterwards, all data above layer 4 is encrypted and you can only see what appears to be random data. 之后,第4层以上的所有数据都将被加密,您只能看到看似随机的数据。 Since HTTP lives above layer 4, you should never see any unencrypted HTTP traffic. 由于HTTP位于第4层之上,因此您永远不会看到任何未加密的HTTP流量。
(*) TLS 1.3 encrypts part of the handshake. (*)TLS 1.3加密部分握手。 See this answer . 看到这个答案 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.