Saturday, 24 November 2012

OpenELEC Raspberry Pi - Build R12577

Time for another new image. The OpenELEC guys have added something pretty cool to this release. If you've got a new Pi with 512MB of RAM it can run OpenELEC entirely from RAM! I can't test this myself because I've got a first revision, but Matt @ RaspPiBeginners has tested it out and it works well.

OpenELEC R12577 - Raspberry Pi 1GB image

Tuesday, 13 November 2012

F5 and Websockets

UPDATE: Well even though the F5 engineer swore that websockets were unsupported - it appears a bug has appeared with relation to handling of websockets and according to - they now work as of TMOS >= 11.4

If you're interested in getting some shiny new HTML5 websockets working through an F5 load balancer with HTTP profiles enabled, you're in for some disappointment.
Despite websockets being documented in the RFC as proxy compatible - they don't work through an F5 when you are using full-proxy mode (i.e. you have an HTTP profile assigned). This looks to be down to the websockets connection sending an 'upgrade' notification to the client which turns the HTTP connection into a standard TCP connection (still on port 80/443 however but not strictly HTTP).

Anyway, unless you know of some hardcore iRule magic - I had to have a bit of an architectural rethink. Our websockets application on the backend works off of a virtual host which has the websockets proxy enabled on it. It runs on the same server as the main web application so you can see where disabling the HTTP profile becomes a problem if I want to run any iRules relating to HTTP. The way we've got around it is to create a new public virtual server then redirect any connections going to the /websocket  to the new virtual server using an iRule. On the new virtual server - you still assign an HTTP profile and then create an iRule so that only connections to the /websocket path go to the virtual server and anything else is redirected back to the main VS. It's a bit of a crude solution, but it's simple enough to do the job. For what it's worth, websockets support is in the pipeline apparently.
So for the iRules...

iRule for VS_main_web_app

if {[HTTP::URI] starts_with '/websocket'}
  HTTP::redirect ""

iRule for VS_websocket_only

if {![HTTP::URI] starts_with "/websocket"}
  HTTP::redirect ""

Sunday, 11 November 2012

SSL Decryption with Wireshark (Private key and Pre-Master secret)

Troubleshooting communication problems with Wireshark can be difficult at the best of times, yet alone when the connection is encrypted with SSL/TLS.
There are a couple of ways you can approach decrypting the SSL/TLS traffic. One assumes you have root access to the server you are having problems with and you're able to obtain a copy of the public and private key. If you only have access to the server as a client with no special privileges, there are still a couple of ways to take look at the encrypted data.

Before you look at either method, it would be useful to do a little background reading on SSL/TLS as the encryption methods might not work quite as you think.
In a nutshell, when a client (in most cases, a web browser) makes a connection to a web server requiring SSL/TLS encryption - the encrypted channel is setup using a symmetric session key. This key is a random string generated by the client and then encrypted and transmitted using the servers public key, known as the Pre-master Secret. Once shared, the client and server use this shared key to encrypt and decrypt traffic. There's a more detailed version of this here, but knowing this you be able to see how you can decrypt the traffic using the SSL session key or the servers private key.

Method 1 : Decrypting the traffic with the server private key.

  1. You'll need the private key from the server first. This can be hidden in a variety of locations so you'll have to refer to your server documentation for where to find it. Usually it will be a single file with an extension of .CRT, .PEM, .DER or in some cases .PFX or .P12. The latter two are certificate containers which contain the private key, public key and the certificate of the issuing CA.
  2. Once you've found the private key, it will make things easier if they're in PEM format with an unencrypted key. The best way to do the conversion is to use OpenSSL. It can be a bit confusing at first but you'll soon get used to how it works. There is a good selection of commands here (they also offer an upload / convert tool. Not to say they're not trustworthy, but I wouldn't recommend giving your private key to anyone. Ever.)
  3. Now you have the private key, you'll need to load this into Wireshark and configure it to use this key for any traffic to or from your web server. Go to Edit > Preferences. Then Protocols > SSL. Next to the RSA keys list text, click the edit button. From here select the servers private key and enter the IP address of the web server that will be present in the capture. Select port 443 (or whichever port your application runs on) and the protocol which is inside the encrypted tunnel. In most cases, this will be HTTP but could be IMAP, SMTP etc. The password field can be left blank if you've saved the key in an unencrypted form, otherwise provide the password here. Click OK until you're back to the Wireshark main screen.
  4. Now start the capture and generate some encrypted traffic to your web server. Make sure you are using a totally new session. Clearing the cache then closing and reopening your browser would be ideal. Stop the capture when you've generated a few connections.
  5. Back in the main window, you should now find that the SSL wrapping has been removed and you're able to view the protocol details within.

Method 2: Decrypting with Pre-Master Secrets

This method is relatively new to Wireshark and allows you decrypt the encrypted traffic using the Pre-Master Secret which is generated by the client. By default, this key isn't logged anywhere for obvious reasons but with Chrome it's possible to set an environment variable and have these written to disk.
  1. (Windows 7) Right click on 'My Computer' and then go to properties.Then click Advanced System Settings > Environment Variables. Then under system variables - create a new variable named SSLKEYLOGFILE with the value being a text file. In this case I went with C:\premaster.txt. Click OK through all open dialogs. I've found this didn't take effect immediately and needed a reboot before it started logging.
  2. Back in Wireshark, head to Edit > Preferences > Protocols > SSL. Under the option for '(Pre)Master-Secret log file name' - select your log file you created above (so C:\premaster.txt).
  3. Start your capture in Wireshark and then generate a few SSL connections in Chrome. Stop the capture when you're done.
  4. In Wireshark, you should again see that your encrypted traffic is now unwrapped ready for some troubleshooting. If you don't, check the pre-master file you've created exists and has some contents. If not you should double check your environment variable.

These is of course a much easier method for looking into encrypted traffic if you're only looking at HTTP traffic (or traffic that supports a proxy setting) and that's to use Fiddler. Fiddler is an excellent local proxy application which can perform SSL termination and re-encryption (otherwise known as 'man-in-the-middle' / MITM). If you don't need a full packet capture and can make do with the HTTP requests and responses this might save you a lot of pain.