Restricting Java based Web Server TLS protocols for inspection by Wireshark

StackOverflow https://stackoverflow.com/questions/21958615

Frage

I am using a Java based Web Server ( PlayFramework 2.2 FWIW - see the very good write up on TLS ), and I want to debug the SSL communication for various devices, eg: Android, to see exactly what is happening on the wire as far as TLS goes. For this I can use Wireshark to decrypt the SSL layer. This works if the server does not create an Ephemeral key, as explained nicely by Steven Iveson:

Important: Ensure the use of a Diffie-Hellman Ephemeral (DHE/EDH) or RSA Ephemeral cipher suite is not negotiated between the two hosts. This is indicated by the use of a ServerKeyExchange message. There is no way to decrypt data where ephemeral ciphers are used.

The Java Secure Sockets Extension Reference Guide section on how to Disable Algorithms points to the jdk.tls.disabledAlgorithms property which I have tried setting directly in the $JAVA_HOME/jre/lib/security/java.security file to 

jdk.tls.disabledAlgorithms=DH, ECDH, EDCHE, DiffieHellman

I tried using some of the Java™ Cryptography Architecture Standard Algorithm Name Documentation as an attempt to select one of those strings, but I have been selecting a bit in the wild.

I tried setting it also using it in code to 

java.security.Security.setProperty("jdk.tls.disabledAlgorithms","ECDH, ECDHE, ECDHE_RSA, DiffieHellman")

but that does not seem to stop the the appearance of the ServerKeyExchange messages, as shown in the screenshot of Wireshark 1.11.2 on OSX: screenshot of Wireshark 1.11.2 on OSX . And indeed I don't seem to be able to decrypt the stream.

Any idea what I may be doing wrong?

War es hilfreich?

Lösung 2

I was close. The answer seems to be to set the security property as follows:

jdk.tls.disabledAlgorithms=DHE, ECDHE

(I came on that after reading the hot-off-the-press blog post: JDK 8 will use TLS 1.2 as default).

Once that is set on the server, an https connection captured by Wireshark no longer shows the Server Key Exchange message.

Wireshark on OSX showing a TLS 1.2 communication without perfect forward secrecy key negotiation

It is then possible to decrypt content that went over the wire as shown by this image

picture of unencrypted communication

I hope this will be useful when trying to analyse what Android cell phones are receiving over the wire.

Andere Tipps

Not sure if this will help, but try doing it inside a privileged block:

AccessController.doPrivileged(
  new PrivilegedExceptionAction[Unit]() {
     java.security.Security.setProperty("jdk.tls.disabledAlgorithms","ECDH, ECDHE, ECDHE_RSA, DiffieHellman")

  }
)
Lizenziert unter: CC-BY-SA mit Zuschreibung
Nicht verbunden mit StackOverflow
scroll top