Every company develops tools for internal use, and many companies base these tools on existing sources. Correlsense is no exception, and we decided to share the changes we made to code we found online for the benefit of the community.
So why did we need SSL decryption anyway? Well, we didn’t…
Network traffic analysis is an integral part of our Application Performance Monitoring technology. For this reason, one of the first tools we needed to create was a tool that could replay captured traffic for offline analysis by our code, for both troubleshooting and testing. We used libpcap for low-level capture file access, but we also needed TCP stream reassembly, since our code handles application traffic.
Initially, we used libnids. However, at some point it proved to be a little outdated and we set out to find a replacement. After some searching we found DSSL, which did (almost) everything we wanted. It even includes a sample tool that does a similar job to ssldump.
As development progressed, we realized the value of the tool we had created, and began to play around with the code – especially with the decryption of SSL traffic.
We soon found out that it worked very nicely, but had one big shortcoming – it was also a little outdated and did not support SSL/TLS protocol versions newer than TLSv1.
As a result, we extended the code, and after upgrading the version of OpenSSL, we managed to get the tool to decrypt modern HTTPS traffic.
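A check that helps before pointing a server-key-based decryptor such as the one described here at a capture: what did the ServerHello actually negotiate? The parser below is an added example written for this post (not part of the Correlsense tool, DSSL or OpenSSL); it reads one TLS record carrying a ServerHello, reports the version (handling the TLS 1.3 supported_versions case) and classifies the key exchange, and the sample records it parses are constructed, not captured traffic.

```python
import struct

# Cipher suite IDs from the IANA registry, grouped by key exchange; a small set for the common cases.
RSA_KEX_SUITES = {0x002F, 0x0035, 0x003C, 0x003D, 0x009C, 0x009D}
EPHEMERAL_SUITES = {0xC013, 0xC014, 0xC027, 0xC02F, 0xC030, 0x1301, 0x1302, 0x1303}
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
            0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}


def parse_server_hello(record):
    """Parse one TLS record holding a ServerHello; classify version and key exchange."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    hs = record[5:]
    if ctype != 22 or rec_len != len(hs) or hs[0] != 2:  # 22 = handshake, 2 = server_hello
        raise ValueError("expected a single complete ServerHello record")
    version, = struct.unpack("!H", hs[4:6])
    pos = 6 + 32 + 1 + hs[38]                       # skip random and session_id
    suite, = struct.unpack("!H", hs[pos:pos + 2])
    pos += 3                                        # cipher_suite + compression_method
    if pos + 2 <= len(hs):                          # extensions are optional
        ext_len, = struct.unpack("!H", hs[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            # TLS 1.3 leaves legacy_version at 0x0303; the real version is in extension 43.
            if etype == 43 and elen == 2:
                version, = struct.unpack("!H", hs[pos:pos + 2])
            pos += elen
    if suite in RSA_KEX_SUITES:
        kex = "RSA"
    elif suite in EPHEMERAL_SUITES:
        kex = "ephemeral"
    else:
        kex = "unknown"
    # Decrypting with only the server's private key needs an RSA-encrypted premaster
    # secret; (EC)DHE suites and TLS 1.3 rule that out regardless of which key you hold.
    return {"version": VERSIONS.get(version, hex(version)), "cipher_suite": suite,
            "key_exchange": kex,
            "decryptable_with_server_key": kex == "RSA" and version < 0x0304}


def build_server_hello(version, suite, extensions=b""):
    """Construct a sample ServerHello record (constructed test data, not captured traffic)."""
    body = struct.pack("!H", version) + b"\x11" * 32 + b"\x00" + struct.pack("!HB", suite, 0)
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, 0x0303, len(handshake)) + handshake
```

Run it over the ServerHello of a reassembled stream and you know in advance whether a server-private-key decryptor can recover the session or whether only a key-log from one endpoint would.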
Feel free to comment, fork, and contribute.
About the Author: Zvika Meiseles is the CTO of Correlsense and has over 20 years of software development experience, ranging from embedded, low-level driver development and hardware integration to scripting and back-end programming. Zvika also manages the Data Collection team, which he helped establish.