Friday, May 6, 2011

Wireshark is Pretty Awesome for SPDY Sniffing

‹prev | My Chain | next›

I have worked through a mini-SSL obsession for the past week or so. It is distracting me from SPDY proper, so hopefully I can kick the habit soon. Still, with SPDY being built on top of SSL, it is an important thing for me know better than I did. And so the obsession continues for one more day.

Although I was able to get Wireshark decrypting SSL packets for requests to Apache, I could not do the same for SPDY packets to an NPN-enabled eventmachine (courtesy Carson McDonald). Acking through eventmachine, I find this line in ext/ssl.cpp:
       SSL_CTX_set_cipher_list (pCtx, "ALL:!ADH:!LOW:!EXP:!DES-CBC3-SHA:@STRENGTH");
WTF? The DES-CBC3-SHA cipher that is being explicitly excluded there is the one that I want to use (it worked last night and is among a handful of RSA key exchange ciphers).

For now, I change that line to:
       SSL_CTX_set_cipher_list (pCtx, "DES-CBC3-SHA");
And re-build the gemspec:
chris@chris-VirtualBox:~/repos/eventmachine$ rake gem
(in /home/chris/repos/eventmachine)
rake-compiler must be configured first to enable cross-compilation
rake-compiler must be configured first to enable cross-compilation
rake-compiler must be configured first to enable cross-compilation
rake-compiler must be configured first to enable cross-compilation
Successfully built RubyGem
Name: eventmachine
Version: 1.0.0.beta.3
File: eventmachine-1.0.0.beta.3.gem
mv eventmachine-1.0.0.beta.3.gem pkg/eventmachine-1.0.0.beta.3.gem
And build and install the gem itself:
chris@chris-VirtualBox:~/repos/eventmachine$ gem install pkg/eventmachine-1.0.0.beta.3.gem
Building native extensions. This could take a while...
Successfully installed eventmachine-1.0.0.beta.3
1 gem installed
Back in the SPDY gem, I am still using the NPN server from Carson's gist explicitly using the keys from yesterday:
     start_tls(:private_key_file => 'key.pem', :cert_chain_file => 'cert.pem', :verify_peer => false)
With that, I can start up Wireshark, the NPN server and access it with Chrome:
chris@chris-VirtualBox:~/repos/spdy/examples$ ruby ./npn_spdy_server.rb 
[:SPDY, :connection_closed]
[:SPDY_HEADERS, {"accept"=>"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "accept-charset"=>"ISO-8859-1,utf-8;q=0.7,*;q=0.3", "accept-encoding"=>"gzip,deflate,sdch", "accept-language"=>"en-US,en;q=0.8", "cache-control"=>"no-cache", "host"=>"localhost:10000", "method"=>"GET", "pragma"=>"no-cache", "scheme"=>"https", "url"=>"/", "user-agent"=>"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.16 Safari/534.30", "version"=>"HTTP/1.1"}]
[:SPDY, :sent, :SYN_REPLY]
[:SPDY, :sent, :DATA]
[:SPDY, :sent, :DATA_FIN]
[:SPDY, :connection_closed]
Back in Wireshark, I see three green (decrypted) packets:



Yay! I have finally achieved the magic combination of SPDY-enabled backend, viable cipher for SSL packet sniffing, and tool capable of reading those packets.

As a bonus, Wireshark has some very SPDY-friendly capabilities. Clicking on the second of the three SPDY packets (a response from the server):



In the middle pane, I see a bunch of information about the packet (TCP/IP information and the like) including that there were three separate data segments in the packet (the SYN_REPLY, DATA, and DATA_FIN shown in the npn_spdy_server.rb output above). Even nicer, I can see the contents of those segments in separate tabs in the bottom most pane. Shown is the DATA response verifying that SPDY is working—in hex and ASCII. Nice.

So the magic combination that I need right now is:That's a bit of a laundry list, but it is good to know that it is do-able.

Thus endeth my SSL obsession. Tomorrow, I return to SPDY proper.


Day #12

No comments:

Post a Comment