On 10/13/16 10:23 AM, Konstantin Khomoutov wrote:
> On Thu, 13 Oct 2016 09:53:19 -0500
> Bryan Holloway <bryan at shout.net> wrote:
>
> [...]
>> Is there a way to see the IMAP commands coming from the client? I've
>> tried looking at PCAPs, but of course they're encrypted so I can't
>> see the actual dialog going on between the server and client. I
>> didn't see an obvious way to do this in the docs.
>
> If you have access to the SSL/TLS key (IOW, the private part of the
> cert) the server uses to secure IMAP connections you can dump the IMAP
> traffic using the `ssldump` utility (which builds on `tcpdump`).
>

I do, but the client is using a DH key exchange so I only have the
server-side private key.

Tried that using Wireshark's decoder features and ran into this
problem. I'm assuming I'd run into the same using ssldump, but I'll
give it a shot!

Stupid privacy. :)
On Thu, 13 Oct 2016 10:35:14 -0500
Bryan Holloway <bryan at shout.net> wrote:

> > [...]
> >> Is there a way to see the IMAP commands coming from the client?
> >> I've tried looking at PCAPs, but of course they're encrypted so I
> >> can't see the actual dialog going on between the server and
> >> client. I didn't see an obvious way to do this in the docs.
> >
> > If you have access to the SSL/TLS key (IOW, the private part of the
> > cert) the server uses to secure IMAP connections you can dump the
> > IMAP traffic using the `ssldump` utility (which builds on
> > `tcpdump`).
>
> I do, but the client is using a DH key exchange so I only have the
> server-side private key.
>
> Tried that using Wireshark's decoder features and ran into this
> problem. I'm assuming I'd run into the same using ssldump, but I'll
> give it a shot!

I think DH is not the culprit: just to be able to actually decode SSL
traffic, you must have the server private key when you're decoding the
SSL handshake phase -- to be able to recover the session keys, which
you then use to decode the actual tunneled data.
> On October 13, 2016 at 6:52 PM Konstantin Khomoutov <flatworm at users.sourceforge.net> wrote:
>
>
> On Thu, 13 Oct 2016 10:35:14 -0500
> Bryan Holloway <bryan at shout.net> wrote:
>
> > > [...]
> > >> Is there a way to see the IMAP commands coming from the client?
> > >> I've tried looking at PCAPs, but of course they're encrypted so I
> > >> can't see the actual dialog going on between the server and
> > >> client. I didn't see an obvious way to do this in the docs.
> > >
> > > If you have access to the SSL/TLS key (IOW, the private part of the
> > > cert) the server uses to secure IMAP connections you can dump the
> > > IMAP traffic using the `ssldump` utility (which builds on
> > > `tcpdump`).
> >
> > I do, but the client is using a DH key exchange so I only have the
> > server-side private key.
> >
> > Tried that using Wireshark's decoder features and ran into this
> > problem. I'm assuming I'd run into the same using ssldump, but I'll
> > give it a shot!
>
> I think DH is not the culprit: just to be able to actually decode SSL
> traffic, you must have the server private key when you're decoding the
> SSL handshake phase -- to be able to recover the session keys, which
> you then use to decode the actual tunneled data.

You can also enable only non DH algorithms in ssl settings if rawlog
isn't working for you.

Aki
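The distinction behind this exchange, as an added illustration that is not part of the thread and not Dovecot code: with a plain RSA key exchange the client encrypts the pre-master secret to the server's certificate key, so that private key recovers the session keys and tools like ssldump or Wireshark can decrypt the capture. With a DHE or ECDHE suite (and with every TLS 1.3 suite) the server key only signs the ephemeral parameters and cannot recover the session keys, which is why restricting the server to non-DH suites, as Aki suggests, or using Dovecot's rawlog works where importing the private key does not; the other usual option is a key log written by the client (Wireshark's SSLKEYLOGFILE). The script below parses a single TLS ServerHello record and reports which case a capture is in. The cipher-suite table is a small subset of the IANA registry, and the ServerHello bytes are constructed for the demo rather than taken from a capture.

```python
import struct

# Subset of the IANA TLS Cipher Suite registry: id -> (name, key exchange).
# Suites not listed are reported as unknown rather than guessed.
CIPHER_SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA"),
    0x009D: ("TLS_RSA_WITH_AES_256_GCM_SHA384", "RSA"),
    0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE"),
    0x0039: ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "DHE"),
    0x009E: ("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "DHE"),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE"),
    0xC014: ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "ECDHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE"),
    0xC02B: ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0x1301: ("TLS_AES_128_GCM_SHA256", "ECDHE/DHE (TLS 1.3)"),
    0x1302: ("TLS_AES_256_GCM_SHA384", "ECDHE/DHE (TLS 1.3)"),
    0x1303: ("TLS_CHACHA20_POLY1305_SHA256", "ECDHE/DHE (TLS 1.3)"),
}

HANDSHAKE = 0x16     # TLS record content type
SERVER_HELLO = 0x02  # handshake message type


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello and report the negotiated
    cipher suite plus whether the server's private key alone can recover the
    session keys (true only for plain RSA key exchange)."""
    if len(record) < 5:
        raise ValueError("record too short")
    # Record header: content type(1) version(2) length(2)
    ctype, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    # Handshake header: type(1) length(3)
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated handshake message")
    # ServerHello: version(2) random(32) session_id<0..32> cipher_suite(2)
    # compression_method(1) [extensions]
    if len(hs) < 35:
        raise ValueError("ServerHello too short")
    (version,) = struct.unpack("!H", hs[:2])
    sid_len = hs[34]
    off = 35 + sid_len
    if len(hs) < off + 3:
        raise ValueError("ServerHello truncated after session_id")
    (suite,) = struct.unpack("!H", hs[off:off + 2])
    name, kx = CIPHER_SUITES.get(suite, ("unknown", "unknown"))
    return {
        "version": version,
        "cipher_suite": suite,
        "name": name,
        "key_exchange": kx,
        # Only RSA key exchange lets the server private key decrypt the session.
        "server_key_decrypts": kx == "RSA",
    }


def build_server_hello(suite: int, session_id: bytes = b"") -> bytes:
    """Construct a minimal TLS 1.2 ServerHello record (sample data for the
    demo, not captured traffic)."""
    random = bytes(range(32))  # fixed placeholder, real servers use 32 random bytes
    hs_body = (struct.pack("!H", 0x0303) + random
               + bytes([len(session_id)]) + session_id
               + struct.pack("!H", suite) + b"\x00")
    handshake = bytes([SERVER_HELLO]) + len(hs_body).to_bytes(3, "big") + hs_body
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(handshake)) + handshake


if __name__ == "__main__":
    for suite in (0x002F, 0xC02F, 0x1301):
        info = parse_server_hello(build_server_hello(suite, b"\x01\x02"))
        verdict = ("server private key suffices" if info["server_key_decrypts"]
                   else "needs session keys (SSLKEYLOGFILE) or rawlog")
        print(f"{info['name']}: {info['key_exchange']} -> {verdict}")
```

To apply this to a real capture, feed the first handshake record the server sends on port 993 (or the one following STARTTLS on 143) to `parse_server_hello`; if the verdict is anything other than RSA, no amount of configuring the server key into the decoder will expose the IMAP dialog, and rawlog on the Dovecot side is the simpler route.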