> On 30/09/2020 18:06 Kurt Jaeger <dovecot at opsec.eu> wrote:
>
>
> Hi!
>
> My question is: can dovecot be used to debug/decrypt TLS sessions ?
>
> The reason I'm asking:
>
> A custom application wants to speak IMAP with TLS with a dovecot
> instance.
>
> It fails, and the error message is, unfortunately, not very helpful.
> tcpdump shows that the session is established, but fails. The custom
> application says error 60000, not much more.
>
> There is a way to decode TLS sessions in some cases:
>
> https://wiki.wireshark.org/TLS
>
> using firefox and the environment variable SSLKEYLOGFILE.
>
> Basically, the TLS client (firefox), while negotiating keys with the
> other side, writes those logfiles to a logfile specified by SSLKEYLOGFILE
> and at the same time, wireshark is used to capture / write the pcap
> of the session.
>
> Then wireshark can be used to decode the contents of the TLS-encrypted
> session.
>
> Is something similar possible with dovecot as the server and
> from the server side ?
>
> Is, by chance, the session=<...> value already such a key so that
> a tcpdump pcap file would be able to decrypt that session ?
>
> Sep 29 08:51:30 imap-login: Info: Login: user=<someuser>,
> method=PLAIN, rip=<someip>, lip=<someotherip>, mpid=63667, TLS,
> session=<GGF0Nm6wxy0qAQHoAAMAAwAAAAAAAAAB>
>
> --
> pi at opsec.eu +49 171 3101372 Now what ?
Hi!
If rawlogs did not have a bug, you would be able to use that to log what the
client is sending/receiving.
But, unfortunately, that does not work; it's broken with TLS, so you need to
work around this bit: return from passdb

    proxy_maybe=y host=127.0.0.2

to connect to localhost again, unencrypted. Then add

    protocol imap {
      rawlog_dir=%h/rawlogs/
    }

then create a rawlogs directory under the user's home directory, with mode 0777, and it
should store input/output transcripts per session.
Remember to disable these after using them!
Aki
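
Because the workaround above proxies the session to localhost in plaintext, the
rawlog transcript contains the user's password exactly as the client sent it,
which matters if the transcript is going to be pasted into a bug report or onto
this list. The script below is an added example for this thread, not code from
Dovecot or from either poster: it pairs up the per-session rawlog files, prints
the client and server halves, and redacts LOGIN and AUTHENTICATE PLAIN
credentials. It assumes the file naming <YYYYMMDD-HHMMSS>.<pid>.in / .out that
Dovecot's rawlog documentation shows (treat that as an assumption), and the
sample files it writes are constructed, not a real capture.

```python
"""Pair Dovecot rawlog transcripts and print the IMAP exchange with credentials redacted.

Assumptions (not taken from the thread):
  - rawlog_dir writes one pair of files per session named
    <YYYYMMDD-HHMMSS>.<pid>.in (client -> server) and .out (server -> client).
  - The client authenticates with LOGIN or AUTHENTICATE PLAIN; literal-syntax
    ({n}) arguments are not handled.
"""
import base64
import os
import re
import tempfile
from pathlib import Path

# "tag LOGIN user password" -> keep tag/user, drop the (possibly quoted) password.
LOGIN_RE = re.compile(rb'^(\S+\s+LOGIN\s+\S+\s+)(.+)$', re.IGNORECASE)
# "tag AUTHENTICATE PLAIN" with an optional SASL-IR initial response on the same line.
AUTH_PLAIN_RE = re.compile(rb'^(\S+\s+AUTHENTICATE\s+PLAIN)(?:\s+(\S+))?\s*$', re.IGNORECASE)
# Assumed rawlog file naming: <stamp>.<pid>.in / .out
SESSION_RE = re.compile(r'^(\d{8}-\d{6}\.\d+)\.(in|out)$')


def redact_client_lines(lines):
    """Redact credentials from the client half of a transcript (list of bytes lines)."""
    out = []
    expect_sasl_blob = False  # set after a bare "AUTHENTICATE PLAIN": next line is base64 creds
    for line in lines:
        if expect_sasl_blob:
            out.append(b'<SASL PLAIN credentials redacted>')
            expect_sasl_blob = False
            continue
        m = LOGIN_RE.match(line)
        if m:
            out.append(m.group(1) + b'<password redacted>')
            continue
        m = AUTH_PLAIN_RE.match(line)
        if m:
            if m.group(2):  # SASL-IR: credentials are on the command line itself
                out.append(m.group(1) + b' <SASL PLAIN credentials redacted>')
            else:
                out.append(line)
                expect_sasl_blob = True
            continue
        out.append(line)
    return out


def find_sessions(rawlog_dir):
    """Group the .in/.out files in rawlog_dir by session id -> {'in': path, 'out': path}."""
    sessions = {}
    for name in os.listdir(rawlog_dir):
        m = SESSION_RE.match(name)
        if m:
            sessions.setdefault(m.group(1), {})[m.group(2)] = Path(rawlog_dir, name)
    return sessions


def transcript(rawlog_dir, session_id):
    """Redacted transcript of one session as 'C: ...' / 'S: ...' strings.

    The two directions are separate files, so their relative ordering is not
    recoverable; client lines are listed first, then server lines.
    """
    files = find_sessions(rawlog_dir)[session_id]
    client = redact_client_lines(files['in'].read_bytes().splitlines()) if 'in' in files else []
    server = files['out'].read_bytes().splitlines() if 'out' in files else []
    return ([f"C: {l.decode('latin-1')}" for l in client]
            + [f"S: {l.decode('latin-1')}" for l in server])


def build_sample(rawlog_dir):
    """Write two constructed sessions (sample data, not a real capture)."""
    d = Path(rawlog_dir)
    (d / '20200930-180601.63667.in').write_bytes(
        b'a001 CAPABILITY\r\n'
        b'a002 LOGIN someuser "hunter 2"\r\n'
        b'a003 SELECT INBOX\r\n')
    (d / '20200930-180601.63667.out').write_bytes(
        b'* OK Dovecot ready.\r\n'
        b'* CAPABILITY IMAP4rev1 AUTH=PLAIN\r\n'
        b'a001 OK Capability completed.\r\n'
        b'a002 OK Logged in\r\n'
        b'a003 OK [READ-WRITE] Select completed.\r\n')
    sasl = base64.b64encode(b'\0someuser\0hunter2')  # what a PLAIN client really sends
    (d / '20200930-180745.63701.in').write_bytes(
        b'b001 AUTHENTICATE PLAIN\r\n' + sasl + b'\r\n'
        b'b002 LOGOUT\r\n')
    (d / '20200930-180745.63701.out').write_bytes(
        b'+ \r\n'
        b'b001 OK Logged in\r\n'
        b'* BYE Logging out\r\n'
        b'b002 OK Logout completed.\r\n')


def demo():
    """Build the sample directory and return {session_id: transcript_lines}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return {sid: transcript(tmp, sid) for sid in find_sessions(tmp)}


if __name__ == '__main__':
    for sid, lines in sorted(demo().items()):
        print(f'== session {sid}')
        print('\n'.join(lines))
```

Point it at the real rawlogs directory by replacing the call to build_sample()
with the path from rawlog_dir; the redaction covers only the two plaintext
mechanisms above, so check the output by eye before sharing it.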