Jonathan Hunter
2020-Sep-07 21:06 UTC
[Samba] Wireshark LDAP capture vs Diffie-Hellman / pre-master secret - key log file
Hi,

I am trying to debug a new (to me) printer, that should be able to use AD (for LDAP / address book lookups as well as authentication).

It's been a while since I needed to dump traffic with wireshark; and evidently it's got harder since I last tried :)

I have generated a wireshark dump on my DC, to see what the printer is trying to do, using:

    dc1$ sudo tcpdump host myprinter and port ldap -w myprinter.cap

This fills up with data - great. ("159 packets received by filter, 0 packets dropped by kernel")

As per https://wiki.wireshark.org/TLS I tried copying across /usr/local/samba/private/tls/key.pem to the machine running Wireshark.. but after enabling the Wireshark TLS dissector debug file I can see:

    ssl_generate_pre_master_secret: found SSL_HND_CLIENT_KEY_EXCHG, state 17
    ssl_restore_master_key can't find pre-master secret by Unencrypted pre-master secret
    ssl_decrypt_pre_master_secret: session uses Diffie-Hellman key exchange (cipher suite 0xC030 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) and cannot be decrypted using a RSA private key file.
    ssl_generate_pre_master_secret: can't decrypt pre-master secret
    ssl_restore_master_key can't find pre-master secret by Encrypted pre-master secret
    dissect_ssl3_handshake can't generate pre master secret

The Wireshark documentation talks a lot about a key log file that I would need to get from Samba (in other apps it's using the SSLKEYLOGFILE environment variable) - but I can't find any references or documentation as to how (if at all) I can configure my Samba AD DC to generate one of these files.

Has anyone had any success with Samba, Wireshark and Diffie-Hellman in this scenario? From the packet dump I can see that the printer starts a TLS session but then I can't get further to see what it's doing next.

(Or - is anyone successfully using a Xerox 7835 and can share tips on how to configure it / samba? :) )

Cheers,

Jonathan

--
"If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein
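The dissector messages above come down to one fact: with an ECDHE suite such as 0xC030 the pre-master secret is derived from ephemeral Diffie-Hellman values and never travels encrypted under the server's RSA key, so key.pem cannot recover it (that is forward secrecy working as designed); only a key log entry matching the session's client random can. The following Python script is an added example, not code from the poster, Samba or Wireshark: it pulls the client random and negotiated cipher suite out of constructed ClientHello/ServerHello records, parses an NSS-format key log (the same format SSLKEYLOGFILE produces), and reports which decryption route would work. The small cipher-suite tables, the record builders and the sample key log line are assumptions made for the demonstration.

```python
"""Decide how a captured TLS 1.2 session could be decrypted: via the server's
RSA private key (static RSA key exchange only) or via a CLIENT_RANDOM key log
entry (required for (EC)DHE suites). Added example; all data is constructed."""
import struct

HANDSHAKE = 0x16
CLIENT_HELLO, SERVER_HELLO = 1, 2

# Assumption: a small subset of IANA cipher suite IDs is enough to illustrate
# the distinction. 0xC030 is the suite named in the Wireshark debug output.
EPHEMERAL_SUITES = {
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x009F: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
}
RSA_KEX_SUITES = {
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}


def parse_handshake(record):
    """Parse one TLS record carrying a ClientHello or ServerHello.
    Returns the handshake type, the 32-byte random (hex) and the cipher
    suite(s); raises ValueError on anything it does not understand."""
    if len(record) < 9 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    msg = record[5:5 + rec_len]
    if len(msg) != rec_len:
        raise ValueError("truncated record")
    hs_type = msg[0]
    hs_len = int.from_bytes(msg[1:4], "big")
    hs = msg[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated handshake message")
    random = hs[2:34].hex()          # after the 2-byte legacy version
    pos = 35 + hs[34]                # skip session_id (length-prefixed)
    if hs_type == SERVER_HELLO:
        suite = struct.unpack("!H", hs[pos:pos + 2])[0]
        return {"type": "ServerHello", "random": random, "cipher_suite": suite}
    if hs_type == CLIENT_HELLO:
        n = struct.unpack("!H", hs[pos:pos + 2])[0]
        suites = [struct.unpack("!H", hs[i:i + 2])[0]
                  for i in range(pos + 2, pos + 2 + n, 2)]
        return {"type": "ClientHello", "random": random, "cipher_suites": suites}
    raise ValueError(f"unsupported handshake type {hs_type}")


def parse_keylog(text):
    """Parse NSS key log lines ('LABEL <client_random hex> <secret hex>') into
    {client_random: (label, secret)}; '#' comments and blank lines are skipped."""
    secrets = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or len(parts[1]) != 64:
            raise ValueError(f"malformed key log line: {line!r}")
        label, client_random, secret = parts
        secrets[client_random.lower()] = (label, secret.lower())
    return secrets


def decryption_plan(client_hello, server_hello, keylog):
    """Mirror the dissector's choice: static RSA -> the server key works;
    otherwise only a key log entry for this session's client random helps."""
    suite = server_hello["cipher_suite"]
    if suite not in client_hello["cipher_suites"]:
        raise ValueError("server chose a suite the client never offered")
    if suite in RSA_KEX_SUITES:
        return "rsa-private-key"
    if client_hello["random"] in keylog:
        return "key-log"
    return "undecryptable"


# --- constructed sample records (builders are assumptions for this demo) ---
def _wrap(hs_type, body):
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 3, 3]) + struct.pack("!H", len(hs)) + hs


def build_client_hello(random, suites):
    body = b"\x03\x03" + random + b"\x00"                  # version, random, empty sid
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                     # compression: null only
    return _wrap(CLIENT_HELLO, body)


def build_server_hello(random, suite):
    body = b"\x03\x03" + random + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return _wrap(SERVER_HELLO, body)


CLIENT_RANDOM = bytes(range(32))        # constructed
SERVER_RANDOM = bytes(range(32, 64))    # constructed
SAMPLE_KEYLOG = ("# constructed key log\n"
                 "CLIENT_RANDOM " + CLIENT_RANDOM.hex() + " " + "ab" * 48 + "\n")

if __name__ == "__main__":
    ch = parse_handshake(build_client_hello(CLIENT_RANDOM, [0xC030, 0x009D]))
    for suite in (0xC030, 0x009D):
        sh = parse_handshake(build_server_hello(SERVER_RANDOM, suite))
        name = EPHEMERAL_SUITES.get(suite) or RSA_KEX_SUITES.get(suite)
        print(name, "without key log:", decryption_plan(ch, sh, {}))
        print(name, "with key log:   ", decryption_plan(ch, sh, parse_keylog(SAMPLE_KEYLOG)))
```

Run against the constructed data, the ECDHE session reports "undecryptable" until a CLIENT_RANDOM line whose first field equals the ClientHello random is supplied, while the static-RSA session reports "rsa-private-key" regardless; that is exactly the gap the original poster hit, and the reason the Wireshark wiki points at a key log file rather than key.pem for this suite.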