Building SSL-Trace

The SSL-trace tool is a sample application that comes with the 1.0.3 release of the DSSL library. DSSL is an open-source library for decrypting SSL traffic and is provided by SSL-Tech. The provided sample ssltrace dumps decrypted chunks to the standard output. For the WebTap application to reassemble the chunks into HTTP streams, additional information about each decrypted chunk is needed (specifically: to what connection does the chunk belong).

Therefore I created a small modified version of the ssltrace tool that additionally dumps out the client address and port and the server address and port to standard out.

The DSSL sources of release 1.0.3, including the modified ssltrace sample application, are provided here:

In the following, I will outline the process of building the ssltrace tool.

Building

In order to build ssltrace, you need to get the above sources and have a development environment installed (that is, a C compiler, libc headers, etc.). Most importantly, you need to have the libpcap and openssl libraries as well as their headers available on your system.

  1. Preparing your environment
    As ssltrace relies on the packet-capture library libpcap, you need to have this available on your system. As you are going to compile against it, you also need to have the library's header files available.

    For the same reason, you also need to have openssl and its headers on your system, as the DSSL library uses openssl for decryption and key handling. On Debian or Ubuntu systems, these libraries can quickly be installed using apt-get:

      sudo apt-get install libpcap0.7 libpcap0.7-dev libssl0.9.7 libssl-dev
    

    This will install the libraries (libpcap0.7, libssl0.9.7) as well as the header files (libpcap0.7-dev, libssl-dev).

  2. Getting the Source
    The sources of DSSL are available from SSL-Tech. To get ssltrace to work with DSSL you need the modified sources available at
    For the lazy copy&paste users, you will get these by issuing
         wget http://www.jwall.org/web/tap/dssl-1.0.3-chris.tar.gz
    
    Alternatively, you may simply use the original sources and apply the ssltrace patch:

  3. Configuring and Compiling DSSL and SSL-Trace
    Compiling the DSSL library is straightforward. Just run the provided configure script and compile the library and the tools using make:
          ./configure
          make
          make install    # optional
    
    As for the last step, make install: this is optional, though recommended. You don't need to install ssltrace right now. For trying out the WebTap you may simply start ssltrace from its source directory.

Running ssltrace & WebTap

After you have successfully built it, you can start auditing SSL-encrypted streams by starting ssltrace and piping its output to the WebTap monitor as shown in the following line (all on one line):

   ssltrace -i eth0 -ip <server-ip> -port 443 -key /path/to/server.key | \
      java -jar org.jwall.web.tap-0.4.8.jar -o /path/to/log-directory -type ssl

Note that for decrypting an SSL stream you need to have the server's private key available. Also note the -t ssl option given to the WebTap above, which selects the WebTap's SSLTrace input handler to be used for parsing.
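Because the pipeline above hands the server's private key to a capture tool, it is worth checking the parameters before launching it. The following wrapper is an added example, not part of DSSL, ssltrace or WebTap; the helper names (check_ipv4, check_port, check_key_file, build_pipeline) are my own, and the key content it creates for the demo is constructed.

```shell
#!/bin/sh
# Added example (not from the DSSL/WebTap distribution): validate the arguments
# of the ssltrace | WebTap pipeline from the page before printing the command.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
check_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Return 0 if $1 is a TCP port number in 1..65535.
check_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Return 0 if $1 is an existing PEM private key that is not readable by
# group or others (the key decrypts every captured session, so keep it 0600).
check_key_file() {
    [ -f "$1" ] || return 1
    head -n 1 "$1" | grep -q -- '-----BEGIN .*PRIVATE KEY-----' || return 1
    case $(ls -l "$1" | cut -c5-10) in   # group + other permission bits
        *r*) return 1 ;;
    esac
    return 0
}

# Print the pipeline from the page (interface, server ip, port, key, log dir)
# on stdout, or fail with a reason on stderr.
build_pipeline() {
    check_ipv4 "$2" || { echo "bad server ip: $2" >&2; return 1; }
    check_port "$3" || { echo "bad port: $3" >&2; return 1; }
    check_key_file "$4" || { echo "key missing, not PEM or too permissive: $4" >&2; return 1; }
    printf 'ssltrace -i %s -ip %s -port %s -key %s | java -jar org.jwall.web.tap-0.4.8.jar -o %s -type ssl\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# Demo with a constructed (non-functional) key file in a temp directory.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructed' '-----END RSA PRIVATE KEY-----' > "$demo_dir/server.key"
chmod 600 "$demo_dir/server.key"
build_pipeline eth0 192.0.2.10 443 "$demo_dir/server.key" /var/log/webtap
chmod 644 "$demo_dir/server.key"
build_pipeline eth0 192.0.2.10 443 "$demo_dir/server.key" /var/log/webtap || echo "refused world-readable key"
```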

Windows: As there is a Windows version of the DSSL library available at SSL-Tech, auditing https streams should also be possible on Windows systems. However, lacking a development environment for Windows, I cannot prove/test/provide a Windows binary.