Lorenzo Mangani edited this page Dec 16, 2017 · 47 revisions
This is a work in progress! Issues must be raised with full details and a PCAP to reproduce.
When provided with the appropriate keying material, the TCP protocol module can attempt to decrypt TLS connections and display the application data traffic in real time.
Internally, the master-secret exchanges are captured, dissected and leveraged to passively regenerate the required decryption keys. Decryption can only be attempted for scenarios that include the full client-server handshake (to be extended).
- TLS_RSA_WITH_AES_256_GCM_SHA384
- RSA_PKCS1_PADDING
- TLS_DH* (Diffie-Hellman)
```bash
apt-get install -y libgcrypt20 libgcrypt-dev libssl-dev
./build.sh
./configure --enable-tls
make && sudo make install
```
Configure the full path to the required private key to decrypt RSA/TLS traffic:
```xml
<?xml version="1.0"?>
<document type="captagent_module/xml">
  <module name="protocol_tcp" description="TCP Protocol" serial="2014010402">
    <profile name="proto_tcp" description="TCP PROTO" enable="true" serial="2014010402">
      <settings>
        <param name="flow-timeout" value="180"/>
        <!-- the value of private key refers to the absolute path of the key (used for decryption) -->
        <param name="private-key-path" value="/path/to/pvt.key"/>
      </settings>
    </profile>
  </module>
</document>
```
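An added example (not captagent's own code): a pre-flight audit of the `private-key-path` value from the profile above, since the file it names is enough to decrypt captured RSA/TLS traffic. The function name `audit_private_key_path`, the owner-only permission check and the PEM-encoding check are assumptions of this example.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample: the page's profile with its placeholder key path.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<document type="captagent_module/xml">
  <module name="protocol_tcp" description="TCP Protocol" serial="2014010402">
    <profile name="proto_tcp" description="TCP PROTO" enable="true" serial="2014010402">
      <settings>
        <param name="flow-timeout" value="180"/>
        <param name="private-key-path" value="/path/to/pvt.key"/>
      </settings>
    </profile>
  </module>
</document>"""

def audit_private_key_path(xml_text):
    """Return a list of findings for each private-key-path param (empty list = clean)."""
    params = ET.fromstring(xml_text).findall(".//param[@name='private-key-path']")
    if not params:
        return ["private-key-path is not set"]
    findings = []
    for param in params:
        path = param.get("value", "")
        if not os.path.isabs(path):  # the config comment requires an absolute path
            findings.append(f"{path!r}: not an absolute path")
            continue
        try:
            st = os.stat(path)
            if not stat.S_ISREG(st.st_mode):
                findings.append(f"{path}: not a regular file")
                continue
            with open(path, "r", errors="replace") as fh:
                head = fh.read(4096)
        except OSError as exc:
            findings.append(f"{path}: cannot read ({exc.strerror})")
            continue
        # Any group/other permission bit exposes the decryption key to other accounts.
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            mode = stat.S_IMODE(st.st_mode)
            findings.append(f"{path}: mode {mode:04o} exposes the key to group/other")
        # Assumption: the key is PEM-encoded; pointing at the certificate is a common mix-up.
        if "PRIVATE KEY-----" not in head:
            findings.append(f"{path}: no PEM private-key header found")
    return findings

if __name__ == "__main__":
    for finding in audit_private_key_path(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against the deployed module configuration before starting the agent; an empty result means the path is absolute, readable, owner-only and looks like a private key.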
Development demo setup leverages the default OpenSIPS rootCA.