7

Is there some environment variable that works how SSLKEYLOGFILE works for NSS-reliant programs but which would apply to all outgoing TLS / SSL connections on a Linux server and not just ones that use NSS?

Specifically I want to do a tcpdump of the traffic from the exim daemon to all foreign hosts to try to debug an issue and I need to be able to decrypt it afterwards.

In case it's helpful, running ldd /usr/sbin/exim lists the following libraries (among others of course).

libssl.so.10
libcrypto.so.10
sa289
  • 317
  • 3
  • 11

1 Answers1

8

The NSS SSL Keylog file is a non-obtrusive way to extract SSL session keys from an application using the NSS library for SSL/TLS, but there is no standard way to do the same in all applications. (A generic approach would involve a man in the middle attack, but this is not really non-obtrusive.)

The idea of the extracting session keys directly from the application is more widely applicable though. libssl.so suggests that OpenSSL is in use on a (likely) Linux platform. You can either use use LD_PRELOAD to interpose the OpenSSL library (may not work in all cases) or attach a debugger with appropriate breakpoints. Both approaches are documented and explored further in Extract pre-master keys from an OpenSSL application.

As an additional tip for troubleshooting, while Wireshark 1.12 is able to decrypt the TLS application data (and Follow SSL stream can be used to look at the communication), it does not dissect the SMTP traffic which occurs after a STARTTLS handshake (SMTPS is unaffected). In Wireshark 2.0 (tentative release date in November 2015, pre-release versions are available) the SMTP protocol is correctly recognized after STARTTLS.

Lekensteyn
  • 5,958
  • 5
  • 38
  • 62