@alex-tomin
Created September 12, 2023 02:15
How to Debug TLS/SSL session for ESP8266 (WiFiClientSecure) with Wireshark

Check this link for ESP32

Modify WiFiClientSecureBearSSL.h to write secrets

If you develop via PlatformIO you can find the file at C:\Users\<user>\.platformio\packages\framework-arduinoespressif8266\libraries\ESP8266WiFi\src\WiFiClientSecureBearSSL.h. If you are using VSCode, it can navigate to the sources nicely.

  1. Move *_eng declaration to public section for WiFiClientSecureCtx class
class WiFiClientSecureCtx : public WiFiClient {
  public:
  /// ....
+   br_ssl_engine_context *_eng; // &_sc->eng, to allow for client or server contexts
  protected:
    bool _connectSSL(const char *hostName); // Do initial SSL handshake

  private:
    void _clear();
    void _clearAuthenticationSettings();
    // Only one of the following two should ever be != nullptr!
    std::shared_ptr<br_ssl_client_context> _sc;
    std::shared_ptr<br_ssl_server_context> _sc_svr;
-   br_ssl_engine_context *_eng; // &_sc->eng, to allow for client or server contexts
    inline bool ctx_present() {
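Review bot: moving `_eng` into the public section turns a writable engine pointer into part of the class interface, which is more than the logging hook needs. A narrower change would leave the `_eng` member where it is in the private section and add a public read-only accessor instead, e.g. `const br_ssl_engine_context *engine() const { return _eng; }`, so that `LogSecret()` can still read `client_random` and `session.master_secret` without the pointer being exposed for modification.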
  2. Add a LogSecret() method to the second class (WiFiClientSecure)

```cpp
class WiFiClientSecure : public WiFiClient {
  // ....
  public:
    // Print the current session's secrets in SSLKEYLOGFILE (NSS key log) format:
    // CLIENT_RANDOM <32-byte client random, hex> <48-byte master secret, hex>
    void LogSecret() {
      // _ctx is the private WiFiClientSecureCtx of this client; _eng was made public above.
      // The secrets only exist once the handshake has completed, so bail out if there is no engine.
      if (!_ctx || !_ctx->_eng) {
        Serial.println("LogSecret: no TLS session");
        return;
      }
      br_ssl_engine_context *eng = _ctx->_eng;

      Serial.println("   ------SSLKEYLOGFILE Format------------  ");
      Serial.print("CLIENT_RANDOM ");
      for (size_t i = 0; i < 32; i++) {
        Serial.printf("%02x", eng->client_random[i]);
      }

      Serial.print(" ");
      for (size_t i = 0; i < 48; i++) { // master secret has a fixed length of 48 bytes
        Serial.printf("%02x", eng->session.master_secret[i]);
      }
      Serial.println(); // terminate the line so it can be pasted into the key log file as-is
    }
  // .... rest of the class unchanged
};
```

  3. Update your code to write the secrets.

```cpp
  const char *mqtt_server = "azuregrid.ts.eventgrid.azure.net"; // update your server and port
  WiFiClientSecure wifiClient; // the class we extended with LogSecret()

  ////    and later in code

  wifiClient.setCACert(ca_pem);
  wifiClient.setCertificate(certPem); // client certificate, for client verification
  wifiClient.setPrivateKey(keyPem);   // client private key (keyPem: your key PEM, not the certificate), for client verification

  // The TLS handshake happens inside connect(); the secrets are only valid after it succeeded
  if (!wifiClient.connect(mqtt_server, 8883)) {
    Serial.println("TLS connect failed");
    return;
  }

  // Call the method we just added
  wifiClient.LogSecret();
```
  4. Example output:

```text
CLIENT_RANDOM 0000000ae1c960a3d7fc36d064dcb83edf8acf26768d8fc5fd8d1004dd096478 8aed96f7b6f0c7a54682c216a36a088e888e655873e407ab43de5f559c10a53684706feb5da86f711a764038196785fa
```
Capture and decrypt in Wireshark

  1. Use the Mobile hotspot feature in Windows (so Wireshark can capture the traffic) and configure your ESP8266 to connect to that Wi-Fi network.
  2. To decrypt, add the CLIENT_RANDOM line from the serial logs to secretlog.txt.
  3. Add this file in Wireshark:
    • Edit -> Preferences -> Protocols -> TLS -> (Pre)-Master-Secret log filename.
  4. Also set Edit -> Preferences -> Protocols -> TCP:
    • Allow subdissector to reassemble TCP streams, and Reassemble out-of-order segments (available since Wireshark 3.0, disabled by default).
  5. (optional) Import the client certificate into Wireshark: Edit -> Preferences -> RSA Keys, then use "Add new keyfile" in that dialog.
  6. Start capturing in Wireshark and then start your ESP to sniff the traffic.
    • Note: each new session logs another CLIENT_RANDOM line, which you need to add manually to the secrets file.
    • You may need to change the file name in the Wireshark settings and then change it back for the values to reload (Wireshark reloads the file automatically when a new session appears, but it won't find the relevant entries until they have been copied into the file manually).
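Step 2 and the note under step 6 copy each CLIENT_RANDOM line by hand. As an added host-side helper (not part of the gist), the Python below scans captured serial output for well-formed key log entries and appends only the ones not yet in the key log file; the file name secretlog.txt and the sample serial text are constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# One NSS key log entry as printed by LogSecret(): a 32-byte client random and a
# 48-byte TLS 1.2 master secret, hex-encoded. A regex rather than a line split is used
# because LogSecret() in the gist prints no trailing newline, so the next serial
# message can be glued onto the end of the entry.
CLIENT_RANDOM_RE = re.compile(r"CLIENT_RANDOM\s+([0-9a-fA-F]{64})\s+([0-9a-fA-F]{96})")

def extract_keylog_lines(serial_text):
    """Return well-formed, de-duplicated key log lines found in captured serial output."""
    seen, lines = set(), []
    for m in CLIENT_RANDOM_RE.finditer(serial_text):
        line = f"CLIENT_RANDOM {m.group(1).lower()} {m.group(2).lower()}"
        if line not in seen:
            seen.add(line)
            lines.append(line)
    return lines

def append_to_keylog(serial_text, keylog_path):
    """Append entries not already in the key log file (Wireshark re-reads it); return how many were added."""
    path = Path(keylog_path)
    existing = set(path.read_text().splitlines()) if path.exists() else set()
    new = [l for l in extract_keylog_lines(serial_text) if l not in existing]
    if new:
        with path.open("a") as f:
            f.write("".join(l + "\n" for l in new))
    return len(new)

# Constructed serial output: the gist's example entry with the next log message glued on,
# the same session printed a second time, and a truncated entry that must be ignored.
SAMPLE_SERIAL = (
    "   ------SSLKEYLOGFILE Format------------  \n"
    "CLIENT_RANDOM 0000000ae1c960a3d7fc36d064dcb83edf8acf26768d8fc5fd8d1004dd096478 "
    "8aed96f7b6f0c7a54682c216a36a088e888e655873e407ab43de5f559c10a53684706feb5da86f711a764038196785fa"
    "Connected to MQTT broker\n"
    "CLIENT_RANDOM 0000000ae1c960a3d7fc36d064dcb83edf8acf26768d8fc5fd8d1004dd096478 "
    "8aed96f7b6f0c7a54682c216a36a088e888e655873e407ab43de5f559c10a53684706feb5da86f711a764038196785fa\n"
    "CLIENT_RANDOM 0000000ae1c960a3d7fc36d064dcb83edf8acf26 8aed96f7b6f0c7a5\n"
)

def demo(serial_text=SAMPLE_SERIAL):
    """Feed the sample into a temporary secretlog.txt twice; returns (added on 1st run, added on 2nd run)."""
    with tempfile.TemporaryDirectory() as d:
        keylog = Path(d) / "secretlog.txt"
        return append_to_keylog(serial_text, keylog), append_to_keylog(serial_text, keylog)
```

For live use, pass the saved serial monitor output (or sys.stdin.read()) to append_to_keylog together with the path configured in Wireshark under (Pre)-Master-Secret log filename.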

Links

This blog post helped me a lot: https://adrianalin.gitlab.io/popsblog.me/posts/decrypt-mqtt-tls-traffic/
