Intro #
SSL services are increasingly critical, and we need to ensure that we are using newer TLS protocol versions and secure ciphers. But in real life, where our services have different types of clients on different kinds of devices, we also need to ensure that those clients can still connect to our secured services.
So it can be useful to identify which clients are connecting (or trying to connect) to our SSL services. For that, you can use the tool tcpdump on a load balancer or any Linux server.
Executing tcpdump with SSL filter #
The command tcpdump on the load balancer or Linux server allows filtering by TCP header fields, so we have to match the bytes of the SSL record version number, whose offset is computed from the TCP header length stored in the 12th byte of the TCP header (tcp[12]). Also, since the version bytes sit at different positions for SSLv2, SSLv3, TLS1.0 and TLS1.1, a combination of several filters has to be used:
root@noid-ee-01:~$ tcpdump -i any -n "(((tcp[((tcp[12] & 0xf0) >> 2)] = 0x14) || (tcp[((tcp[12] & 0xf0) >> 2)] = 0x15) || (tcp[((tcp[12] & 0xf0) >> 2)] = 0x17)) && (tcp[((tcp[12] & 0xf0) >> 2)+1] = 0x03 && (tcp[((tcp[12] & 0xf0) >> 2)+2] < 0x03))) || (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16) && (tcp[((tcp[12] & 0xf0) >> 2)+1] = 0x03) && (tcp[((tcp[12] & 0xf0) >> 2)+9] = 0x03) && (tcp[((tcp[12] & 0xf0) >> 2)+10] < 0x03) || (((tcp[((tcp[12] & 0xf0) >> 2)] < 0x14) || (tcp[((tcp[12] & 0xf0) >> 2)] > 0x18)) && (tcp[((tcp[12] & 0xf0) >> 2)+3] = 0x00) && (tcp[((tcp[12] & 0xf0) >> 2)+4] = 0x02))"
The command will keep running until it is cancelled manually with Ctrl+C.
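To make the three branches of that filter easier to read and to try offline, here is an added example (not from the original article) that applies the same byte checks in Python to constructed TLS and SSLv2 payloads; the sample records, client addresses and function names are assumptions for illustration.

```python
# Added example, not code from the original article: the byte checks the
# tcpdump filter above performs, reimplemented over a TCP payload so each
# branch can be read and tested. Offsets are relative to the first byte after
# the TCP header, the byte tcpdump addresses as tcp[((tcp[12] & 0xf0) >> 2)].

LEGACY_MINOR = {0x00: "SSLv3", 0x01: "TLS1.0", 0x02: "TLS1.1"}

def legacy_version(payload: bytes):
    """Return the legacy protocol the filter would match, or None."""
    if len(payload) < 5:
        return None
    rtype, vmaj, vmin = payload[0], payload[1], payload[2]
    # Branch 1: ChangeCipherSpec/Alert/ApplicationData records carry the
    # negotiated version in the record header; 0x03 0x00..0x02 is legacy.
    if rtype in (0x14, 0x15, 0x17) and vmaj == 0x03 and vmin < 0x03:
        return LEGACY_MINOR[vmin]
    # Branch 2: Handshake records often carry 3.1 in the record header even
    # for TLS1.2, so the filter reads the version inside the handshake message
    # (5-byte record header + 4-byte handshake header -> offsets 9 and 10).
    if rtype == 0x16 and vmaj == 0x03:
        if len(payload) >= 11 and payload[9] == 0x03 and payload[10] < 0x03:
            return LEGACY_MINOR[payload[10]]
        return None
    # Branch 3: SSLv2 records start with a length byte (high bit set), so the
    # first byte is outside the TLS record-type range; with a 2-byte header
    # the message type is at [2] and the version 0x0002 at [3:5].
    if (rtype < 0x14 or rtype > 0x18) and payload[3:5] == b"\x00\x02":
        return "SSLv2"
    return None

def legacy_clients(segments):
    """Map client IP -> first legacy protocol seen, like the tcpdump output."""
    found = {}
    for client_ip, payload in segments:
        proto = legacy_version(payload)
        if proto is not None:
            found.setdefault(client_ip, proto)
    return found

# Constructed sample payloads (only the leading bytes of the TCP data).
SAMPLE_SEGMENTS = [
    ("192.168.56.1", bytes.fromhex("160301002f0100002b0301") + b"\0" * 10),  # TLS1.0 ClientHello
    ("192.168.56.2", bytes.fromhex("160301002f0100002b0303") + b"\0" * 10),  # TLS1.2 hello, 3.1 record hdr
    ("192.168.56.3", bytes.fromhex("802e0100020018")),                       # SSLv2 ClientHello
    ("192.168.56.4", bytes.fromhex("1703030020") + b"\0" * 8),               # TLS1.2 application data
    ("192.168.56.5", bytes.fromhex("1503020002") + b"\x02\x28"),             # TLS1.1 alert
]
```

Calling `legacy_clients(SAMPLE_SEGMENTS)` flags only the TLS1.0, SSLv2 and TLS1.1 clients, while the TLS1.2 segments pass through untouched, exactly as the tcpdump filter would.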
Testing the SSL filter #
To test an SSL connection against a server with a certain SSL protocol version, you can use openssl on the client side, as shown below with a successful connection.
client:~$ openssl s_client -connect 192.168.56.10:443 -tls1
CONNECTED(00000003)
[...]
---
Certificate chain
[...]
---
Server certificate
-----BEGIN CERTIFICATE-----
MIID8DCCAtigAwIBAgIJAJ22cPNVcSZYMA0GCSqGSIb3DQEBCwUAMIGMMQswCQYD
VQQGEwJFUzEOMAwGA1UECAwFU3BhaW4xDjAMBgNVBAcMBVNwYWluMRMwEQYDVQQK
DApaZXZlbmV0IFNMMRswGQYDVQQLDBJUZWxlY29tbXVuaWNhdGlvbnMxCjAIBgNV
[...]
Change the server and port to the ones desired. You can also replace the parameter -tls1 with the protocol version you want to test.
Interpreting the results #
On the server side, you'll see something like this:
root@noid-ee-01:~$ tcpdump [...]
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
12:20:46.984131 IP 192.168.56.1.58286 > 192.168.56.10.444: Flags [P.], seq 1580373103:1580373207, ack 4195613909, win 502, length 104
12:20:46.988648 IP 192.168.56.10.444 > 192.168.56.1.58286: Flags [P.], seq 1:1414, ack 104, win 29, length 1413
[...]
The client with IP address 192.168.56.1 is detected as making an insecure connection to the service 192.168.56.10.444 on the server.