Ted Middleton Ted Middleton - 3 months ago 13
C Question

How do I extract the pre-master secret using an OpenSSL-based client?

I have an application I'm making that uses OpenSSL 1.0.2 and I'd like to examine the traffic with Wireshark. Wireshark can (allegedly) decrypt TLS conversations provided you give it the pre-master secret.

If I'm using a cipher suite like

TLS_RSA_WITH_AES_256_CBC_SHA256
; can anyone tell me how to get the pre-master secret out of an
SSL
or
SSL_CTX
struct? I'm OK with hacking opaque structures within the
SSL
object - this isn't for anything that would ship in a product; I just want to know how to populate a pre-master secret file for Wireshark.

Answer

I recommend using the master key, which is easier to get at. To the best of my knowledge the pre-master key only exists ephemerally on the stack in OpenSSL. The master key is available in ssl_session_st (defined in ssl.h in the 1.0.2 branch but moved to ssl_locl.h in a later version). The SSL member variable session is a pointer to its ssl_session_st (aka SSL_SESSION).

Wireshark can use the master key as well as the pre-master key to decrypt connections. Here are the formats that Wireshark supports as of this writing:

  • RSA xxxx yyyy Where xxxx are the first 8 bytes of the encrypted pre-master secret (hex-encoded) Where yyyy is the cleartext pre-master secret (hex-encoded) (this is the original format introduced with bug 4349)

  • RSA Session-ID:xxxx Master-Key:yyyy Where xxxx is the SSL session ID (hex-encoded) Where yyyy is the cleartext master secret (hex-encoded) (added to support openssl s_client Master-Key output) This is somewhat is a misnomer because there's nothing RSA specific about this.

  • PMS_CLIENT_RANDOM xxxx yyyy Where xxxx is the client_random from the ClientHello (hex-encoded) Where yyyy is the cleartext pre-master secret (hex-encoded) (This format allows SSL connections to be decrypted, if a user can capture the PMS but could not recover the MS for a specific session with a SSL Server.)

  • CLIENT_RANDOM xxxx yyyy Where xxxx is the client_random from the ClientHello (hex-encoded) Where yyyy is the cleartext master secret (hex-encoded) (This format allows non-RSA SSL connections to be decrypted, i.e. ECDHE-RSA.)

Note that neither the pre-master key nor the master key is the symmetric key (your question title implies that you may think it is). The symmetric key is derived from the master key and client/server random data.