qpid-users mailing list archives

From Jakub Scholz <ja...@scholz.cz>
Subject Re: AW: AMQP blog
Date Sun, 30 Aug 2015 21:03:12 GMT
The problem is that very often one doesn't have the server key - for
example because the server is operated by another party. I also believe
that the decoding would not work with one of the new modern cipher suites
with forward secrecy even when you have the server key. If really needed, I
don't think it would be that complicated to set up a proxy to terminate the
SSL part of the connection before it reaches the client and dump the
traffic unencrypted there - but that is not that secure anymore. Luckily,
the frame tracing built into most clients is often enough to solve the
problems.

Jakub

On Fri, Aug 28, 2015 at 4:43 PM, Paolo Patierno <ppatierno@live.com> wrote:

> With Wireshark you are able to decrypt SSL traffic if you have the server
> private key in the PEM format (Base64 encoded).
>
> Following my current scenario ...
>
> I created a self signed CA certificate (just for testing) and a server
> certificate signed with the previous CA certificate. I have the sample AMQP
> test broker available with AMQP .Net Lite library up and running that
> accepts traffic on port 5671 using the above server certificate. With my
> client (using AMQP .Net Lite) I'm able to send encrypted messages to the
> broker.
>
> Last step is to use my self generated (with openssl) server private key to
> decrypt this traffic inside Wireshark.
>
> I'm blocked on this step because when I try to add my RSA private key in
> the related list, Wireshark warns me that a dissector for the amqp protocol
> isn't available and shows me all the available dissectors (spdy as TCP on
> 443 and so on ...).
> I asked a question on Wireshark forum to add amqp as available dissector
> to decrypt traffic. It's very strange because Wireshark is already able to
> decode clear AMQP traffic on port 5672.
>
> However, if you have the private key you are able to decode SSL traffic using
> Wireshark. This feature is available in Fiddler too (in that case only for
> HTTPS traffic).
>
> Paolo
>
> Sent from my Windows Phone
> ________________________________
> From: aconway<mailto:aconway@redhat.com>
> Sent: ‎28/‎08/‎2015 14:31
> To: users@qpid.apache.org<mailto:users@qpid.apache.org>
> Subject: Re: AW: AMQP blog
>
> On Fri, 2015-08-28 at 06:46 +0000, Aschenbrenner, Erik wrote:
> > Hi Paolo, hi Chuck!
> >
> >
> > Nice to see some other AMQP experts here on the user list.
> >
> > In your blogs you deal with Wireshark to trace and dissect AMQP
> > traffic. Did you ever try to dissect encrypted AMQP traffic with
> > Wireshark? Because in real world AMQP traffic may be encrypted (at
> > least in the one real world application I'm working on). In the
> > Wireshark forum
> > (https://ask.wireshark.org/questions/43961/amqp-10-traffic-not-dissected-with-wireshark-1126)
> > the creator of the AMQP dissector for Wireshark said that there is no
> > way to decode encrypted traffic in Wireshark. Maybe this would be an
> > idea for another blog post to find out if this is true ;-)
> >
>
> This is not a problem specific to AMQP. The point of encryption is to
> make it impossible to read the encrypted data, wireshark can't do
> anything to get around that.
>
> It is a "layered" problem - for example the TCP headers of an encrypted
> SSL connection are not themselves encrypted otherwise they couldn't be
> routed. So wireshark can show you that there are TCP packets with SSL
> encrypted contents, but can't show you the content.
>
> All the Qpid tools use SSL or SASL to create a fully encrypted "tunnel"
> through which AMQP traffic passes. There's no way for wireshark to see
> inside this tunnel. An application could encrypt just the message
> contents and leave the AMQP protocol in the clear but I don't think
> that is common practice.
>
>
> > Regards,
> > Erik
> >
> > -----Original Message-----
> > From: Paolo Patierno [mailto:ppatierno@live.com]
> > Sent: Friday, 28 August 2015 08:27
> > To: users@qpid.apache.org
> > Subject: RE: AMQP blog
> >
> > Hi Chuck,
> > nice and very useful article !
> > Articles like these help people to understand better AMQP
> > specification.
> >
> > I'd like to add my three part series of "AMQP type system explained
> > by examples". I used AMQP .Net Lite too.
> >
> > https://paolopatierno.wordpress.com/2015/07/20/amqp-protocol-the-builtin-type-system-by-examples/
> >
> > https://paolopatierno.wordpress.com/2015/07/23/amqp-on-the-wire-messages-content-framing/
> >
> > https://paolopatierno.wordpress.com/2015/07/24/amqp-message-accepted-encoding-on-the-wire/
> >
> > Thanks,
> > Paolo
> >
> >
> > Sent from my Windows Phone
> > ________________________________
> > From: Chuck Rolke<mailto:crolke@redhat.com>
> > Sent: ‎27/‎08/‎2015 23:36
> > To: users@qpid.apache.org<mailto:users@qpid.apache.org>
> > Subject: AMQP blog
> >
> > I've got a blog series going and I've just posted "AMQP Illustrated",
> > an article that might be of interest here.
> > Please see
> > https://chugrolke.wordpress.com/2015/08/27/amqp-illustrated/
> >
> > To date my series of blogs has been focused on the Apache ActiveMQ
> > AMQP broker and Microsoft AMQP.Net Lite client, neither of which is
> > under the Qpid umbrella. AMQP Illustrated is different. It dissects a
> > simple HelloWorld example and explains the AMQP activity that happens
> > over the wire. The illustration part is a web page with loads of AMQP
> > smarts that helps you see what's going on at a high level and still
> > easily drills down into the details.
> >
> > I have a github project https://github.com/ChugR/Adverb that contains
> > the network-trace-to-web-page logic. Check it out and let me know if
> > it is useful for you.
> >
> > -Chuck
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
> > For additional commands, e-mail: users-help@qpid.apache.org
> >
> > --
> > icubic AG
> > Mittelstraße 10
> > 39114 Magdeburg
> > Germany
> >
> > Tel.: +49 391 59 80 9-0
> > Fax: +49 391 59 80 9-99
> >
> > info@icubic.de
> > www.icubic.de
> > Vorstandsvorsitzender/ Chairman of the Board: Dietmar Jakal
> > Vorstand/ Board of Directors: Dietmar Jakal, Andreas Nold, Jürgen
> > Pfister
> > Aufsichtsratsvorsitzender/ Chairman of the Supervisory Board: Dr.
> > Holger von Daniels
> > Handelsregister/ Commercial Register: Amtsgericht/Local Court
> > Stendal: HRB: 111420
> >
>
>
