I may be able to wrangle an agreement to install ssldump. 
Life will be easier if I can get it done with tcpdump.

The goal is to capture the SSL handshake packets and then 
check for which devices are not using approved cipher suites.

A "make my life really easy" solution would spit out the IP address
of the server and the cipher suite agreed on with the client.

Though in our case both entities are servers or load balancers;
it's not a client in the end-user sense.


On Thu, Feb 25, 2016 at 07:43:56PM -0800, Martin A. Brown wrote:
> 
> Hi there,
> 
> > I have a group of systems that I need to monitor for use of 
> > approved SSL cipher suites. Wireshark is not available on them. 
> > tcpdump is the tool I need to use.
> 
> > Do you know, or know someone who would know, how to construct a 
> > tcpdump filter that matches only packets for the SSL handshake?
> >
> > Due to the volume of traffic on the systems I cannot capture 
> > everything and filter later.
> >
> > The most useful hint found so far is at: 
> > http://serverfault.com/questions/574405/tcpdump-server-hello-certificate-filter
> 
> I'll take a stab at your question from a slightly different angle.  
> 
> Rather than trying to get the BPF just right for something that is a 
> few layers higher in the stack (and requires some stream 
> reassembly logic), perhaps you could try a tool that operates on the 
> stream.
> 
> I know you mentioned that wireshark was not available.  Are you able 
> to install software on these systems?  If so, then you may find that 
> the ssldump program [0] provides you output detail that is closer to 
> your desired question.
> 
> I have never used ssldump in production, but it seems a handy little 
> tool:
> 
>   ssldump  -i "${INTERFACE}" -P
> 
> The -i specifies interface.  The -P says, don't get promiscuous. 
> Hopefully it is in your upstream distribution.  I find it in the 
> stock repositories for both OpenSUSE-13.2 and Ubuntu-14.04.3.
> 
> Need to capture the textual output?  Use tee, maybe?
> 
> Die, RC4, die [1].
> 
> -Martin
> 
>  [0] http://ssldump.sourceforge.net/
>  [1] https://tools.ietf.org/html/rfc7465
> 
> -- 
> Martin A. Brown
> http://linux-ip.net/
> 

-- 
      Michael Rasmussen, Portland Oregon  
    Be Appropriate && Follow Your Curiosity
The weak can never forgive. Forgiveness is the attribute of the strong. 
    ~ Mahatma Gandhi 
_______________________________________________
PLUG mailing list
PLUG@lists.pdxlinux.org
http://lists.pdxlinux.org/mailman/listinfo/plug
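An added example (mine, not code from either message in the thread) for the second half of the problem: once tcpdump has captured the ServerHello segments, something still has to read the cipher suite out of them. The script below keeps the BPF expression from the serverfault thread as a string, parses the TLS record and handshake headers of a captured TCP payload to pull out the negotiated suite, and reports server IP, suite name and whether the suite is on an approved list. The port (443), the approved-suite set and the sample ServerHello records are assumptions and constructed data, not anything from a real capture.

```python
"""Pull the negotiated cipher suite out of TLS ServerHello records and flag
servers whose choice is not on an approved list.

Added example, not code from the thread.  It works on the raw TCP payload of
a ServerHello segment, which is what the BPF filter below captures; the
approved-suite set and the port are assumptions to adjust for your policy."""
import struct

# tcpdump filter: TLS record type 0x16 (handshake) whose first handshake
# message is type 0x02 (ServerHello).  (tcp[12] & 0xf0) >> 2 is the TCP
# header length in bytes, so the index lands on the first payload byte.
# Only matches a ServerHello that starts a segment, which is the common case.
BPF_SERVER_HELLO = (
    "tcp port 443"                                       # assumed port
    " and (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16)"
    " and (tcp[((tcp[12] & 0xf0) >> 2)+5] = 0x02)"
)

# IANA cipher suite identifiers (subset).
SUITE_NAMES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
}
# Assumed policy: forward-secret AEAD suites only.
APPROVED = {0xC02B, 0xC02C, 0xC02F, 0xC030, 0x1301}


def parse_server_hello(payload):
    """Return {"version", "cipher_suite", "compression"} from a TCP payload
    that begins with a TLS handshake record carrying a ServerHello."""
    if len(payload) < 5 or payload[0] != 0x16:
        raise ValueError("payload does not start with a TLS handshake record")
    rec_len = struct.unpack("!H", payload[3:5])[0]
    hs = payload[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("first handshake message is not a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len or hs_len < 38:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", body[0:2])[0]
    sid_len = body[34]                      # 2 bytes version + 32 bytes random
    off = 35 + sid_len
    if len(body) < off + 3:
        raise ValueError("truncated ServerHello")
    cipher_suite = struct.unpack("!H", body[off:off + 2])[0]
    compression = body[off + 2]
    # TLS 1.3 keeps legacy_version = 0x0303 and puts the real version in the
    # supported_versions extension (type 0x002B), so walk the extensions.
    ext_off = off + 3
    if len(body) >= ext_off + 2:
        ext_len = struct.unpack("!H", body[ext_off:ext_off + 2])[0]
        exts = body[ext_off + 2:ext_off + 2 + ext_len]
        p = 0
        while p + 4 <= len(exts):
            etype, elen = struct.unpack("!HH", exts[p:p + 4])
            if etype == 0x002B and elen == 2:
                version = struct.unpack("!H", exts[p + 4:p + 6])[0]
            p += 4 + elen
    return {"version": version, "cipher_suite": cipher_suite,
            "compression": compression}


def audit(server_ip, payload, approved=APPROVED):
    """Return (server_ip, suite_name, approved?) for one captured ServerHello."""
    suite = parse_server_hello(payload)["cipher_suite"]
    return (server_ip, SUITE_NAMES.get(suite, "0x%04X" % suite), suite in approved)


def build_server_hello(cipher_suite, version=0x0303, extensions=b""):
    """Construct a ServerHello record for testing (sample data, not a capture)."""
    body = (struct.pack("!H", version) + b"\x42" * 32 + b"\x00"   # empty session id
            + struct.pack("!H", cipher_suite) + b"\x00")          # null compression
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    # Constructed sample: two load balancers, one still negotiating RC4.
    samples = [("10.1.2.3", build_server_hello(0xC02F)),
               ("10.1.2.4", build_server_hello(0x0005))]
    print("capture with: tcpdump -nn -s 0 -w hello.pcap '%s'" % BPF_SERVER_HELLO)
    for ip, payload in samples:
        ip, name, ok = audit(ip, payload)
        print("%-15s %-45s %s" % (ip, name, "ok" if ok else "NOT APPROVED"))
```

Two caveats worth keeping in mind. The BPF expression only fires when the ServerHello is the first byte of a TCP segment, so a server that packs it behind something else in the same segment, or that speaks on a port other than the one in the filter, is missed rather than flagged. And the script takes TCP payloads, not a pcap file; pulling the payload of each captured segment out of the pcap (with a pcap library, or tcpdump -x and a little hex handling) is the remaining glue, and the suite-name table above is only a subset of the IANA registry, so unknown suites print as their hex identifier.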
