Hey Calvin,

Did you have to do anything special with OpenSSL and/or Kamailio to
get LD_PRELOAD to work and send the keys to voipmonitor?

I can see the env vars are loaded correctly, but I don't see any keys being
sent to the sniffer on port 1234 udp.

root@csbc03:~# ps -fe | grep kamailio
kamailio 2209068       1  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209069 2209068  0 16:33 ?        00:00:03 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209070 2209068  0 16:33 ?        00:00:03 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209071 2209068  0 16:33 ?        00:00:02 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209072 2209068  0 16:33 ?        00:00:03 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209073 2209068  0 16:33 ?        00:00:03 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209074 2209068  0 16:33 ?        00:00:03 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209075 2209068  0 16:33 ?        00:00:03 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209076 2209068  0 16:33 ?        00:00:03 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209077 2209068  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209078 2209068  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209080 2209068  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209082 2209068  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209083 2209068  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209084 2209068  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209086 2209068  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209087 2209068  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209088 2209068  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209089 2209068  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209090 2209068  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209091 2209068  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209092 2209068  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209093 2209068  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209094 2209068  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209095 2209068  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209096 2209068  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209097 2209068  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209098 2209068  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209099 2209068  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209100 2209068  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209101 2209068  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209102 2209068  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209103 2209068  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209104 2209068  0 16:33 ?        00:00:01 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209105 2209068  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209106 2209068  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209107 2209068  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209108 2209068  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209109 2209068  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209110 2209068  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209111 2209068  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209112 2209068  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209113 2209068  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209114 2209068  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209115 2209068  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209116 2209068  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209117 2209068  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209118 2209068  4 16:33 ?        00:00:15 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209119 2209068  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209120 2209068  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209121 2209068  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209122 2209068  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209123 2209068  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209124 2209068  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209125 2209068  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209126 2209068  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209127 2209068  0 16:33 ?        00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
root     2210501 2210460  0 16:38 pts/0    00:00:00 grep kamailio
root@csbc03:~#

root@csbc03:~# cat /proc/2209068/environ
LANG=en_US.UTF-8PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binPIDFILE=/run/kamailio/kamailio.pidHOME=/run/kamailioLOGNAME=kamailioUSER=kamailioINVOCATION_ID=2ac0a49bba664c4fbe6c0f5fa7948e4eJOURNAL_STREAM=8:1641955621RUNTIME_DIRECTORY=/run/kamailioCFGFILE=/etc/kamailio/csbc.cfgSHM_MEMORY=512PKG_MEMORY=32RUN_KAMAILIO=yesGROUP=kamailioDUMP_CORE=yesSSLKEYLOG_UDP=10.2.1.19:1234LD_PRELOAD=/opt/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so
/usr/lib/x86_64-linux-gnu/libssl.so.1.1
root@csbc03:~#

I tested using the command in voipmonitor docs and that seems to be ok:

root@csbc03:~# env SSLKEYLOG_UDP='10.2.1.19:1234'
LD_PRELOAD="/opt/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so" openssl

 * SSL KEYLOG : OK detect pointer to function SSL_new : 0x7f10d6adbd30
 * SSL KEYLOG : OK detect pointer to function SSL_CTX_set_keylog_callback :
0x7f10d6adcf00
 * SSL KEYLOG : log to : 10.2.1.19:1234
OpenSSL> quit
root@csbc03:~#

Does anyone have any tips on how to troubleshoot this? I know this might
not be directly related to Kamailio...

Thanks,
Joel.

On Wed, Feb 28, 2024 at 11:10 AM Joel Serrano <j...@textplus.com> wrote:

> I think your plan makes total sense.
>
> Thank you for the insight.
>
> Joel.
>
> On Tue, Feb 27, 2024 at 9:28 AM Calvin E. <calv...@gmail.com> wrote:
>
>> We've been using the siptrace module with Homer to do SIP-only captures,
>> but decided to use a different approach for VoIPmonitor as it affects more
>> than just Kamailio. We're also capturing dozens of FreeSWITCH and rtpengine
>> hosts, which are all using LD_PRELOAD to log their SIP TLS and SRTP DH
>> session keys. We wanted Kamailio and the other components to focus on their
>> real jobs (calling) and let a separate process handle the capturing. This
>> gives us insight/control over any load added by the capturing, and allows
>> us to see things closer to the network perspective rather than the
>> application. It's easy to add the VoIPmonitor sniffer to any host without
>> needing each application to natively support capturing.
>>
>> I'm sure the siptrace module would have similar results, it's just not
>> part of the "homogenous deployment" approach we're taking with this project.
>>
>> On Tue, Feb 27, 2024 at 1:29 AM Joel Serrano via sr-users <
>> sr-users@lists.kamailio.org> wrote:
>>
>>> Calvin,
>>>
>>> Voipmonitor-sniffer has support for Kamailio’s ‘siptrace’ module, but
>>> this is useful if your goal is to capture SIP over TLS traffic, I’m not
>>> sure if that is the reason you have been asked to capture the DH session
>>> keys…
>>>
>>> If that's the case, any reason you went with LD_PRELOAD method vs
>>> kamailio’s siptrace module? Using the latter you still get the sip traffic
>>> without the need of messing with OpenSSL.
>>>
>>> Mind sharing your findings?
>>>
>>> Joel.
>>>
>>>
>>>
>>> On Tue, Feb 27, 2024 at 00:18 Bastian Triller via sr-users <
>>> sr-users@lists.kamailio.org> wrote:
>>>
>>>> Some weeks ago I learned about [1]. Didn't play with it yet though.
>>>>
>>>>
>>>> [1]
>>>> https://medium.com/@yunwei356/ebpf-practical-tutorial-capturing-ssl-tls-plain-text-using-uprobe-fccb010cfd64
>>>>
>>>> On Tue, Feb 27, 2024, 02:08 Calvin E. via sr-users <
>>>> sr-users@lists.kamailio.org> wrote:
>>>>
>>>>> This was done using the system-provided OpenSSL (Debian 12). It might
>>>>> work for tlsa, but I don't know how Kamailio would respond to LD_PRELOAD
>>>>> affecting one of its own modules.
>>>>>
>>>>> If you're curious how it works, the code is here:
>>>>> https://github.com/voipmonitor/sniffer/blob/master/tools/ssl_keylogger/sslkeylog.cpp
>>>>>
>>>>> On Fri, Feb 2, 2024 at 1:23 AM Ihor Olkhovskyi via sr-users <
>>>>> sr-users@lists.kamailio.org> wrote:
>>>>>
>>>>>> Calvin,
>>>>>>
>>>>>> Thanks for sharing this, just a question, do you use system-provided
>>>>>> OpenSSL or tlsa ?
>>>>>>
>>>>>> Le mar. 30 janv. 2024 à 03:00, Calvin E. via sr-users <
>>>>>> sr-users@lists.kamailio.org> a écrit :
>>>>>>
>>>>>>> It turns out the system I was on really
>>>>>>> uses /lib/systemd/system/kamailio.service, despite /etc/init.d/kamailio
>>>>>>> also existing.
>>>>>>>
>>>>>>> I was able to make it work by following the Systemd process:
>>>>>>>
>>>>>>> mkdir /etc/default/kamailio.d/
>>>>>>> edit /etc/default/kamailio.d/voipmonitor
>>>>>>> add lines:
>>>>>>> SSLKEYLOG_UDP='127.0.0.1:1234'
>>>>>>> LD_PRELOAD="/usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so
>>>>>>> /usr/lib/x86_64-linux-gnu/libssl.so.3"
>>>>>>>
>>>>>>> The keys are captured by the VoIPmonitor sniffer and everything
>>>>>>> works as expected from there. I'd be happy to explain further to anyone
>>>>>>> interested in this setup.
>>>>>>>
>>>>>>> On Sun, Jan 28, 2024 at 3:20 AM Sergey Safarov <s.safa...@gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> You can check this PR
>>>>>>>> https://github.com/kamailio/kamailio/pull/2785
>>>>>>>>
>>>>>>>> On Fri, Jan 26, 2024 at 8:58 PM Calvin E. via sr-users <
>>>>>>>> sr-users@lists.kamailio.org> wrote:
>>>>>>>>
>>>>>>>>> I've been tasked to use LD_PRELOAD to log SSL keys for TLS
>>>>>>>>> connections using a Diffie-Hellman cipher. The first attempt did not
>>>>>>>>> work, so I wanted to sanity check whether Kamailio's TLS support is
>>>>>>>>> built in such a way that would defeat LD_PRELOAD.
>>>>>>>>>
>>>>>>>>> The instructions from the vendor are to update
>>>>>>>>> /etc/init.d/kamailio like this:
>>>>>>>>>
>>>>>>>>> env SSLKEYLOG_UDP='127.0.0.1:1234'
>>>>>>>>> LD_PRELOAD="/usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so
>>>>>>>>> /usr/lib/x86_64-linux-gnu/libssl.so.3" \
>>>>>>>>>     start-stop-daemon --start --quiet --pidfile $PIDFILE \
>>>>>>>>>                 --exec $DAEMON -- $OPTIONS || log_failure_msg "
>>>>>>>>> already running"
>>>>>>>>>
>>>>>>>>> Is there anything special in Kamailio (5.7.3 on Debian 12) that
>>>>>>>>> would prevent this from working? Not necessarily something to defeat a
>>>>>>>>> keylogger, but maybe the way tls.so gets loaded?
>>>>>>>>>
>>>>>>>>> The only discrepancy I've noticed is the vendor docs refer
>>>>>>>>> to libssl.so.3 not libssl.so.1, but the vendor said that should be OK.
>>>>>>>>>
>>>>>>>>> I'd love to hear from someone already using VoIPmonitor
>>>>>>>>> with Diffie-Hellman ciphers and Kamailio.
>>>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Best regards,
>>>>>> Ihor (Igor)
>>