Menu
I'm writing a desktop application and wish to give users ability to verify network traffic, so they know they are not being abused. My application establishes a TLS connection to servers using .NET's SslStream with the AuthenticateAsClient method. Wireshark users can decode TLS traffic using NSS key logs. I can see that both Firefox and Chrome have options to logging encryption keys. How can I do the same in my .NET application? i.e. How can I extract the session key from SslStream, programatically?
298
As of this writing, there is no way of doing that with dotnet's SslStream. Here's how to export the session keys using BouncyCastle:
internal static class BouncyCastleTls
{
public static Stream WrapWithTls(Stream stream)
{
var client = new MyTlsClient();
var tlsClientProtocol = new TlsClientProtocol(stream, new SecureRandom());
tlsClientProtocol.Connect(client);
return tlsClientProtocol.Stream;
}
}
internal sealed class MyTlsClient : DefaultTlsClient
{
public override TlsAuthentication GetAuthentication()
{
return new MyTlsAuthentication();
}
public override void NotifyHandshakeComplete()
{
var clientRandom = mContext.SecurityParameters.ClientRandom;
var masterSecret = mContext.SecurityParameters.MasterSecret;
Console.WriteLine("CLIENT_RANDOM {0} {1}", ToHex(clientRandom), ToHex(masterSecret));
}
private static string ToHex(byte[] bytes)
{
var sb = new StringBuilder(bytes.Length * 2);
for (var i = 0; i < bytes.Length; ++i)
sb.Append($"{bytes[i]:x2}");
return sb.ToString();
}
}
internal sealed class MyTlsAuthentication : TlsAuthentication
{
public void NotifyServerCertificate(Certificate serverCertificate)
{
}
public TlsCredentials GetClientCredentials(CertificateRequest certificateRequest)
{
return null;
}
}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With