Re: [389-users] Decrypting SSL for 389-ds

Gerrard Geldenhuis <Gerrard.Geldenhuis@xxxxxxxxxxx> · Fri, 12 Nov 2010 16:21:50 +0000

Hi David,
I created a new certificate datase with certutil, and I can view the private key fingerprints with certutil -d . -K but I can’t actually extract the private key from the certutil database. I can create a certificate sign request using certutil again. I thus have the private key but it is “hidden” from me.

Regards

From: 389-users-bounces@xxxxxxxxxxxxxxxxxxxxxxx [mailto:389-users-bounces@xxxxxxxxxxxxxxxxxxxxxxx] On Behalf Of David Boreham
Sent: 12 November 2010 16:04
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Decrypting SSL for 389-ds

On 11/12/2010 8:59 AM, Gerrard Geldenhuis wrote: 
I am trying to decrypt SSL traffic capture with tcpdump in wireshark. A quick google turned up a page that said the NSS utils does not allow you to expose your private key. Is there different way or howto that anyone can share to help decrypt SSL encrypted traffic for 389?

I think you're confused about the private key : you had to have had the private key in order to configure it in the server.
So find the file, and feed that to Wireshark. Note that WS can not currently decrypt certain ciphers (and it won't simply tell you that it can't -- instead you waste days of your time before the penny drops). Hopefully your client is not negotiating one of those.

________________________________________________________________________

In order to protect our email recipients, Betfair Group use SkyScan from 

MessageLabs to scan all Incoming and Outgoing mail for viruses.

________________________________________________________________________

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users