
Need to Decipher SSL Packets Using DNA 12.4

genesius_jarom1
Organizer

Hello,

I opened a ticket with support for the following issue.

We use TTA 12.x(?), but it does not support SSL decryption of captured packets from a PC running IE 11. We upgraded to DNA 12.4, but still have the same issue.

Here is the problem. We have a major application that several agencies use. Many, not all users, are experiencing FAEs (fatal application errors) when they use certain functions of this application. The application uses SSL/TLS from the PC to the front end web server. Using AppVantage agent on one of the PCs having issues, we captured packets. However, because of the SSL/TLS, we have only TCP packets (unencrypted SSL). I added SSL keys to the TTA; set BDC to Yes on the AppVantage agent install; and enabled the Compuware InceptorEventHandler Class in IE's Manage Add-ons. The traffic remained encrypted. TTA's BDC (Browser Data Collector agent) does not work with IE 11.

We upgraded to DNA 12.4, but I was told the following by Compuware tech support.

NOTE: Compuware was helpful; however, DNA 12.4 does not support IE 11 and BDC. I am asking the DCRUM user community for possible work-arounds.

===================================

I’m afraid we don’t have IE 11 support for BDC capture (it is a known
issue) and the upgrade to the latest TTA/DNA version available won’t
help much. There were some improvements in the range of SSL key formats
recognized by DNA, but that is likely not the case.

To use BDC, please downgrade Internet Explorer to version 10. It is
possible that disabling TLS 1.2 in IE 11 could help as well, but it is
outside of our testing regime. You can disable TLS 1.2 at Internet
Options > Advanced > Security > Use TLS 1.2.

Additional considerations:

  • make sure Protected Mode/Enhanced Protected Mode are disabled before running capture with BDC
  • Third-party browser extensions must be enabled
  • SSL server address/port/key path must be set before importing the
    trace (URLs are decrypted at import time); please double-check
    server/port correctness; make sure DNA has permissions to read the key
    (can access the file)
  • BDC only works with 32-bit versions of Internet Explorer (IE 64-bit is rather uncommon, though)

Please share a Thread Analysis view screen for the trace if the decryption still won't work.

===================================

The BDC browser plugin was never designed to run in the 64-bit IE as
it hadn't been available or recommended back then, so it won't likely
even show up in the installed plugins list.

A major BDC engine upgrade has been considered for years, but since
Microsoft is already planning to drop support for IE and replace it with
another browser (Edge) with a different plugin architecture, the
decision has not been made so far.

As I mentioned, you could try to disable TLS 1.2 in IE 11 and see if
decryption works. The decryption failure is most likely due to IE 11
enhancements to TLS 1.2, and not IE 11 itself. All the other
requirements must also be met, such as the Enhanced Protected Mode etc. I
am going to test BDC with IE 11 in our lab, but that will take some
more time.

===================================

Just thinking. Is it possible to "generate" traffic, using the capture I
have from the IE 11 PC, and pump it through the AMD and decrypt the
packet there? I have a question. If the AMD decrypts SSL/TLS, why can't DNA? Or is the AMD decrypting only SRC/DST IPs, MACs, etc., but not the application payload?

Is anyone having these same issues? If so, how have you resolved them?

Thanks and God bless,

Genesius

PS I have to run to another issue, so if you need any clarification, please feel free to ask.

2 REPLIES

ulf_thornander3
Inactive

That was a long post 🙂

Have you tried using Wireshark?

https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/

If you succeed you can then export the traffic unencrypted to see it in your favourite packet tool (TTA)

genesius_jarom1
Organizer

Thanks @ulf thornander

I saw this site the other day and only did a quick read through, looking to see if it worked with IE.

"has (someone) figured out how to decrypt SSL traffic from IE or Windows."

I am going to check out the suggested tools: SSLSpoof, SSLSplit, mitmproxy, or Fiddler.

Thanks and God bless,

Genesius