Hey Calvin,
Did you have to do anything special with OpenSSL and/or Kamailio to
get LD_PRELOAD to work and send the keys to voipmonitor?
I can see the env vars are set correctly in the Kamailio process environment,
but I don't see any keys being sent to the sniffer on UDP port 1234.
root@csbc03:~# ps -fe | grep kamailio
kamailio 2209068 1 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209069 2209068 0 16:33 ? 00:00:03 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209070 2209068 0 16:33 ? 00:00:03 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209071 2209068 0 16:33 ? 00:00:02 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209072 2209068 0 16:33 ? 00:00:03 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209073 2209068 0 16:33 ? 00:00:03 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209074 2209068 0 16:33 ? 00:00:03 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209075 2209068 0 16:33 ? 00:00:03 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209076 2209068 0 16:33 ? 00:00:03 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209077 2209068 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209078 2209068 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209080 2209068 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209082 2209068 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209083 2209068 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209084 2209068 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209086 2209068 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209087 2209068 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209088 2209068 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209089 2209068 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209090 2209068 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209091 2209068 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209092 2209068 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209093 2209068 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209094 2209068 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209095 2209068 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209096 2209068 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209097 2209068 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209098 2209068 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209099 2209068 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209100 2209068 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209101 2209068 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209102 2209068 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209103 2209068 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209104 2209068 0 16:33 ? 00:00:01 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209105 2209068 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209106 2209068 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209107 2209068 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209108 2209068 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209109 2209068 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209110 2209068 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209111 2209068 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209112 2209068 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209113 2209068 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209114 2209068 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209115 2209068 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209116 2209068 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209117 2209068 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209118 2209068 4 16:33 ? 00:00:15 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209119 2209068 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209120 2209068 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209121 2209068 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209122 2209068 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209123 2209068 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209124 2209068 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209125 2209068 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209126 2209068 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
kamailio 2209127 2209068 0 16:33 ? 00:00:00 /usr/sbin/kamailio -P
/run/kamailio/kamailio.pid -f /etc/kamailio/csbc.cfg -m 512 -M 32
--atexit=no
root 2210501 2210460 0 16:38 pts/0 00:00:00 grep kamailio
root@csbc03:~#
root@csbc03:~# cat /proc/2209068/environ
LANG=en_US.UTF-8PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binPIDFILE=/run/kamailio/kamailio.pidHOME=/run/kamailioLOGNAME=kamailioUSER=kamailioINVOCATION_ID=2ac0a49bba664c4fbe6c0f5fa7948e4eJOURNAL_STREAM=8:1641955621RUNTIME_DIRECTORY=/run/kamailioCFGFILE=/etc/kamailio/csbc.cfgSHM_MEMORY=512PKG_MEMORY=32RUN_KAMAILIO=yesGROUP=kamailioDUMP_CORE=yesSSLKEYLOG_UDP=10.2.1.19:1234LD_PRELOAD=/opt/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so
/usr/lib/x86_64-linux-gnu/libssl.so.1.1
root@csbc03:~#
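I tested using the command from the voipmonitor docs, and that seems to be OK: the preload library loads into the openssl binary, finds SSL_new and SSL_CTX_set_keylog_callback, and reports the UDP log target: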
root@csbc03:~# env SSLKEYLOG_UDP='10.2.1.19:1234'
LD_PRELOAD="/opt/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so" openssl
* SSL KEYLOG : OK detect pointer to function SSL_new : 0x7f10d6adbd30
* SSL KEYLOG : OK detect pointer to function SSL_CTX_set_keylog_callback :
0x7f10d6adcf00
* SSL KEYLOG : log to : 10.2.1.19:1234
OpenSSL> quit
root@csbc03:~#
Does anyone have any tips on how to troubleshoot this? I know this might
not be directly related to Kamailio...
Thanks,
Joel.
On Wed, Feb 28, 2024 at 11:10 AM Joel Serrano <joel(a)textplus.com> wrote:
I think your plan makes total sense.
Thank you for the insight.
Joel.
On Tue, Feb 27, 2024 at 9:28 AM Calvin E. <calvine(a)gmail.com> wrote:
> We've been using the siptrace module with Homer to do SIP-only captures,
> but decided to use a different approach for VoIPmonitor as it affects more
> than just Kamailio. We're also capturing dozens of FreeSWITCH and rtpengine
> hosts, which are all using LD_PRELOAD to log their SIP TLS and SRTP DH
> session keys. We wanted Kamailio and the other components to focus on their
> real jobs (calling) and let a separate process handle the capturing. This
> gives us insight/control over any load added by the capturing, and allows
> us to see things closer to the network perspective rather than the
> application. It's easy to add the VoIPmonitor sniffer to any host without
> needing each application to natively support capturing.
>
> I'm sure the siptrace module would have similar results; it's just not
> part of the "homogeneous deployment" approach we're taking with this
> project.
>
> On Tue, Feb 27, 2024 at 1:29 AM Joel Serrano via sr-users <
> sr-users(a)lists.kamailio.org> wrote:
>
>> Calvin,
>>
>> Voipmonitor-sniffer has support for Kamailio’s ‘siptrace’ module, which
>> is useful if your goal is to capture SIP over TLS traffic; I’m not
>> sure if that is the reason you have been asked to capture the DH session
>> keys…
>>
>> If that's the case, any reason you went with the LD_PRELOAD method vs
>> Kamailio’s siptrace module? Using the latter, you still get the SIP traffic
>> without needing to mess with OpenSSL.
>>
>> Mind sharing your findings?
>>
>> Joel.
>>
>>
>>
>> On Tue, Feb 27, 2024 at 00:18 Bastian Triller via sr-users <
>> sr-users(a)lists.kamailio.org> wrote:
>>
>>> Some weeks ago I learned about [1]. Didn't play with it yet though.
>>>
>>>
>>> [1]
>>>
https://medium.com/@yunwei356/ebpf-practical-tutorial-capturing-ssl-tls-pla…
>>>
>>> On Tue, Feb 27, 2024, 02:08 Calvin E. via sr-users <
>>> sr-users(a)lists.kamailio.org> wrote:
>>>
>>>> This was done using the system-provided OpenSSL (Debian 12). It might
>>>> work for tlsa, but I don't know how Kamailio would respond to LD_PRELOAD
>>>> affecting one of its own modules.
>>>>
>>>> If you're curious how it works, the code is here:
>>>>
https://github.com/voipmonitor/sniffer/blob/master/tools/ssl_keylogger/sslk…
>>>>
>>>> On Fri, Feb 2, 2024 at 1:23 AM Ihor Olkhovskyi via sr-users <
>>>> sr-users(a)lists.kamailio.org> wrote:
>>>>
>>>>> Calvin,
>>>>>
>>>>> Thanks for sharing this, just a question, do you use system-provided
>>>>> OpenSSL or tlsa ?
>>>>>
>>>>> Le mar. 30 janv. 2024 à 03:00, Calvin E. via sr-users <
>>>>> sr-users(a)lists.kamailio.org> a écrit :
>>>>>
>>>>>> It turns out the system I was on really
>>>>>> uses /lib/systemd/system/kamailio.service, despite /etc/init.d/kamailio
>>>>>> also existing.
>>>>>>
>>>>>> I was able to make it work by following the Systemd process:
>>>>>>
>>>>>> mkdir /etc/default/kamailio.d/
>>>>>> edit /etc/default/kamailio.d/voipmonitor
>>>>>> add lines:
>>>>>> SSLKEYLOG_UDP='127.0.0.1:1234'
>>>>>>
LD_PRELOAD="/usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so
>>>>>> /usr/lib/x86_64-linux-gnu/libssl.so.3"
>>>>>>
>>>>>> The keys are captured by the VoIPmonitor sniffer and everything
>>>>>> works as expected from there. I'd be happy to explain further to anyone
>>>>>> interested in this setup.
>>>>>>
>>>>>> On Sun, Jan 28, 2024 at 3:20 AM Sergey Safarov
<s.safarov(a)gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> You can check this PR
>>>>>>>
https://github.com/kamailio/kamailio/pull/2785
>>>>>>>
>>>>>>> On Fri, Jan 26, 2024 at 8:58 PM Calvin E. via sr-users <
>>>>>>> sr-users(a)lists.kamailio.org> wrote:
>>>>>>>
>>>>>>>> I've been tasked to use LD_PRELOAD to log SSL keys for TLS
>>>>>>>> connections using a Diffie-Hellman cipher. The first attempt did not work,
>>>>>>>> so I wanted to sanity check whether Kamailio's TLS support is built in such
>>>>>>>> a way that would defeat LD_PRELOAD.
>>>>>>>>
>>>>>>>> The instructions from the vendor are to update
>>>>>>>> /etc/init.d/kamailio like this:
>>>>>>>>
>>>>>>>> env SSLKEYLOG_UDP='127.0.0.1:1234'
>>>>>>>>
LD_PRELOAD="/usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so
>>>>>>>> /usr/lib/x86_64-linux-gnu/libssl.so.3" \
>>>>>>>> start-stop-daemon --start --quiet --pidfile $PIDFILE
\
>>>>>>>> --exec $DAEMON -- $OPTIONS ||
log_failure_msg "
>>>>>>>> already running"
>>>>>>>>
>>>>>>>> Is there anything special in Kamailio (5.7.3 on Debian 12) that
>>>>>>>> would prevent this from working? Not necessarily something to defeat a
>>>>>>>> keylogger, but maybe the way tls.so gets loaded?
>>>>>>>>
>>>>>>>> The only discrepancy I've noticed is the vendor docs refer
>>>>>>>> to libssl.so.3 not libssl.so.1, but the vendor said that should be OK.
>>>>>>>>
>>>>>>>> I'd love to hear from someone already using VoIPmonitor
>>>>>>>> with Diffie-Hellman ciphers and Kamailio.
>>>>>>>>
>>>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Best regards,
>>>>> Ihor (Igor)