Analyzing MSMQ over HTTPS traffic using WireShark - not seeing POST

Developer https://www.devze.com 2023-03-15 15:32 Source: Internet
I am troubleshooting an issue where MSMQ messages are stuck in an outbound queue (queue saying Waiting to Connect). In order to troubleshoot I am running WireShark to see exactly what is being pushed over the network interface.

I have run a WireShark trace and what I see seems to be a full SSLV3 handshake (generated from local MSMQ trying to connect to the server):

Client->Server - Client Hello

Server->Client - Server Hello

Client->Server - Client Key Exchange, Change Cipher Spec

Server->Client - Change Cipher Spec, Encrypted Handshake

After these messages I was expecting to see a POST message with the client trying to push a message to the server, and some sort of response from the server but there is nothing. All I see between the client and server after the last Change Cipher Spec is a set of [ACK] and [SYN] messages before the next SSLV3 handshake. The specific messages are:

Client->Server - TCP - [FIN, ACK]

Server->Client - TCP - [ACK]

Server->Client - TCP - [FIN, ACK]

Client->Server - TCP - [ACK]

Client->Server - TCP - [SYN]

Server->Client - TCP - [SYN]

Client->Server - TCP - [ACK]

Then the handshake is repeated.

Should I not expect to see a POST message after the handshake? I know that MSMQ does an HTTP POST of the MSMQ messages when sent over HTTP so I was expecting this to show up as application data after the handshake.

Do I need to somehow configure WireShark to see these since it is over HTTPS?

Thanks


It's not clear from your question whether you've followed the documentation to decipher SSL using Wireshark (otherwise, you'll see the packets, but won't be able to look into their content). Note that to achieve this, you need the server's private key to be available to Wireshark, otherwise anyone could decipher the SSL/TLS connection (and protecting against that is exactly the point of using SSL/TLS).

In addition, you may need to force your tools to use cipher suites that are considered less robust nowadays. Modern browsers, for example, tend to use Ephemeral Diffie-Hellman (DHE) cipher suites (unless explicitly configured not to). Wireshark won't be able to decipher an SSL connection that uses such a cipher suite.
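As an added illustration of the answer above (not part of the original answers), this Python example reads the cipher suite the server selected in its ServerHello and reports whether decryption with the server's private key can apply. The suite table is a small subset of the IANA registry, the ECDHE entry extends the DHE point to the other ephemeral key exchange, and the ServerHello bytes are constructed for the demo rather than taken from a capture.

```python
import struct

# Subset of IANA cipher suite IDs -> (name, key exchange).
SUITES = {
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", "RSA"),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "RSA"),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x0016: ("TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", "DHE"),
    0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE"),
    0x0039: ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "DHE"),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE"),
}

def selected_suite(record: bytes) -> int:
    """Return the cipher suite ID chosen in a ServerHello TLS record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    # Content type 0x16 = handshake, handshake type 0x02 = ServerHello.
    if ctype != 0x16 or len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello handshake record")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    # server_version(2) + random(32), then a length-prefixed session_id.
    if len(hello) < 35:
        raise ValueError("truncated ServerHello")
    off = 35 + hello[34]
    if len(hello) < off + 2:
        raise ValueError("truncated ServerHello")
    return int.from_bytes(hello[off:off + 2], "big")

def key_file_decrypts(suite_id: int) -> bool:
    """True only when the pre-master secret is RSA-encrypted to the server key."""
    return SUITES.get(suite_id, ("unknown", "unknown"))[1] == "RSA"

def build_server_hello(suite_id: int, session_id: bytes = b"") -> bytes:
    """Constructed SSLv3 ServerHello record for the demo (not a real capture)."""
    hello = b"\x03\x00" + bytes(32) + bytes([len(session_id)]) + session_id
    hello += suite_id.to_bytes(2, "big") + b"\x00"  # null compression
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x00" + len(hs).to_bytes(2, "big") + hs

if __name__ == "__main__":
    for sid in (0x0035, 0x0039):
        chosen = selected_suite(build_server_hello(sid, b"\xaa" * 32))
        print(SUITES[chosen][0], "-> key file decrypts:", key_file_decrypts(chosen))
```

With a real trace, the same field is shown in Wireshark's packet details for the Server Hello message as the selected cipher suite.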


The whole point of SSL encryption is that information sent over the wire is encrypted, therefore, not visible. Personally, I would be very concerned if you could packet sniff SSL traffic. You may be able to configure Wireshark to show more information over SSL than you are currently seeing, but you will never see the actual contents, such as POST.
