How to enable TLS? #267

Open
cpyyyyyyyyy opened this issue Dec 21, 2023 · 9 comments
Comments

@cpyyyyyyyyy

I have modified nrf.yaml as follows, and then the NRF produces the following log [sbi] INFO: nghttp2_server() [https://172.22.0.12]:7777. I would like to know how to change the configuration of other NFs because currently, none of my NFs can register with the NRF.

logger:
    file: /open5gs/install/var/log/open5gs/nrf.log

sbi:
    server:
      no_tls: false
      key: /open5gs/install/etc/open5gs/tls/nrf.key
      cert: /open5gs/install/etc/open5gs/tls/nrf.crt  
    client:
      no_tls: true

parameter:

nrf:
    sbi:
      - addr: NRF_IP
        port: 7777

Thank you!

@herlesupreeth
Owner

Hmmm.. I have yet to adapt to the latest open5gs release (v.2.7.0), which underwent a lot of changes in configuration. Will let you know once I add support for enabling TLS.

@cpyyyyyyyyy
Author

Thank you! I'm using v2.6.6 now, if you have any suggestions you can provide them too! Thanks!!

@cpyyyyyyyyy
Author

Hi! I changed the scheme to https successfully. However, where can I find the sslkey.log to decrypt TLS packet? Thanks!!

@herlesupreeth
Owner

> I changed the scheme to https successfully. However, where can I find the sslkey.log to decrypt TLS packet?

I am not sure which sslkey.log you are referring to.

@cpyyyyyyyyy
Author

> > I changed the scheme to https successfully. However, where can I find the sslkey.log to decrypt TLS packet?
>
> I am not sure which sslkey.log you are referring to.

I want to decrypt TLS to HTTP/2 packets in Wireshark, so I need to put the current generated "sslkey.log" in the (Pre)-Master-Secret log filename. Or is there another way to decrypt TLS packets?

@herlesupreeth
Owner

Rather than that, I believe you would have to provide the .key file in the entry below

image

The key you have to provide there is the one you mentioned in the configuration file

key: /open5gs/install/etc/open5gs/tls/nrf.key

@cpyyyyyyyyy
Author

I tried it. However, the TLS packets weren't decrypted into HTTP/2 packets. I think the reason is that the cipher suite is TLS_AES_256_GCM_SHA384, as shown in the figure. It needs a session key instead of a private key like free5GC.

upload

But I didn't find anything about the session key (e.g. sslkey.log). Please tell me if you have any suggestions. Thanks!!
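
Added example, not part of the original thread and not Open5GS code: a small Python check of an NSS-format key log file (the `sslkey.log` asked about above) that reports whether it holds the secrets for a given ClientHello random. It goes beyond the case in the thread by covering TLS 1.2 entries as well as TLS 1.3 suites such as TLS_AES_256_GCM_SHA384; the function names and the sample data are constructed for illustration.

```python
import re

# Labels of the NSS key log format (Wireshark's "(Pre)-Master-Secret log filename").
TLS12_LABEL = "CLIENT_RANDOM"
TLS13_LABELS = (
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
)
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ((?:[0-9a-fA-F]{2})+)$")


def parse_keylog(text):
    """Return {client_random_hex: {label: secret_bytes}}; skip comments and junk."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:  # comment, blank and malformed lines simply do not match
            label, client_random, secret = m.groups()
            sessions.setdefault(client_random.lower(), {})[label] = bytes.fromhex(secret)
    return sessions


def coverage(sessions, client_random, tls13_secret_len=48):
    """Report whether the log holds the secrets for one ClientHello random.

    tls13_secret_len=48 is the SHA-384 size used by TLS_AES_256_GCM_SHA384."""
    labels = sessions.get(client_random.lower(), {})
    if TLS12_LABEL in labels:
        # A TLS 1.2 master secret is always 48 bytes.
        return {"version": "tls1.2", "usable": len(labels[TLS12_LABEL]) == 48, "missing": []}
    if not any(name in labels for name in TLS13_LABELS):
        return {"version": None, "usable": False, "missing": list(TLS13_LABELS)}
    missing = [n for n in TLS13_LABELS if len(labels.get(n, b"")) != tls13_secret_len]
    return {"version": "tls1.3", "usable": not missing, "missing": missing}


# Constructed sample, not real key material: session A is complete,
# session B has only one of the four TLS 1.3 secrets.
CR_A, CR_B = "aa" * 32, "bb" * 32
SAMPLE = "\n".join(
    ["# constructed key log", "not a key log line"]
    + [f"{name} {CR_A} {'11' * 48}" for name in TLS13_LABELS]
    + [f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR_B} {'22' * 48}"])

if __name__ == "__main__":
    for cr in (CR_A, CR_B, "cc" * 32):
        print(cr[:8], coverage(parse_keylog(SAMPLE), cr))
```

The client random to pass in is the Random field of the ClientHello in the capture, as 64 hex characters.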

@herlesupreeth
Owner

Here is a perfect article about how to decrypt TLS traffic - https://support.citrix.com/article/CTX135889/how-to-export-and-use-ssl-session-keys-to-decrypt-ssl-traces-without-sharing-the-ssl-private-key

Hope it helps

@cpyyyyyyyyy
Author

It doesn't work, but I found the solution.
In the RSA keys list, put in the private key, then right-click on the client hello packet and select Decode As to add the TCP port as shown in the figure.

upload

Then you can decrypt the TLS packet into an HTTP/2 packet.

Thank you for your help!!!
