Thursday, January 15, 2026

Decrypting SSL/TLS Traffic with Wireshark and ProxySQL


In this guide, we’ll walk you through the process of decrypting SSL/TLS traffic to and from ProxySQL using Wireshark. By enabling the SSLKEYLOG feature in ProxySQL and configuring Wireshark to use the SSL key log file, you will be able to view the decrypted traffic for debugging and analysis purposes.

Prerequisites

Before we begin, make sure you have the following:

  • ProxySQL installed and running.
  • Wireshark installed on your machine.

Enabling SSLKEYLOG in ProxySQL

You can enable the SSLKEYLOG feature in ProxySQL either by modifying the configuration file or through runtime queries.

Enabling SSLKEYLOG through Configuration File

  1. Open the ProxySQL configuration file (typically proxysql.cnf) in a text editor.

  2. Add or modify the following line to enable SSLKEYLOG support:

    admin-ssl_keylog_file = 
    

    Replace ‘’ with the absolute path or relative path (see Understanding Absolute and Relative Paths) where you want to store the SSL key log file. If you want to disable the SSLKEYLOG feature, leave this variable empty.

  3. Save the configuration file and restart ProxySQL for the changes to take effect.

Enabling SSLKEYLOG through Runtime Queries

  1. Connect to the ProxySQL administration interface using your preferred MySQL client.

  2. Execute the following runtime query to enable the SSLKEYLOG feature:

    SET admin-ssl_keylog_file="";
    LOAD ADMIN VARIABLES TO RUNTIME;
    
  3. Replace ‘’ with the absolute path or relative path (see Understanding Absolute and Relative Paths) where you want to store the SSL key log file. If you want to disable the SSLKEYLOG feature, set the value to an empty string.

Capturing and Decrypting SSL/TLS Traffic

Capturing SSL/TLS Traffic

  1. Open Wireshark on your machine.
  2. Start a new capture in Wireshark by clicking on the Capture > Options button (or press ‘Ctrl + K’).
  3. In the capture options, select the network interface where ProxySQL’s traffic flows through and click Start.
  4. Perform the actions that generate SSL/TLS traffic to and from ProxySQL that you want to decrypt (e.g., sending a query to the backend server).
  5. Once you have captured the desired traffic, stop the capture in Wireshark.
  6. In the Wireshark main window, you should see the captured packets.

Decrypting SSL/TLS Traffic

To decrypt the SSL/TLS traffic, Wireshark will use the SSL key log file generated by ProxySQL.

  1. Go to Edit > Preferences (or press ‘Ctrl + Shift + P’).
  2. In the Preferences window, select Protocols > TLS.
  3. Click on the (Pre)-Master-Secret log filename browse button.
  4. In the file dialog, navigate to the location where you specified the SSL key log file in ProxySQL’s configuration or runtime query.
  5. Select the SSL key log file and click Open.
  6. Click OK to close the Preferences window.


Analyzing Decrypted Traffic

Now that you’ve successfully decrypted the SSL/TLS traffic, you can analyze it in Wireshark:

Decrypting SSL/TLS Traffic

  1. Select a packet that contains SSL/TLS traffic.
  2. Expand the Transport Layer Security section in the packet details.
  3. You should see decrypted information such as Client Hello, Server Hello, Application Data, etc.
  4. Analyze the decrypted information to troubleshoot issues or gather insights about the SSL/TLS communication.


Decoding SSL/TLS Traffic as MySQL Protocol

  1. Select a packet that contains SSL/TLS traffic.
  2. Right-click on the packet and choose Decode As.
  3. In the Decode As dialog, select the + button.
  4. In the Current column, locate the row with the TCP protocol and the appropriate source or destination port (e.g., 13306 for MySQL).
  5. In the Decode As column, select MySQL from the dropdown menu.
  6. Click OK to apply the decoding changes.
  7. Wireshark will now interpret the selected packets as MySQL traffic, allowing you to view the decrypted MySQL protocol information.
  8. Expand the Transport Layer Security section in the packet details.
  9. You should see decrypted information such as Client Hello, Server Hello, Application Data, etc., along with the MySQL protocol-specific details.
  10. Analyze the decrypted information to troubleshoot issues or gather insights about the MySQL communication.


Congratulations! You’ve successfully configured Wireshark to decrypt SSL/TLS traffic to and from ProxySQL using the SSLKEYLOG feature. This allows you to gain deeper visibility into the encrypted traffic for debugging and analysis purposes.

Understanding Absolute and Relative Paths

When specifying the ‘admin-ssl_keylog_file’ variable, you have two options:

  • Absolute Path: If you provide an absolute path, ProxySQL will use that exact path to create the SSL key log file. For example: ‘/var/log/sslkeylog.txt’
  • Relative Path: If you provide a relative path, ProxySQL will automatically convert it to an absolute path by prefixing it with the ProxySQL data directory path. For example: ‘sslkeylog.txt’ will be converted to ‘/sslkeylog.txt’. The ‘’ represents the ProxySQL data directory path, which is usually set in the ProxySQL configuration.
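
An added example (not ProxySQL's own code) for the key log file configured above and the path rule in this section: it resolves an ‘admin-ssl_keylog_file’ value against a data directory, counts the TLS sessions the file holds secrets for, and flags a file that group or other users can access, since the file contains session secrets. It assumes the NSS key log line format that Wireshark's (Pre)-Master-Secret log setting reads; the function names, the temporary data directory and the sample lines are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Labels from the NSS key log format (TLS 1.2 and TLS 1.3); assumed file format.
SECRET_LABELS = {
    "CLIENT_RANDOM", "CLIENT_EARLY_TRAFFIC_SECRET", "EARLY_EXPORTER_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
}
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ((?:[0-9a-fA-F]{2})+)$")


def resolve_keylog_path(value, datadir):
    """Relative values are prefixed with the data directory; absolute ones are kept."""
    return value if os.path.isabs(value) else os.path.join(datadir, value)


def audit_keylog(path):
    """Return (session_count, bad_line_numbers, too_open) for a key log file."""
    too_open = bool(os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO))
    sessions, bad_lines = set(), []
    with open(path, encoding="ascii", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            m = LINE_RE.match(line)
            if m and m.group(1) in SECRET_LABELS:
                sessions.add(m.group(2).lower())  # client random identifies the session
            else:
                bad_lines.append(lineno)  # report the position only, never the secret
    return len(sessions), bad_lines, too_open


def demo():
    """Audit a constructed key log (dummy hex values, not real secrets)."""
    cr1, cr2 = "11" * 32, "22" * 32
    sample = (f"CLIENT_RANDOM {cr1} {'aa' * 48}\n"
              f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {cr2} {'bb' * 32}\n"
              "CLIENT_RANDOM truncated-line\n")
    with tempfile.TemporaryDirectory() as datadir:  # stands in for the data directory
        path = resolve_keylog_path("sslkeylog.txt", datadir)
        with open(path, "w") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)  # deliberately too permissive, so the audit flags it
        return audit_keylog(path)
```

A session count of zero after generating traffic means the key log is not being written to the path Wireshark was pointed at; a `too_open` result of `True` is a reason to tighten the file mode to owner-only.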
