none
Message Analyzer decrypting LDAPS traffic? RRS feed

  • Question

  • Hello,

    I've used Message Analyzer in the past to decrypt HTTPS traffic after importing the certificate used by the web server and it was a tremendous improvement over Netmon & NMDecrypt.    I'm looking at a trace I took of LDAPS traffic (TCP.port==636) and the traffic after the SSL handshake Message Analyzer is not decrypting the traffic.   

    Is the decryption sub-routines in Message Analyzer only supposed to work with HTTPS traffic, or should we be expecting to see success on LDAPS traffic as well?

    Thank you,

    John

    Tuesday, August 8, 2017 10:11 PM

All replies

  • Dragging this one up. I'm having the same issue. I have it all set up, but the decryption table just says "The cipher suite is unsupported."  I've tried several cipher suites, including non-PFS suites (like TLS_RSA_WITH_RC4_128_MD5) and all I get is that error. The connections themselves work.
    Tuesday, April 2, 2019 1:46 PM
  • Hello Jordan,

    The function GetSelectedCipherSuiteInfo in "\Program Files\Microsoft Message Analyzer\OPNAndConfiguration\OPNs\CoreNetworking\TLS.opn" determines the supported cipher suites (this is a plain text source file containing Open Protocol Notation information); .opn files can be viewed in Message Analyzer with syntax highlighting (and in NotePad too).

    The message "The cipher suite is unsupported" is displayed if this function returns null. The supported cipher suites (excluding null cipher suites) are:

    TLS_RSA_WITH_RC4_128_MD5

    TLS_RSA_WITH_RC4_128_SHA

    TLS_RSA_WITH_3DES_EDE_CBC_SHA

    TLS_RSA_WITH_AES_128_CBC_SHA

    TLS_RSA_WITH_AES_256_CBC_SHA

    TLS_RSA_WITH_AES_128_CBC_SHA256

    TLS_RSA_WITH_AES_256_CBC_SHA256

    If your connection did negotiate TLS_RSA_WITH_AES_256_CBC_SHA256, can you make the trace file available so that we can investigate this?

    If the LDAP library that is being used is the Microsoft implementation (Wldap32.dll), then it would be easier to use the Microsoft-Windows-LDAP-Client ETW provider to capture the LDAP exchanges. Atypically for an ETW provider, an registry entry is needed to get the most detailed trace (the KB article describing the process is no longer available; in short a key with the executable name should be created under HKLM\System\CurrentControlSet\Services\ldap\tracing\, for example HKLM\System\CurrentControlSet\Services\ldap\tracing\ldp.exe).

    Depending on the authentication mechanism used by the LDAP connection and the parameters negotiated, the LDAP data might be encrypted twice: once with TLS because of the use of LDAPS and once with SASL. Even in this case, the ETW trace would show the LDAP plaintext.

    Gary


    Wednesday, April 3, 2019 10:22 AM
  • Thanks for the quick reply. I just saw it - it may not have sent a notification since you did not quote a post of mine.

    I will try to re-create the failure to capture and share the trace file.

    Friday, August 30, 2019 4:37 PM