Sometimes I want to see what Candlepin is really doing, so I use Wireshark to sniff the packets. With just the default settings, this isn’t too useful because everything is encrypted; however, Wireshark can dissect SSL and show you the HTTP underneath.
WARNING: Decrypting SSL/TLS traffic that is using a cipher suite with Diffie-Hellman Ephemeral key exchange will not work.[1] If your decryption isn’t working, go to the ServerHello section of the traffic and look at the Cipher Suite. If it has the string DHE in it, you’re using Diffie-Hellman Ephemeral. You need to either change the cipher suites supported by the server (the SSLCipherSuite directive in Apache2, or the Connector element in Tomcat’s server.xml) or set the client to not tell the server that it supports any DHE suites. Keep in mind that deploying Candlepin recreates the server.xml file using this Python script: server/bin/update-server-xml.py.
Here’s how:
Install wireshark and add yourself to the wireshark group so you don’t have to run it as root all the time.
$ sudo yum install wireshark-gnome
$ sudo usermod -a -G wireshark `whoami`
Log in to the new group (so you don’t have to log out and back in again).
$ newgrp wireshark
Make sure you’re in the group.
$ groups
... wireshark ...
Go to Edit -> Preferences. Click Protocols. Go to SSL. Enter a value for SSL debug file.[3] (I use /tmp/ssl.debug). Click RSA keys list. Click New and add the following entry for your localhost:
IP address: 127.0.0.1
Port: 8443
Protocol: http
Key File: /etc/candlepin/certs/candlepin-ca.key
Now add another entry for your externally facing IP. (Run ifconfig em1 if you don’t know it.)
IP address: YOUR_IP_HERE
Port: 8443
Protocol: http
Key File: /etc/candlepin/certs/candlepin-ca.key
[1] https://ask.wireshark.org/questions/7886/ssl-decrypting-problem
[2] http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite
[3] Used to be required because of https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6033 but now it’s just good practice.
[4] http://www.wireshark.org/lists/wireshark-dev/200805/msg00067.html
[5] http://www.wireshark.org/lists/wireshark-dev/201202/msg00071.html