I am new to wireshare. I am using wireshark 1.4.10. I am trying to capture traffic from a Smalltalk app to a mainframe. I have captured the traffic several times using a http port. Do to security risks the company has shut down the http port and I am trying to use the https port. I have capture the traffic on the https port several times, but I cannot get the decryption of the data to work. I have tried to follow the manual, but it is not working for me. I understand the manual to say that I need the private key to do the decryption. Is this the case? Is this the only way to do the decryption?
asked 25 Jul '12, 14:54
Yes, you do need the private key (which resides on the server) to do decryption. This is because in a normal RSA SSL handshake, the information needed to calculate the key that is used for encrypting the traffic is sent by the client to the server, but encrypted with the public key from the server certificate. This means the information can only be derived by using the corresponding private key.
Then things get a little more complicated as the server might select a DiffieHellman based cipher. In this case, the client and server use randomly generated key-pairs to exchange the information needed to calculate the session key. In this case you can't do decryption with Wireshark.
Recently there have been added some options to do decryption without supplying the private key, but they all involve supplying the (pre)master secret of each ssl session. Which you normally don't have access to. But they can be obtained by:
For more information about SSL troubleshooting, have a look at the presentation I gave at Sharkfest'12 :-)
answered 26 Jul '12, 01:09