This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Decoding ssl traffic

0

I am new to wireshare. I am using wireshark 1.4.10. I am trying to capture traffic from a Smalltalk app to a mainframe. I have captured the traffic several times using a http port. Do to security risks the company has shut down the http port and I am trying to use the https port. I have capture the traffic on the https port several times, but I cannot get the decryption of the data to work. I have tried to follow the manual, but it is not working for me. I understand the manual to say that I need the private key to do the decryption. Is this the case? Is this the only way to do the decryption?

Thanks,

Chris

asked 25 Jul '12, 14:54

chrisdwyer97's gravatar image

chrisdwyer97
1111
accept rate: 0%


One Answer:

0

Yes, you do need the private key (which resides on the server) to do decryption. This is because in a normal RSA SSL handshake, the information needed to calculate the key that is used for encrypting the traffic is sent by the client to the server, but encrypted with the public key from the server certificate. This means the information can only be derived by using the corresponding private key.

Then things get a little more complicated as the server might select a DiffieHellman based cipher. In this case, the client and server use randomly generated key-pairs to exchange the information needed to calculate the session key. In this case you can't do decryption with Wireshark.

Recently there have been added some options to do decryption without supplying the private key, but they all involve supplying the (pre)master secret of each ssl session. Which you normally don't have access to. But they can be obtained by:

  • Compiling your own version of Firefox or Chrome with a debug setting that will log the SSL session keys.
  • Using "openssl s_client" to communicate to the server and use the debug info on screen
  • Having someone with access to the private key use it to decrypt the sessions and export the SSL session keys to a file, which can then be used by you

For more information about SSL troubleshooting, have a look at the presentation I gave at Sharkfest'12 :-)

answered 26 Jul '12, 01:09

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%