This is our old Q&A Site. Please post any new questions and answers at

Decrypt SSL traffic problem because of DHE Cipher


I read a lot about Wireshark and decrypting SSL using the private key. I read most of the post SYN-bit wrote, and saw his presentations he did @Sharkfest.

I just want to know, how can I create a SSL certificate without the DHE cipher in it? I went through lots of doc. and man pages, but still can't figure it out.

I use wireshark 1.6.6, and am unable to decrypt the traffic I capture.


asked 18 Aug '12, 15:27

sha8e's gravatar image

accept rate: 0%

In the files that you sent me, the server has address and not, so you need to fill in in the SSL preferences to make it work...

permanent link

answered 19 Aug '12, 05:06

SYN-bit's gravatar image

SYN-bit ♦♦
accept rate: 20%

Man I've been working since yesterday, I never ever noticed that. This really makes me sad :(

I'm very sorry I took your precious time to solve a dumb case like this.

BTW, why was Wireshark unable to capture the password sent between the client and server? I can see the response from the php application in the captures, but I'm unable to see the username/password I sent to login!

Thank you very much SYN-bit.

(19 Aug '12, 05:22) sha8e

t is not the certificate that has a DHE cipher in it. The client presents a list of ciphers it supports and then the server choses one of those ciphers that it supports. The way to make sure that a non-DH cipher is used, you can either limit the supported ciphers on the client or limit the supported ciphers on the server.

If you use Firefox, you can type "about:config" in the location bar and then do a search on "dh" and disable all DH ciphers. On the server part it depends on your server type. In Apache you can use something like "SSLCipherSuite ALL:!DH".

permanent link

answered 18 Aug '12, 16:10

SYN-bit's gravatar image

SYN-bit ♦♦
accept rate: 20%

Thanks for your quick reply. I disabled all that as you told me. Still I'm unable to do the test.

What I did is the following: openssl req -new -x509 -out server.pem -nodes -keyout privkey.pem

Copied them to /etc/ssl/private & chmod 400 them.

Configured Apache2 with the following: SSLCertificateFile /etc/ssl/private/privkey.pem SSLCertificateKeyFile /etc/ssl/private/server.pem

All other SSL Apache directives are commented, except the SSLEngine is on.

Now I ran Wireshark and connected to the website (locally server). I first got this notification from firefox that the certificate is self-signed and requires an exception from me to be added. I did that, and the website opened.

All that traffic was captured in Wireshark. I added the following to the ~/.wireshark/ssl_keys "server.local","443","http","/etc/ssl/private/server.pem"

All other configurations you talked about in other posts was done too, such as debug and restarting Wireshark.

But till now there is no decrypted traffic seen in Wireshark. What do you think is the problem?

I appreciate all the time and efforts you do in helping me and others.


(18 Aug '12, 16:27) sha8e

(I converted your answer to a comment, please reread the FAQ :-))

All that traffic was captured in Wireshark. I added the following to the ~/.wireshark/ssl_keys "server.local","443","http","/etc/ssl/private/server.pem"

I have not tried myself, but I believe there is no name resolution in the SSL key settings, so you need to configure the IP address of your local server. Also you need to use the private key instead of the certificate. You will have an entry like this:

(19 Aug '12, 00:24) SYN-bit ♦♦

I had to add my last reply as a reply because of the chars. left in comments :(

That was a typo SYN-bit, my config is indeed like this: "server.local","443","http","/etc/ssl/private/privkey.pem"

I also have server.local configured in my /etc/hosts: server.local

Is that what you mean? And do you think the problem is with Firefox? I'll give it a try using the openssl client.

(19 Aug '12, 02:57) sha8e

I did the following:

[email protected]:~# tshark -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list:,443,http,/etc/apache2/ssl/privkey.pem" -o "ssl.debug_file: /root/wireshark-log" -i lo -R "tcp.port == 443" Running as user "root" and group "root". This could be dangerous. Capturing on lo

And the output is below in next comment :(

(19 Aug '12, 04:15) sha8e

Looking at the source code, hostnames are indeed supported. But only is name resolving is enabled in the settings. Could you try with a hardcoded IP address ( in the SSL key list instead of the hostname?

Are you able to share your tracefile & key? That would make helping you a lot easier :-)

(19 Aug '12, 04:16) SYN-bit ♦♦

0.000000 -> TCP 74 58959 > https [SYN] Seq=0 Win=32792 Len=0 MSS=16396 SACK_PERM=1 TSval=187391094 TSecr=0 WS=16 0.000010 -> TCP 74 https > 58959 [SYN, ACK] Seq=0 Ack=1 Win=32768 Len=0 MSS=16396 SACK_PERM=1 TSval=187391094 TSecr=187391094 WS=16 0.000017 -> TCP 66 58959 > https [ACK] Seq=1 Ack=1 Win=32800 Len=0 TSval=187391094 TSecr=187391094 0.000216 -> SSL 155 Client Hello

(19 Aug '12, 04:17) sha8e

0.000017 -> TCP 66 58959 > https [ACK] Seq=1 Ack=1 Win=32800 Len=0 TSval=187391094 TSecr=187391094 0.000216 -> SSL 155 Client Hello 0.000231 -> TCP 66 https > 58959 [ACK] Seq=1 Ack=90 Win=32768 Len=0 TSval=187391094 TSecr=187391094 0.000553 -> SSLv3 1116 Server Hello, Certificate, Server Hello Done 0.000594 -> TCP 66 58959 > https [ACK] Seq=90 Ack=1051 Win=34896 Len=0 TSval=187391094 TSecr=187391094

(19 Aug '12, 04:17) sha8e

0.001393 -> SSLv3 294 Client Key Exchange, Change Cipher Spec, Finished 0.002275 -> SSLv3 157 Change Cipher Spec, Finished 0.009225 -> HTTP 156 GET / HTTP/1.1 0.009384 -> HTTP 508 HTTP/1.1 400 Bad Request (text/html) 0.009448 -> SSLv3 103 Alert (Level: Warning, Description: Close Notify)

(19 Aug '12, 04:17) sha8e

0.009448 -> SSLv3 103 Alert (Level: Warning, Description: Close Notify) 0.009504 -> TCP 66 https > 58959 [FIN, ACK] Seq=1621 Ack=408 Win=33840 Len=0 TSval=187391096 TSecr=187391096 0.009957 -> SSLv3 103 Alert (Level: Warning, Description: Close Notify) 0.010013 -> TCP 66 58959 > https [FIN, ACK] Seq=445 Ack=1622 Win=36992 Len=0 TSval=187391096 TSecr=187391096 0.010036 -> TCP 66 https > 58959 [ACK] Seq=1622 Ack=446 Win=33840 Len=0 TSval=187391096 TSecr=187391096

(19 Aug '12, 04:18) sha8e

I also did the hardcoded IP but nothing new :(

Sure, I sent you all the files.

Thank you SYN-bit.

(19 Aug '12, 04:43) sha8e

Well, the above output shows that you did indeed decrypt the traffic:

0.001393 -> SSLv3 294 Client Key Exchange, Change Cipher Spec, Finished

The Finished handshake message would look like "Encrypted Handshake Message" if decryption did not work.

0.002275 -> SSLv3 157 Change Cipher Spec, Finished 0.009225 -> HTTP 156 GET / HTTP/1.1 0.009384 -> HTTP 508 HTTP/1.1 400 Bad Request (text/html)

And here is the HTTP data from within the SSL stream.

(19 Aug '12, 04:59) SYN-bit ♦♦
showing 5 of 11 show 6 more comments

And here is the openssl client test:

[email protected]:~# (echo GET / HTTP/1.1; echo ; sleep 1) | openssl s_client -ssl3 -connect -cert server.pem -key privkey.pem 
depth=0 /C=JP/ST=Hiroshima/L=Hiroshima/O=SHA8E/OU=Traffic Analysis/CN=server.local/[email protected]
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=JP/ST=Hiroshima/L=Hiroshima/O=SHA8E/OU=Traffic Analysis/CN=server.local/[email protected]
verify return:1
Certificate chain
 0 s:/C=JP/ST=Hiroshima/L=Hiroshima/O=SHA8E/OU=Traffic Analysis/CN=server.local/[email protected]
   i:/C=JP/ST=Hiroshima/L=Hiroshima/O=SHA8E/OU=Traffic Analysis/CN=server.local/[email protected]
Server certificate
subject=/C=JP/ST=Hiroshima/L=Hiroshima/O=SHA8E/OU=Traffic Analysis/CN=server.local/[email protected]
issuer=/C=JP/ST=Hiroshima/L=Hiroshima/O=SHA8E/OU=Traffic Analysis/CN=server.local/[email protected]
No client certificate CA names sent
SSL handshake has read 1141 bytes and written 317 bytes
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
    Protocol  : SSLv3
    Cipher    : AES256-SHA
    Session-ID: 32CEC84CCD0AF087BE51A677BAD15639983FC4FCEE45D8110F0989E14C7821EE
    Master-Key: 7377D1ECBEF3A21E4034B7FD457074AD3C71312C85E7283757A5D84B5580C7F69EF734476B95045EC435360C03053ADF
    Key-Arg   : None
   Compression: 1 (zlib compression)
    Start Time: 1345330539
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
HTTP/1.1 400 Bad Request
Date: Sat, 18 Aug 2012 22:55:39 GMT
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 303
Connection: close
Content-Type: text/html; charset=iso-8859-1

<title>400 Bad Request</title>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
<address>Apache/2.2.14 (Ubuntu) Server at server.local Port 443</address>
permanent link

answered 19 Aug '12, 04:21

sha8e's gravatar image

accept rate: 0%

edited 19 Aug '12, 04:24

SYN-bit's gravatar image

SYN-bit ♦♦

Here is the test:

I will send you keys, and other stuff @email. I hope that's fine with you.

Thank you very much for your time in helping me out. I really appreciate that.

(19 Aug '12, 04:38) sha8e

I noticed its saying:

Continuation or non-HTTP traffic[Malformed Packet]

I think this is the HTTP POST. But strange, why is Wireshark seeing it like that!

(19 Aug '12, 05:56) sha8e

For some reason the first byte of the request gets sent in one SSL record and the rest of the request is sent in another SSL record. Somehow Wireshark has problems re-assembling those parts. This is probably a bug. I'll try to find some time to have a look at it, but don't wait up for me ;-)

(19 Aug '12, 06:10) SYN-bit ♦♦

Do you want me to file a bug report or something? This is very important to me, I will wait for you, because no one maybe knows about it, except you :D

Thank you SYN-bit

(19 Aug '12, 13:11) sha8e

No need to file a bug-report. I found the issue and fixed it in SVN 44593.

In a couple of hours you can download an automated built from (please pick a file with a version number of 44953 or higher). Or you can wait for the next official release in which the fix will be included.

(19 Aug '12, 16:55) SYN-bit ♦♦

Thank you SYN-bit, I think I'll wait for the official release better than screwing up my current system with compilation issues :)

I hope the builders for Linux won't take long in doing the update.

Your help was very grateful, you not only helped me, but I learned lots from you and your comments to other posts, plus your precious presentations.

Wish you good luck always.

(20 Aug '12, 03:35) sha8e

You are very welcome. I extracted my comments to a new answer, as it might help others :-)

If you feel your question is answered, please accept the asnwer that did indeed answer your question best by clicking on the check-mark next to it. This will help others and remove your question from the "unanswered questions" list.

(20 Aug '12, 09:42) SYN-bit ♦♦

You're the boss, anything you say. I marked it as answered even though honestly most of your replies were part of the whole answer. So how can I mark them all :$

(20 Aug '12, 09:56) sha8e

Hola, I just downloaded the new version of Wireshark 1.8.1, and it still doesn't capture the first POST packet! SYN-bit did you test it?

(21 Aug '12, 16:47) sha8e

That's because 1.8.1 was already released before I committed the change. You will have to wait until 1.8.2 comes out. Or use one of the automated builds from

(21 Aug '12, 22:23) SYN-bit ♦♦
showing 5 of 10 show 5 more comments
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 18 Aug '12, 15:27

question was seen: 13,262 times

last updated: 21 Aug '12, 22:23

p​o​w​e​r​e​d by O​S​Q​A