After capturing some SSL traffic (using tcpdump on an embedded Linux system), I'm attempting to decrypt the traffic from the dumpfile using Wireshark (I've tried both v1.8.1 on Linux and v1.8.2 on Win32). The Session-ID was taken from the packet capture and the master secret was obtained from the memory of an application executing on the embedded system. My key file looks like
With the obligatory newline afterwards. I've selected "data" as the protocol (as I'm not sure what protocol lies inside the session--though most likely XML), but when applied, I get an error of "Can't load private key from /root/dump.test.ms" on the console and "ssl_load_key: can't import pem data" in the ssl.debug file. It almost seems as if Wireshark is treating the keyfile as an RSA/X.509 key and not the session & master secret? Furthermore, if the master secret were incorrect, I would still expect Wireshark to "decrypt" the data and present that in the view as decrypted. Any pointers or thoughts would be appreciated.

asked 08 Sep '12, 14:33 puffdaddy
One Answer:
To answer my own question, this was simple user error, as I didn't understand that the SSL Protocol dialog provided an input for RSA server keys, and a separate method to input Session-IDs and Master-Secrets (i.e. Edit->Preferences->Protocols->SSL-> "(Pre)-Master-Secret log filename:", and the file that you specify there should contain separate lines with the

After adding my file in that fashion, I needed to restart Wireshark, and then (after the restart--which seemed to perhaps allow Wireshark to load and possess the secrets contained in that file) I was able to then select "Follow SSL stream" and view the decrypted stream. Cheers!

answered 11 Sep '12, 11:11 puffdaddy
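A pre-flight check for the mix-up described in the answer, as an added example that is not part of the original post: it tells a PEM private key (RSA keys list) apart from Session-ID/master-secret lines ((Pre)-Master-Secret log file) and validates the latter. The `RSA Session-ID:<hex> Master-Key:<hex>` line layout is taken from Wireshark's SSL key log documentation rather than from this page; the function names and sample values are constructed for illustration.

```python
import re

# Key log line carrying a session ID and master secret (assumed layout, see lead-in).
SESSION_LINE = re.compile(
    r"^RSA Session-ID:(?P<sid>[0-9A-Fa-f]+) Master-Key:(?P<ms>[0-9A-Fa-f]+)$"
)
PEM_HEADER = re.compile(r"^-----BEGIN (?:RSA |ENCRYPTED )?PRIVATE KEY-----$")

MASTER_SECRET_BYTES = 48   # fixed length in SSLv3 and TLS 1.0-1.2
MAX_SESSION_ID_BYTES = 32  # upper bound set by the protocol


def check_line(line):
    """Return (kind, detail) for one line of a candidate key file."""
    line = line.strip()
    if not line:
        return ("skip", "blank line")
    if PEM_HEADER.match(line):
        return ("pem", "PEM private key: belongs in the RSA keys list")
    m = SESSION_LINE.match(line)
    if not m:
        return ("invalid", "not a Session-ID/Master-Key line")
    sid, ms = m.group("sid"), m.group("ms")
    if len(sid) % 2 or len(sid) // 2 > MAX_SESSION_ID_BYTES:
        return ("invalid", "session ID must be 1-32 whole bytes of hex")
    if len(ms) != MASTER_SECRET_BYTES * 2:
        return ("invalid", "master secret must be exactly 48 bytes (96 hex digits)")
    return ("session", "belongs in the (Pre)-Master-Secret log file")


def check_file_text(text):
    """Classify every line; returns a list of (line_number, kind, detail)."""
    return [(n, *check_line(l)) for n, l in enumerate(text.splitlines(), 1)]


# Constructed sample values, not taken from any real capture.
SAMPLE = "\n".join([
    "RSA Session-ID:" + "ab" * 32 + " Master-Key:" + "0f" * 48,
    "RSA Session-ID:" + "ab" * 32 + " Master-Key:" + "0f" * 40,  # secret too short
    "-----BEGIN RSA PRIVATE KEY-----",
]) + "\n"

if __name__ == "__main__":
    for n, kind, detail in check_file_text(SAMPLE):
        print(f"line {n}: {kind}: {detail}")
```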
puffdaddy ... I need to get the Session-ID and Master-Secret for a Win32 C++ application for decrypting SSL/TLS traffic. How did you get the Session-ID and Master-Secret? Which software did you use? Could you please point me in the right direction?