This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Is it possible to decrypt an SSL Session post capture

0

I know it's possible to decrypt an SSL session, but is it possible to decrypt an SSL session post capture?

I have a capture that was done with another product that they have no idea if or how to configure it to decrypt the SSL session. And putting Wireshark on the network so far isn't happening, but I do have the SSL keys, so the obvious question that I came up with: can I do it on that saved capture file?

Thanks

asked 30 Apr '13, 11:43

modeerf
1111
accept rate: 0%


One Answer:

1

Yes that is possible. In fact, I mostly capture on other devices and do the decryption in Wireshark on my laptop later on.

Keep in mind that there are 3 basic conditions that must be met to successfully decrypt SSL traffic:

  • You have to have the server private key that corresponds to the certificate in the captured SSL session. You seem to have those.
  • For each SSL session in the capture file that you would like to decrypt, you need to have the full SSL handshake (including the ClientKeyExchange handshake message). Especially if you have no control over the client or the server during capturing, they often reuse sessions that had their handshake before you started capturing.
  • The chosen cipher must not use a Diffie-Hellman key exchange (DH in the cipher name), as Wireshark is unable to extract the MasterSecret (with the session key used for the encryption) from the capture when DH is used.

answered 30 Apr '13, 13:08

SYN-bit ♦♦
17.1k957245
accept rate: 20%
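
The second and third conditions in the answer above can be checked on a saved session before attempting decryption. The following Python check is an added example, not part of the original answer and not Wireshark code: it walks the cleartext handshake records and reports a missing ClientKeyExchange or a Diffie-Hellman suite. It assumes both directions of one TCP session have already been reassembled in order into a single byte string and that handshake messages are not split across records; the function names, the abbreviated cipher suite table and the sample byte strings are constructed for illustration. It does not check the first condition (that the private key matches the server certificate).

```python
import struct

# Subset of IANA cipher suite IDs (assumption: extend for real captures).
SUITES = {0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
          0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
          0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"}

def handshake_messages(stream):
    """Yield (type, body) for each cleartext handshake message in a TLS byte stream."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _ver, rlen = struct.unpack_from("!BHH", stream, pos)
        record, pos = stream[pos + 5:pos + 5 + rlen], pos + 5 + rlen
        if ctype == 20:                      # ChangeCipherSpec: the rest is encrypted
            return
        off = 0
        while ctype == 22 and off + 4 <= len(record):   # 22 = handshake record
            mlen = int.from_bytes(record[off + 1:off + 4], "big")
            yield record[off], record[off + 4:off + 4 + mlen]
            off += 4 + mlen

def check_session(stream):
    """Return the reasons this session cannot be decrypted with the RSA key (empty = OK)."""
    seen, suite, reasons = set(), None, []
    for mtype, body in handshake_messages(stream):
        seen.add(mtype)
        if mtype == 2 and len(body) > 34:    # ServerHello: version(2) random(32) sid_len(1)
            at = 35 + body[34]               # chosen cipher suite follows the session id
            suite = int.from_bytes(body[at:at + 2], "big")
    if not {1, 2} <= seen:
        reasons.append("ClientHello/ServerHello not in capture")
    if 16 not in seen:
        reasons.append("no ClientKeyExchange (resumed or partial handshake)")
    name = SUITES.get(suite)
    if suite is not None and (name is None or "DH" in name):
        reasons.append("not a known RSA key exchange: " + (name or hex(suite)))
    return reasons

# Constructed sample data (not from a real capture); message bodies are simplified.
def rec(ctype, payload):
    return struct.pack("!BHH", ctype, 0x0301, len(payload)) + payload
def msg(mtype, body):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body
def server_hello(suite, sid=b""):
    return msg(2, b"\x03\x01" + bytes(32) + bytes([len(sid)]) + sid + suite.to_bytes(2, "big") + b"\x00")
CCS = rec(20, b"\x01")
FULL_RSA = rec(22, msg(1, b"")) + rec(22, server_hello(0x002F)) + rec(22, msg(16, bytes(130))) + CCS
FULL_DHE = rec(22, msg(1, b"")) + rec(22, server_hello(0x0033)) + rec(22, msg(16, bytes(66))) + CCS
RESUMED = rec(22, msg(1, b"")) + rec(22, server_hello(0x002F, bytes(32))) + CCS
```

`check_session(FULL_RSA)` returns an empty list, while the resumed and DHE samples each return one reason matching the corresponding condition.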