This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I know it's possible to decrypt an SSL session, but is it possible to decrypt an SSL session post capture?

I have a capture that was done with another product that they have no idea if or how to configure it to decrypt the SSL session. And putting Wireshark on the network so far isn't happening, but I do have the SSL keys, so the obvious question that I came up with: can I do it on that saved capture file?

Thanks

asked 30 Apr '13, 11:43

modeerf


Yes that is possible. In fact, I mostly capture on other devices and do the decryption in Wireshark on my laptop later on.

Keep in mind that there are 3 basic conditions that must be met to successfully decrypt SSL traffic:

  • You have to have the server private key that corresponds to the certificate in the captured SSL session. You seem to have those.
  • For each SSL session in the capture file that you would like to decrypt, you need to have the full SSL handshake (including the ClientKeyExchange handshake message). Especially if you have no control over the client nor server during capturing, they often reuse sessions that had their handshake before you started capturing.
  • The chosen cipher must not use a Diffie-Hellman key exchange (DH in the cipher name), as Wireshark is unable to extract the MasterSecret (with the session key used for the encryption) from the capture when DH is used.

answered 30 Apr '13, 13:08

SYN-bit ♦♦
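The second and third conditions in the answer above can be checked on a saved capture before attempting decryption. The following is an added example, not part of the original answer or of Wireshark: it walks the cleartext handshake records of one session and reports what would block decryption with the server's RSA key. It assumes each direction's TCP payload has already been reassembled and starts at a TLS record boundary; the function names and the sample bytes are hypothetical and constructed.

```python
import struct

# Subset of IANA cipher suite IDs (real values); extend for your capture.
SUITES = {0x0005: "TLS_RSA_WITH_RC4_128_SHA", 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
          0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA", 0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
          0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"}
HANDSHAKE, CHANGE_CIPHER_SPEC = 22, 20          # record content types
SERVER_HELLO, CLIENT_KEY_EXCHANGE = 2, 16       # handshake message types

def handshake_messages(stream):
    """Yield (type, body) for cleartext handshake messages in one direction's bytes."""
    pos, buf = 0, b""
    while pos + 5 <= len(stream):
        rtype, _version, rlen = struct.unpack_from("!BHH", stream, pos)
        if rtype == CHANGE_CIPHER_SPEC:         # everything after this is encrypted
            break
        if rtype == HANDSHAKE:
            buf += stream[pos + 5:pos + 5 + rlen]
        pos += 5 + rlen
    while len(buf) >= 4:
        mlen = int.from_bytes(buf[1:4], "big")
        yield buf[0], buf[4:4 + mlen]
        buf = buf[4 + mlen:]

def decryption_blockers(client_stream, server_stream):
    """Return reasons why the server's RSA private key will not decrypt this session."""
    reasons, suite = [], None
    for mtype, body in handshake_messages(server_stream):
        # ServerHello: version(2) random(32) sid_len(1) sid cipher_suite(2) ...
        if mtype == SERVER_HELLO and len(body) > 34 and len(body) >= 37 + body[34]:
            suite = int.from_bytes(body[35 + body[34]:37 + body[34]], "big")
    if suite is None:
        reasons.append("no ServerHello: start of handshake not captured")
    elif not SUITES.get(suite, "").startswith("TLS_RSA_"):
        reasons.append("not a known RSA key exchange: " + SUITES.get(suite, hex(suite)))
    if CLIENT_KEY_EXCHANGE not in [t for t, _ in handshake_messages(client_stream)]:
        reasons.append("no ClientKeyExchange: resumed or partial handshake")
    return reasons

# Constructed sample input (not from a real capture).
def rec(rtype, payload):
    return struct.pack("!BHH", rtype, 0x0301, len(payload)) + payload
def msg(mtype, body):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body
def server_hello(suite, sid=b""):
    return msg(2, b"\x03\x01" + bytes(32) + bytes([len(sid)]) + sid + suite.to_bytes(2, "big") + b"\x00")
CCS = rec(20, b"\x01")
FULL_CLIENT = rec(22, msg(1, bytes(40))) + rec(22, msg(16, bytes(130))) + CCS
RESUMED_CLIENT = rec(22, msg(1, bytes(40))) + CCS
```

An empty list from `decryption_blockers` means the handshake-related conditions are met; the private key must still match the certificate the server presented.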
