I'm trying to decrypt a browser's HTTPS traffic that passes through stunnel. Essentially, I've got HTTPS wrapped in stunnel's SSL. I realized that Wireshark is unable to decrypt SSL within SSL. I provided Wireshark with stunnel's key as well as an SSLKEYLOGFILE for the HTTPS traffic. I can see that Wireshark successfully decrypts the outer layer (stunnel's SSL), but it fails to inspect the inner HTTPS. I know that the SSLKEYLOGFILE contains the pre-master secrets necessary to decrypt the inner HTTPS, because when I tell Wireshark to listen to the traffic after it passes stunnel, the browser's HTTPS gets decrypted successfully. Is there a way to tell Wireshark to perform two-pass decryption? If it were possible to save the decrypted Wireshark capture, I would save it after the stunnel SSL got decrypted, then feed it back to Wireshark and it would decrypt the browser's HTTPS. Unfortunately, saving the decrypted capture is not supported yet.
P.S. Neither the browser nor stunnel uses DH ciphers or TLS session tickets, and there are no out-of-order frames.
EDIT1: Note: I use "Decode As SSL" for source and destination port 33310.
asked 07 Aug '13, 02:37 dansmith edited 08 Aug '13, 10:15
One Answer:
Please see the answer of @JeffMorriss to the following question.
With the "Export PDUs" function, you should be able to save the decrypted stunnel packets and then load that file into Wireshark again to decrypt the HTTPS packets. Link to current development releases
Regards
answered 08 Aug '13, 02:41 Kurt Knochner ♦ edited 08 Aug '13, 08:14
I compiled the latest build. I open my pcap, select File->Export PDUs to File, Filter: ip & OSI Layer 7, followed by OK. Then it opens a new Wireshark window called *(Untitled) that does not show a single packet. Have you been successful in using the Export PDUs feature?
I did not try yet. I just wanted to give you a hint about a possible solution. I will try it myself now ;-)
Is it possible for you to post the capture files and the keys (only for a test environment)?
I provided the sample capture in my OP.
O.K., the "Export PDU" feature finally does something, although I'm not quite sure what to do with the exported data in your case.
Exported PDU file: https://www.cloudshark.org/captures/4342db79406c
After decryption of the stunnel connection (choose 'data' as Protocol in the RSA Key list), I was able to export the PDUs with this filter during export: 'tcp.stream eq 0' and 'OSI Layer 7'.
However the exported PDUs are in a very special form and Wireshark does not detect the decrypted data (exported PDUs) as HTTP, although you can see the CONNECT command in the packet bytes (see frame #1 in the file above).
So, currently I don't see a way to decrypt the SSL/TLS connection within that exported PDU capture file, until Wireshark dissects that as HTTP.
But hey, this feature is still under development, so maybe it will work in a later snapshot ;-)
Regards
Kurt
O.K., you could do this.
Format that output into something that text2pcap understands and add a new IP/TCP header via text2pcap (-T). Then open the newly created capture file and try to decrypt the data.
Just an idea .... ;-)
The payload can be exported as HTTP (see http://cloudshark.org/captures/ed9681934778 ). You just need to choose 'http' instead of 'data' in the RSA keylist dialog box.
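The text2pcap -T route suggested in the comments above (take the decrypted bytes, put a fresh IP/TCP header around them, open the result as a new capture) can also be done without Wireshark's tools. The following is an added example, not code from the question, the answer, or the Wireshark project: it re-wraps a decrypted byte stream in synthetic Ethernet/IPv4/TCP headers with valid checksums and a consistent three-way handshake and sequence numbering, and writes a classic pcap. The sample payload (a CONNECT request, its 200 reply and the first bytes of a TLS record), the addresses 10.0.0.1/10.0.0.2, the server port 443 and the client port 33310 are all constructed; substitute the bytes exported from your decrypted stunnel stream.

```python
"""Re-wrap decrypted application bytes in synthetic Ethernet/IPv4/TCP headers
and write them out as a pcap so Wireshark can dissect (and TLS-decrypt) them
again. Added example for this Q&A, not part of the original page; it does in
pure Python what the text2pcap -T suggestion above would do."""
import struct

PCAP_MAGIC = 0xA1B2C3D4        # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETH_IP_TCP_HDR = 14 + 20 + 20  # offset of the payload in every frame built here
SYN, SYN_ACK, ACK, PSH_ACK = 0x02, 0x12, 0x10, 0x18

# Constructed sample: the start of the inner, formerly stunnel-wrapped session.
# Replace with the bytes exported from the decrypted stunnel stream.
CONNECT_REQ = b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"
CONNECT_OK = b"HTTP/1.1 200 Connection established\r\n\r\n"
TLS_RECORD_START = bytes.fromhex("160301")   # TLS handshake record header (constructed)
SAMPLE_EXCHANGES = [("c2s", CONNECT_REQ), ("s2c", CONNECT_OK), ("c2s", TLS_RECORD_START)]


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum, shared by the IPv4 header and the TCP segment."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def build_frame(payload, src_ip, dst_ip, sport, dport, seq, ack, flags, ident):
    """One Ethernet/IPv4/TCP frame with valid checksums around `payload`."""
    tcp_len = 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, ident, 0x4000,
                         64, 6, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ones_complement_sum(ip_hdr)) + ip_hdr[12:]
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = ip_bytes(src_ip) + ip_bytes(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)
    tcp_sum = ones_complement_sum(pseudo + tcp_hdr + payload)
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", tcp_sum) + tcp_hdr[18:]
    # constructed locally-administered MACs: dst 02:00:00:00:00:02, src 02:00:00:00:00:01
    eth_hdr = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + b"\x08\x00"
    return eth_hdr + ip_hdr + tcp_hdr + payload


def checksums_ok(frame: bytes) -> bool:
    """Self-check: a correct checksum folds the sum over header+field to zero."""
    ip_hdr, tcp_seg = frame[14:34], frame[34:]
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, 6, len(tcp_seg))
    return ones_complement_sum(ip_hdr) == 0 and ones_complement_sum(pseudo + tcp_seg) == 0


def rewrap_stream(exchanges, client=("10.0.0.1", 33310), server=("10.0.0.2", 443)):
    """Turn [(direction, bytes), ...] into a TCP conversation (handshake plus one
    PSH/ACK segment per exchange) with consistent seq/ack numbers, so Wireshark's
    reassembly and its TLS dissector see a normal stream from byte zero."""
    c_isn, s_isn = 1000, 5000                      # arbitrary initial sequence numbers
    next_seq = {"c2s": c_isn + 1, "s2c": s_isn + 1}
    ident = 0

    def frame(direction, payload, flags, seq, ack):
        nonlocal ident
        ident += 1
        src, dst = (client, server) if direction == "c2s" else (server, client)
        return build_frame(payload, src[0], dst[0], src[1], dst[1], seq, ack, flags, ident)

    frames = [frame("c2s", b"", SYN, c_isn, 0),
              frame("s2c", b"", SYN_ACK, s_isn, c_isn + 1),
              frame("c2s", b"", ACK, c_isn + 1, s_isn + 1)]
    for direction, payload in exchanges:
        other = "s2c" if direction == "c2s" else "c2s"
        frames.append(frame(direction, payload, PSH_ACK, next_seq[direction], next_seq[other]))
        next_seq[direction] += len(payload)
    return frames


def pcap_bytes(frames, t0=1375862400):
    """Serialize frames as a classic pcap; timestamps are constructed, 1 ms apart."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", t0, i * 1000, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    frames = rewrap_stream(SAMPLE_EXCHANGES)
    assert all(checksums_ok(f) for f in frames)
    with open("rewrapped.pcap", "wb") as fh:
        fh.write(pcap_bytes(frames))
    print("wrote rewrapped.pcap with %d frames" % len(frames))
```

Open the resulting rewrapped.pcap in Wireshark with the browser's key log configured (the tls.keylog_file preference, called ssl.keylog_file in the 1.x releases) and, if the inner session is not on port 443, use Decode As on the server port; because the handshake and sequence numbers are consistent, the stream reassembles and the second decryption pass runs on the inner TLS exactly as it does when capturing after stunnel.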