This is our old Q&A Site. Please post any new questions and answers at

I'm trying to decrypt browser's HTTPS traffic which passes through stunnel. Essentially, I've got HTTPS wrapped into stunnel's SSL. I realized that wireshark is unable to decrypt SSL within SSL.

I provided wireshark with stunnel's key as well as sslkeylogfile for HTTPS traffic. I can see that wireshark successfully decrypts the outer layer - stunnel's SSL, but it fails to inspect the inner HTTPS.

I know that sslkeylogfile contains the necessary pre-master to decrypt inner HTTPS, because when I tell wireshark to listen to traffic after it passes stunnel, browser's HTTPS gets decrypted successfully.

Is there a way to tell wireshark to perform two-pass decryption? If it was possible to save the decrypted wireshark capture, I would save it after the stunnel SSL got decrypted, then I would feed it back to wireshark and it would decrypt the browser's HTTPS. Unfortunately saving the decrypted capture is not supported yet.

P.S. neither browser nor stunnel use DH-ciphers or TLS session tickets and there are no out-of-order frames.

Here is a sample capture
stunnel key:
sslkeylogfile to decrypt HTTPS:

Note: I use "Decode as SSL" for source and destination port 33310
Sometimes when both "RSA key list" and "Master Secret log filename" are given, wireshark fails to decrypt stunnel SSL. So I removed MS log filename and decryption worked.
I successfully exported PDUs with this capture and opened it in a new wireshark instance but was confronted with a failure in decrypting the HTTPS.

asked 07 Aug '13, 02:37

dansmith

edited 08 Aug '13, 10:15

Please see the answer of @JeffMorriss to the following question.

With the "export PDUs" function, you should be able to save the decrypted stunnel packets and then load that file into Wireshark again, to decrypt the HTTPS packets.

Link to current development releases



answered 08 Aug '13, 02:41

Kurt Knochner ♦

edited 08 Aug '13, 08:14

I compiled the latest build. I open my pcap, select File->Export PDUs to File, Filter: ip & OSI Layer 7, followed by OK. Then it opens a new wireshark window called *(Untitled) not showing a single packet. Have you been successful in using the Export PDUs feature?

(08 Aug '13, 08:12) dansmith

Have you been successful in using the Export PDUs feature?

I did not try yet. I just wanted to give you a hint about a possible solution. I will try it myself now ;-)

Is it possible for you to post the capture files and the keys (only for a test environment)?

(08 Aug '13, 08:13) Kurt Knochner ♦

I provided the sample capture in my OP

(08 Aug '13, 10:16) dansmith

O.K. the "export PDU" feature finally does something, although I'm not quite sure what to do with the exported data in your case.

Exported PDU file:

After decryption of the stunnel connection (choose 'data' as Protocol in the RSA Key list), I was able to export the PDUs with this filter during export: ' eq 0' and 'OSI Layer 7'.

However the exported PDUs are in a very special form and Wireshark does not detect the decrypted data (exported PDUs) as HTTP, although you can see the CONNECT command in the packet bytes (see frame #1 in the file above).

So, currently I don't see a way to decrypt the SSL/TLS connection within that exported PDU capture file, until Wireshark dissects that as HTTP.

But hey, this feature is still under development, so maybe it will work in a later snapshot ;-)


(08 Aug '13, 15:07) Kurt Knochner ♦

O.K. you could do this.

  • remove the first 60 bytes of every frame with editcap. This will leave only the HTTP protocol in the new capture file.

editcap -C 60 exported_pdu.pcapng exported_pdu_trunc.pcap

  • Then use tshark to print the payload bytes in HEX

tshark -nr exported_pdu_trunc.pcap -T fields -e data

Format that output into something that text2pcap understands and add a new IP/TCP header via text2pcap (-T). Then open the newly created capture file and try to decrypt the data.

Just an idea .... ;-)

(08 Aug '13, 15:28) Kurt Knochner ♦
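
The formatting step from the comment above, as an added example that is not part of the original thread: a Python filter that turns the output of `tshark -T fields -e data` into the offset-prefixed hexdump that text2pcap reads. The function names and the sample payloads are constructed for illustration; both colon-separated and plain hex fields are accepted.

```python
import sys

BYTES_PER_ROW = 16

# Constructed sample of `tshark -T fields -e data` output (not taken from the
# capture in this thread): two payloads and one frame without a data field.
SAMPLE = ["16:03:01:00:02:01:00", "", "434f4e4e454354"]


def payload_to_hexdump(field):
    """Return one packet as text2pcap rows, or None for an empty field."""
    cleaned = field.strip().replace(":", "")
    if not cleaned:
        return None  # frame carried no 'data' field, nothing to emit
    raw = bytes.fromhex(cleaned)  # raises ValueError on non-hex input
    rows = []
    for offset in range(0, len(raw), BYTES_PER_ROW):
        chunk = raw[offset:offset + BYTES_PER_ROW]
        rows.append("%06x %s" % (offset, " ".join("%02x" % b for b in chunk)))
    return "\n".join(rows)


def convert(lines):
    """Convert an iterable of tshark output lines into text2pcap input."""
    packets = []
    for number, line in enumerate(lines, 1):
        try:
            dump = payload_to_hexdump(line)
        except ValueError as exc:
            raise ValueError("line %d is not a hex payload: %s" % (number, exc))
        if dump is not None:
            packets.append(dump)
    # Each packet restarts at offset 000000, which text2pcap treats as the
    # beginning of a new packet.
    return "\n\n".join(packets) + "\n"


if __name__ == "__main__":
    sys.stdout.write(convert(sys.stdin))
```

Pipe the tshark output through the script and pass the result to text2pcap with -T. The dummy TCP header uses the same source and destination port for every packet, so the original direction of each payload is not preserved by this step.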

The payload can be exported as HTTP (see ). You just need to choose 'http' instead of 'data' in the RSA keylist dialog box.

(09 Aug '13, 02:46) Pascal Quantin
question asked: 07 Aug '13, 02:37

question was seen: 6,982 times

last updated: 09 Aug '13, 02:46
