This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi there,

to analyze some application, which are using https to communicate i had set up a little proxy which redirects the traffic to sslsniff and forwards it afterwards.

Currently i'm running sslsniff in authority mode with a self signed CA. In this mode sslsniff automatically generates mathing certificates which are then signed with the own CA.

The tool works fine, unfortunately parsing the output is a little bit nasty, since sslsniff drops the traffic simply as a txt file instead of dumping all traffic in a valid pcap file.

Now i'm searching for a way to get that ssl cracked traffic dumped into a pcap file in order to decrypt it properly in wireshark with the SSL dissector. Therefore i need a valid private Key (i assume the private key from the generated certificate and not the one provided by the fake CA). In authority mode the generated ca is dumped at no place, so there is also no private key available to set it in wireshark ssl settings.

What can i do to get all this traffic decrypted in wireshark in this scenario?

Best Regards Bastian

asked 17 Feb '14, 08:24

CipherSpec's gravatar image

CipherSpec
16224
accept rate: 0%


In authority mode the generated ca is dumped at no place, so there is also no private key available to set it in wireshark ssl settings.

That's right. So, you need a way to get the keying material. There are some options I can think of:

Regards
Kurt

permanent link

answered 19 Feb '14, 06:09

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

hook the crypto API calls to dump the keys. There is a workaround on Linux for sslsniff. Looks kind of 'creepy', but it seems to work: http://diablohorn.wordpress.com/2013/07/14/sslsniff-howto-dump-the-temporary-key/

But in this case the creepy way has been the best way! Works like a charm and is very helpful.

let your client (Browser) dump the session keys (see: SSLKEYLOGFILE and a similar question. Then use the dumped keys to decrypt the session with Wireshark.

The problem here is that new versions of firefox do not dump the keys anymore. As well you cannot consider traffic which isn't transmitted via browser (e.g. TLS IMAP Traffic)

rewrite the code of sslsniff to dump the keying material

It seems that this step is absolutely necessary. Although the tool works fine the error handling as a little bit poor.

use a different SSL interception tool, like Fiddler or other tools.

Likewise possible, but fiddler is not very nice to handle at linux operating systems. So if can recommend the creepy way.

Thank you very much!

(12 Mar '14, 02:09) CipherSpec
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×1,620
×319
×1

question asked: 17 Feb '14, 08:24

question was seen: 7,453 times

last updated: 12 Mar '14, 02:47

p​o​w​e​r​e​d by O​S​Q​A