Hi there, to analyze some applications which use HTTPS to communicate, I had set up a little proxy which redirects the traffic to sslsniff and forwards it afterwards. Currently I'm running sslsniff in authority mode with a self-signed CA. In this mode sslsniff automatically generates matching certificates which are then signed with its own CA. The tool works fine; unfortunately parsing the output is a little bit nasty, since sslsniff simply drops the traffic as a txt file instead of dumping all traffic into a valid pcap file. Now I'm searching for a way to get that SSL-cracked traffic dumped into a pcap file in order to decrypt it properly in Wireshark with the SSL dissector. Therefore I need a valid private key (I assume the private key from the generated certificate and not the one provided by the fake CA). In authority mode the generated certificate is dumped nowhere, so there is also no private key available to set in the Wireshark SSL settings. What can I do to get all this traffic decrypted in Wireshark in this scenario?
Best Regards, Bastian
asked 17 Feb '14, 08:24 CipherSpec
One Answer:
That's right. So, you need a way to get the keying material. There are some options I can think of:
Regards
answered 19 Feb '14, 06:09 Kurt Knochner ♦
But in this case the creepy way has been the best way! Works like a charm and is very helpful.
The problem here is that new versions of Firefox do not dump the keys anymore. As well, you cannot consider traffic which isn't transmitted via a browser (e.g. TLS IMAP traffic).
It seems that this step is absolutely necessary. Although the tool works fine, the error handling is a little bit poor.
Likewise possible, but Fiddler is not very nice to handle on Linux operating systems. So I can recommend the creepy way.
Thank you very much!
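The thread turns on getting keying material into Wireshark: once the per-session secrets are written in Wireshark's key log format (the same format Firefox and other NSS-based clients once wrote, as the comment about newer Firefox versions alludes to), the dissector can decrypt the capture without any certificate private key at all, which also covers non-browser traffic such as IMAP over TLS. The following added example, which is not from the question, the answer, or any of the tools mentioned, parses such a key log, ties an entry to a captured ClientHello by its 32-byte client random, and builds the tshark invocation that consumes the file. The `tshark` preference name `tls.keylog_file` is the one used by Wireshark 3.x and later; releases from 2014 spelled it `ssl.keylog_file`. All sample data below is constructed and no network traffic is involved.

```python
"""Added example: working with a Wireshark/NSS key log file.

Constructed sample data only; nothing here touches the network.
"""
import re

# One entry per line: <label> <client_random_hex> <secret_hex>
_LINE_RE = re.compile(r"^([A-Z_0-9]+)\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s*$")

# Field lengths (in hex chars) enforced per label: a 32-byte client random and,
# for TLS <= 1.2, a 48-byte master secret.
_EXPECTED_LEN = {"CLIENT_RANDOM": (64, 96)}


def parse_keylog(text):
    """Return a dict mapping client_random (lowercase hex) -> (label, secret_hex).

    Comment lines ('#') and blank lines are skipped; a line that is not a key log
    entry, or whose fields have the wrong length, raises ValueError so that a
    truncated or corrupted file is noticed instead of silently failing to decrypt.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a key log entry: {raw!r}")
        label, rand_hex, secret_hex = m.groups()
        want = _EXPECTED_LEN.get(label)
        if want and (len(rand_hex), len(secret_hex)) != want:
            raise ValueError(f"line {lineno}: bad field lengths for {label}")
        entries[rand_hex.lower()] = (label, secret_hex.lower())
    return entries


def client_random_from_record(record):
    """Extract the ClientHello random (as hex) from a raw TLS record.

    Layout: record header (5 bytes, type 0x16) + handshake header (4 bytes,
    type 0x01) + client_version (2 bytes) + random (32 bytes).
    """
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    return record[11:43].hex()


def match_session(entries, record):
    """Look up the key log entry for the session a ClientHello record belongs to."""
    return entries.get(client_random_from_record(record))


def tshark_argv(pcap_path, keylog_path, display_filter="http"):
    """argv for decrypting a capture with tshark via the key log preference."""
    return ["tshark", "-r", pcap_path,
            "-o", f"tls.keylog_file:{keylog_path}",
            "-Y", display_filter]


def build_client_hello(random_bytes):
    """Constructed minimal ClientHello record (version, random, empty session id)
    used only to exercise client_random_from_record; real hellos carry more."""
    body = b"\x03\x03" + random_bytes + b"\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed sample session: not a real client random or master secret.
SAMPLE_RANDOM = bytes(range(32))
SAMPLE_SECRET = bytes([0x42]) * 48
SAMPLE_KEYLOG = (
    "# constructed sample key log, not from a real session\n"
    f"CLIENT_RANDOM {SAMPLE_RANDOM.hex()} {SAMPLE_SECRET.hex()}\n"
)

if __name__ == "__main__":
    entries = parse_keylog(SAMPLE_KEYLOG)
    hello = build_client_hello(SAMPLE_RANDOM)
    print("matched entry:", match_session(entries, hello))
    print("decrypt with:", " ".join(tshark_argv("capture.pcap", "keys.log")))
```

Pointing Wireshark at the key log (Preferences > Protocols > TLS, or the `-o` preference above) decrypts every session whose client random appears in the file, so the practical check when decryption fails is exactly what `match_session` does: confirm the random from the capture's ClientHello is present in the log.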