This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

SSL: Decrypt servers' Application Data


In order to decode the SSL application data, I set the 'RSA Keys List' with the right server key file along with its port and IP address.

What I see is that only the client's application data (HTTP) gets decoded successfully, but not the server's response to it.

What could I be missing?

-Prabhu

asked 24 Mar '14, 04:37


Sp87

edited 24 Mar '14, 04:39


One Answer:


What cipher suite is being used? Check the Server Hello packet.

You cannot decrypt ephemeral cipher suites.

If the above does not apply you can try to decrypt the session using the Pre-Master Secret.

  1. Remove the RSA key you just added in Wireshark.
  2. In Windows create a System Variable named SSLKEYLOGFILE with the value C:\premaster.txt
  3. In Wireshark go to Edit > Preferences > Protocols > SSL and type the path to the file above under (Pre)Master-Secret log file name.
  4. Start your packet capture.
  5. Open Chrome or Firefox and make sure the cache is cleared, then go to the desired webpage.
  6. Stop the packet capture and follow the SSL Stream to check if the session was decrypted.

answered 25 Mar '14, 01:45


Roland
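The two checks in the answer above (what cipher suite the Server Hello selected, and whether an SSLKEYLOGFILE entry exists for the session) can be reproduced at the byte level. The following is an added example written for this page; it is not Wireshark code and not Roland's. It parses a constructed ClientHello and ServerHello record, names the selected suite from a small table of IANA values, flags (EC)DHE suites as undecryptable with the server's RSA key alone, and looks the session up in a constructed NSS-format key log by the ClientHello's client random, which is exactly how a key log file is matched to a capture. Function names such as `diagnose` and `parse_hello` are the example's own.

```python
import struct

# Subset of IANA cipher suite values, enough to name what a ServerHello selected.
SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

def suite_name(value):
    return SUITES.get(value, "UNKNOWN_0x%04X" % value)

def is_ephemeral(value):
    """(EC)DHE suites derive the pre-master secret from a per-session Diffie-Hellman
    exchange, so the server's RSA private key alone cannot recover the session keys."""
    return "DHE_" in suite_name(value)

def parse_keylog(text):
    """Parse NSS key log text (what browsers write to SSLKEYLOGFILE).
    Only CLIENT_RANDOM lines are handled: <32-byte random hex> <48-byte master secret hex>.
    Returns {client_random_bytes: master_secret_bytes}."""
    table = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] != "CLIENT_RANDOM":
            continue  # RSA / TLS 1.3 labels are out of scope for this example
        client_random, master_secret = bytes.fromhex(parts[1]), bytes.fromhex(parts[2])
        if len(client_random) != 32 or len(master_secret) != 48:
            raise ValueError("line %d: unexpected field length" % lineno)
        table[client_random] = master_secret
    return table

def parse_hello(record):
    """Parse one TLS record carrying a ClientHello (type 1) or ServerHello (type 2).
    Returns (kind, random, cipher_suites): the offered list for a client, the
    single selected suite for a server."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4:
        raise ValueError("truncated handshake message")
    hs_type, hs_len = hs[0], int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 35:
        raise ValueError("truncated hello body")
    random = body[2:34]            # version(2) then 32-byte random
    pos = 35 + body[34]            # skip session_id length byte and session_id
    if hs_type == 1:
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
        return "client", random, suites
    if hs_type == 2:
        return "server", random, [struct.unpack("!H", body[pos:pos + 2])[0]]
    raise ValueError("handshake type %d is not a hello" % hs_type)

def diagnose(client_hello, server_hello, keylog_text):
    """Combine the cipher suite check with the key log lookup for one session."""
    kind, client_random, offered = parse_hello(client_hello)
    if kind != "client":
        raise ValueError("first record must be a ClientHello")
    kind, _, (selected,) = parse_hello(server_hello)
    if kind != "server":
        raise ValueError("second record must be a ServerHello")
    secrets = parse_keylog(keylog_text)
    return {
        "selected_suite": suite_name(selected),
        "selected_was_offered": selected in offered,
        "ephemeral": is_ephemeral(selected),
        "rsa_private_key_can_decrypt": not is_ephemeral(selected),
        "keylog_has_session": client_random in secrets,
    }

# --- constructed sample input (not captured traffic) ---
def _record(hs_type, body):
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

def build_client_hello(random, suites):
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = b"\x03\x03" + random + b"\x00" + struct.pack("!H", len(cs)) + cs + b"\x01\x00" + b"\x00\x00"
    return _record(1, body)

def build_server_hello(random, suite):
    body = b"\x03\x03" + random + b"\x00" + struct.pack("!H", suite) + b"\x00" + b"\x00\x00"
    return _record(2, body)

CLIENT_RANDOM = bytes(range(32))        # constructed, not a real value
MASTER_SECRET = bytes(range(48))        # constructed, not a real value
KEYLOG = "# constructed key log\nCLIENT_RANDOM %s %s\n" % (CLIENT_RANDOM.hex(), MASTER_SECRET.hex())
CLIENT_HELLO = build_client_hello(CLIENT_RANDOM, [0xC02F, 0xC013, 0x002F])
SERVER_HELLO_ECDHE = build_server_hello(bytes(32), 0xC02F)
SERVER_HELLO_RSA = build_server_hello(bytes(32), 0x002F)

if __name__ == "__main__":
    for label, sh in (("ECDHE", SERVER_HELLO_ECDHE), ("RSA", SERVER_HELLO_RSA)):
        print(label, diagnose(CLIENT_HELLO, sh, KEYLOG))
```

On a real capture the same two facts come straight out of tshark: recent Wireshark versions expose the selected suite as the `tls.handshake.ciphersuite` field on the Server Hello (filter `tls.handshake.type == 2`) and take the key log path via the `tls.keylog_file` preference; releases from the time of this thread used the `ssl.*` names instead. Note that the key log route needs the log written by the client that made the connection, which is why it cannot be applied to traffic captured elsewhere after the fact.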

@Roland, thanks for your reply. I am not sure the steps that you mention can be carried out. The test is being done at a customer location during trials. The cipher suites seem to be OK, as the application data from the client is decrypted successfully. It is the server response to it that is not decrypted.

(25 Mar '14, 12:29) Sp87