This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Same server certificate used by two IIS, one of them can not be decrypted.


Dear Team,

I have two IIS servers: IIS8 running on Windows 2012 and IIS7.5 running on Windows 2008R2. Today I needed to do some troubleshooting of the encrypted HTTP traffic. The strange thing is that I can decrypt the HTTP data for IIS7.5 but CAN'T decrypt it for IIS8. Could you please assist with this?

I have put both captures/debug files and the decryption key into Skydrive; the link is http://1drv.ms/1icxA3G. For IIS7.5 the related files are: IIS7.5.pcapng and IIS7.5_with_Windows2008R2_debug.txt.zip. For IIS8 the related files are: IIS8_with_Windows2012.pcapng and IIS8_with_Windows2012_debug.txt. The decryption key filename is: comp01.key

Thanks, Sam

asked 09 Sep '15, 02:19


Metasploit

edited 09 Sep '15, 02:36


One Answer:


I can decrypt the HTTP data in IIS7.5 but CAN'T decrypt in IIS8, could you please assist on this?

Without having seen the SSL debug logs or the pcap file, I simply guess that IIS8 uses different ciphers, which are based on Diffie-Hellman (DHE, DHCE). If so, bad luck! You can't decrypt TLS sessions that use DHE/DHCE ciphers with a server RSA key, as that's exactly why they have been developed (well, not exactly because of that, but ... ;-))

Regards
Kurt

answered 11 Sep '15, 14:12


Kurt Knochner ♦

Hi Kurt,

Would you mind checking my captures and debug files? They are here: http://1drv.ms/1icxA3G .

Thanks, Sam

(11 Sep '15, 20:26) Metasploit

Hi Kurt, I checked the captures again; it seems IIS8 is using EC Diffie-Hellman. Is there a plan to add this capability? I mean decryption of the ECDHE cipher. Thanks, Sam

(12 Sep '15, 09:11) Metasploit

Is there a plan to add this capability? I mean decryption of ECDHE cipher.

There is no plan, because it's technically impossible.

You can only decrypt the traffic, if the client (browser) reveals the negotiated session key (master secret).

see here:

https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/
https://www.google.com/#q=site:ask.wireshark.org+SSLKEYLOGFILE

Regards
Kurt

(12 Sep '15, 12:53) Kurt Knochner ♦
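The two points made above, that a session negotiated with a DHE/ECDHE cipher suite cannot be decrypted with the server's RSA private key, and that it can be decrypted if the client wrote the master secret to an SSLKEYLOGFILE, are the two checks a practitioner actually runs against a capture before blaming Wireshark. The following is an added example and not code from the original thread or from the Wireshark project: it parses the ClientHello/ServerHello from a raw TLS record stream, reads the negotiated cipher suite, and reports whether the server key, a matching `CLIENT_RANDOM` key-log entry, or nothing at all will decrypt the session. The record bytes, key-log line and the function name `how_to_decrypt` are constructed for this example; the cipher suite ids are the IANA values.

```python
import struct

# Cipher suite ids (IANA). The key-exchange half of the name decides how the
# pre-master secret is established; only RSA key exchange can be undone with
# the server's private key. (EC)DHE suites are forward secret by design.
RSA_KX_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
}
FORWARD_SECRET_SUITES = {
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}


def iter_handshakes(stream):
    """Yield (handshake_type, body) from a raw TLS record stream (no TCP/IP headers)."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _ver, rlen = struct.unpack_from("!BHH", stream, off)
        payload = stream[off + 5:off + 5 + rlen]
        off += 5 + rlen
        if ctype != 22:            # 22 = handshake; skip alerts, CCS, app data
            continue
        p = 0
        while p + 4 <= len(payload):
            htype = payload[p]
            hlen = int.from_bytes(payload[p + 1:p + 4], "big")
            yield htype, payload[p + 4:p + 4 + hlen]
            p += 4 + hlen


def handshake_summary(stream):
    """Return (client_random_hex, negotiated_cipher_id) from ClientHello/ServerHello."""
    client_random = cipher = None
    for htype, body in iter_handshakes(stream):
        if htype == 1:             # ClientHello: version(2) random(32) ...
            client_random = body[2:34].hex()
        elif htype == 2:           # ServerHello: version(2) random(32) sid_len(1) sid cipher(2)
            sid_len = body[34]
            cipher = struct.unpack_from("!H", body, 35 + sid_len)[0]
    return client_random, cipher


def keylog_secrets(keylog_text):
    """Parse SSLKEYLOGFILE lines 'CLIENT_RANDOM <client_random> <master_secret>'."""
    secrets = {}
    for line in keylog_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "CLIENT_RANDOM":
            secrets[parts[1].lower()] = parts[2].lower()
    return secrets


def how_to_decrypt(stream, keylog_text=""):
    """Decide what Wireshark needs for this session: the server RSA key,
    a key-log entry whose CLIENT_RANDOM matches the capture, or nothing works."""
    client_random, cipher = handshake_summary(stream)
    if cipher is None:
        return "no-serverhello"
    if cipher in RSA_KX_SUITES:
        return "server-rsa-key"   # RSA key exchange: private key recovers the pre-master secret
    if client_random in keylog_secrets(keylog_text):
        return "keylog"           # (EC)DHE, but the client logged the master secret
    if cipher in FORWARD_SECRET_SUITES:
        return "undecryptable"    # forward-secret suite and no matching key log entry
    return "unknown-suite"


def _record(htype, body):
    """Wrap a handshake body in a TLS 1.2 record (used only to build sample data)."""
    hs = bytes([htype]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + len(hs).to_bytes(2, "big") + hs


# Constructed sample handshakes: the client offers ECDHE and RSA suites, the
# "IIS7.5" server picks TLS_RSA_WITH_AES_128_CBC_SHA, the "IIS8" server picks
# TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
CLIENT_RANDOM = bytes(range(32))
CLIENT_HELLO = _record(1, b"\x03\x03" + CLIENT_RANDOM + b"\x00"
                       + b"\x00\x04\xc0\x2f\x00\x2f" + b"\x01\x00")
RSA_SESSION = CLIENT_HELLO + _record(2, b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00")
ECDHE_SESSION = CLIENT_HELLO + _record(2, b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00")
# Constructed key-log line in the SSLKEYLOGFILE format (master secret is dummy bytes).
KEYLOG = "CLIENT_RANDOM " + CLIENT_RANDOM.hex() + " " + "ab" * 48 + "\n"

if __name__ == "__main__":
    print("IIS7.5-style session:", how_to_decrypt(RSA_SESSION))
    print("IIS8-style session, no key log:", how_to_decrypt(ECDHE_SESSION))
    print("IIS8-style session, with key log:", how_to_decrypt(ECDHE_SESSION, KEYLOG))
```

The key-log check compares the `CLIENT_RANDOM` from the capture with the entries in the file, which is the usual reason a key log "does not work": the browser was started after the capture, or the file was written by a different client than the one whose traffic was recorded. For a real pcap you would feed the reassembled TCP payload of the TLS connection to `how_to_decrypt` instead of the constructed bytes.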

Hi Kurt,

Million thanks, I got it and works like a charm!

Best Regards, Sam

(14 Sep '15, 02:51) Metasploit

Hint: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions. For extra points you can up vote the answer (thumb up).

(15 Sep '15, 14:27) Kurt Knochner ♦