This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

HTTP/2 traffic decryption without SSLKEYLOGFILE

So I found a lot of information about decrypting HTTP/2 traffic in Chrome and Firefox via the sslkeylogfile, which works fine.

But what if I want to decrypt traffic in other browsers like Safari, Edge, Opera or browsers on mobile phones? Is there a way to do it? Do they have an sslkeylogfile or anything similar?

For testing purposes I set up my own (apache) webserver, that means I have the server's certificate and the private key available.

When I try to decrypt traffic with Wireshark using the private key it won't work. I found out it has to do with the Diffie-Hellman key exchange.

From my understanding there is no way to use encrypted HTTP/2 without Diffie-Hellman key exchange (please correct me if I'm wrong). At least when I disabled the Diffie-Hellman ciphers in the apache ssl.conf, the server would only communicate via HTTP/1.1 but not HTTP/2.

I'm not really experienced with SSL encryption, Diffie-Hellman and its vulnerabilities. Might a man-in-the-middle attack be an option?

Since it is a webserver that is only used for testing with no connection to the internet, security concerns are not really an issue.

I just want to use wireshark to analyse HTTP/2 traffic of as many different browsers as possible.

So any help is highly appreciated.

asked 04 Aug '16, 04:32

Megastaine


One Answer:

Recent versions of Opera are based on Chromium and are supposed to work with the SSL keylog file too. Edge and Safari probably do not work with it. Not to mention smartphones where it is even more difficult to get the keys from.

In theory a MITM proxy should be possible, but these are often specific for HTTP as application data protocol. An example of a generic, protocol-agnostic "proxy" is socat which you can start with:

socat OPENSSL-LISTEN:443,fork,certificate=some.crt,key=some.key OPENSSL:your.host:port

Combined with a utility to extract keys from OpenSSL applications, this allows you to create an SSL keylog file. There are probably other tools that can do the same, but this shows the basic idea: proxy and dump keys.

Since you control the webserver you have more flexibility since security is not a concern:

  • Change the SSLCipherSuite directive in Apache to use non-DH ciphers. For example, you can specify AES128-SHA. This way, you can actually use the RSA private key file in Wireshark.
  • Use a debugger to extract keys from OpenSSL in Apache into an SSL keylog file. (See the utility mentioned above.)

answered 05 Aug '16, 06:27

Lekensteyn
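The answer's first bullet hinges on which key exchange the server actually negotiated: Wireshark can use the RSA private key only when the ServerHello selects an RSA key exchange suite such as AES128-SHA, and any (EC)DHE or TLS 1.3 suite needs a keylog file instead. The following added example (not part of the original answer) parses a TLS ServerHello record and reports whether the negotiated suite is decryptable with the server's RSA key; the ServerHello bytes and the small suite table are constructed for the demonstration.

```python
"""Classify the key exchange of a TLS ServerHello.

Added example, not code from the original answer. The cipher suite table is a
small constructed subset; the ServerHello records are built inline, not captured.
"""
import struct

# IANA cipher suite code -> (OpenSSL name, RSA key exchange?)
SUITES = {
    0x002F: ("AES128-SHA", True),
    0x0035: ("AES256-SHA", True),
    0x009C: ("AES128-GCM-SHA256", True),
    0x009E: ("DHE-RSA-AES128-GCM-SHA256", False),
    0xC02F: ("ECDHE-RSA-AES128-GCM-SHA256", False),
    0xC030: ("ECDHE-RSA-AES256-GCM-SHA384", False),
    0xC02B: ("ECDHE-ECDSA-AES128-GCM-SHA256", False),
    0x1301: ("TLS_AES_128_GCM_SHA256", False),  # TLS 1.3: always ephemeral
}


def negotiated_suite(record: bytes) -> int:
    """Return the cipher suite code from a TLS record carrying a ServerHello."""
    ctype, _ver, rlen = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rlen]
    if body[0] != 0x02:  # handshake type 2 = ServerHello
        raise ValueError("not a ServerHello")
    # 4-byte handshake header, 2-byte version, 32-byte random, session id
    sid_len = body[4 + 2 + 32]
    off = 4 + 2 + 32 + 1 + sid_len
    return struct.unpack("!H", body[off:off + 2])[0]


def rsa_key_decryptable(record: bytes) -> tuple:
    """(suite name, True if Wireshark can decrypt it with the RSA private key)."""
    code = negotiated_suite(record)
    return SUITES.get(code, (f"unknown(0x{code:04x})", False))


def build_server_hello(suite: int) -> bytes:
    """Constructed minimal TLS 1.2 ServerHello (zero random, empty session id)."""
    hello = b"\x03\x03" + b"\x00" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs
```

Note that RFC 7540 section 9.2.2 blacklists the non-ephemeral suites for HTTP/2 over TLS 1.2, so forcing an RSA suite makes private-key decryption work but browsers will typically fall back to HTTP/1.1, which matches what the questioner observed.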