This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I have a valid sslv3 client authentication cert. that I use to access a company's web-site. The transaction works fine in a standard web browser. I would like to decrypt the ssl session (the server to client application data specifically). Maybe it is simply my ignorance, but shouldn't this be possible? I believe the client to server app data is encrypted with their public cert, so I am not sure if this is accessible intra-wireshark, but I would minimally like to get the responses decrypted.

This transaction is completely captured in wireshark (no reused/resumed ssl sessions). It is not a DH exchange.

(1) I have tried using the .pfx file format which is how the cert was delivered to me.
(2) I have tried converting to PEM and just including the unencrypted client private rsa key using openssl.
(3) I have tried converting to PEM and including the unencrypted rsa priv. client key + the client and server certs.
(4) I have tried converting to PEM and including the unencrypted rsa priv. client key + the client cert.

openssl version >1.0, and w.s. version 1.6.2 w/GnuTLS. Debug log for all includes a "ssl init private key file X successfully loaded". In case (1), the cert imports are interesting: "NameOnCert (Error), KeyID (number)". But in all cases: "can't decrypt pre-master secret", and no decoders available for both client and server packets.

I think I am hitting something fundamental -- any insight would be greatly appreciated. Thanks Chris

asked 16 Jan '12, 10:06


_chris_


Chris, I hope you have gotten your answer by now, but for others who search this topic:

Yes, it is something very fundamental!

  1. The SSL or TLS encryption is set up based ONLY on the public and private keys of the Server Certificate. (For both directions of information transfer.) The Client Certificate (which you indicate that you have) is used only for authentication and will be of no use whatsoever in decrypting captured HTTP session data from Wireshark. Now if you had the private key of the Server Certificate, it would be a very different matter.

  2. One way to capture the traffic for analysis without using a browser (and without using a Wireshark capture) is to use Fiddler 2 or Charles as a local man-in-the-middle HTTPS proxy. To do this you need to be able to change the proxy setup of your browser.

Inetdog


answered 20 Mar '12, 18:41


inetdog

edited 20 Mar '12, 18:43
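Point 1 of the answer above, as an added example that is not part of the original post: in an RSA key exchange the client encrypts the pre-master secret to the server certificate's public key, so only the server's private key removes the PKCS#1 padding, and the client certificate's key produces the "can't decrypt pre-master secret" outcome. The keys are constructed from known Mersenne primes so the demo needs no libraries; they are assumptions for illustration, not secure, and all function names are hypothetical.

```python
# Constructed illustration of the RSA key exchange in SSLv3/TLS RSA cipher suites.
# Demo keys only: built from Mersenne primes, NOT secure, not from any real capture.
import os

E = 65537  # public exponent used for both demo keys

def make_key(p, q):
    """Return (n, d) for an RSA key built from two primes."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def pkcs1_encrypt(msg, n):
    """PKCS#1 v1.5 type-2 encryption, the form used in ClientKeyExchange."""
    k = (n.bit_length() + 7) // 8
    pad = bytes(b % 255 + 1 for b in os.urandom(k - 3 - len(msg)))  # non-zero bytes
    em = b"\x00\x02" + pad + b"\x00" + msg
    return pow(int.from_bytes(em, "big"), E, n)

def pkcs1_decrypt(c, n, d):
    """Return the plaintext, or None when the padding is invalid (wrong key)."""
    k = (n.bit_length() + 7) // 8
    em = pow(c, d, n).to_bytes(k, "big")
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x02" or sep < 10:
        return None
    return em[sep + 1:]

def recover_premaster(c, n, d):
    """What a passive decryptor attempts with a configured private key."""
    pms = pkcs1_decrypt(c, n, d)
    if pms is None or len(pms) != 48:
        return None  # corresponds to "can't decrypt pre-master secret"
    return pms

def demo():
    server_n, server_d = make_key(2**521 - 1, 2**607 - 1)    # server certificate key
    client_n, client_d = make_key(2**1279 - 1, 2**2203 - 1)  # client certificate key
    pms = b"\x03\x00" + os.urandom(46)  # SSLv3 version bytes + 46 random bytes
    cke = pkcs1_encrypt(pms, server_n)  # client encrypts to the SERVER public key
    return (pms,
            recover_premaster(cke, server_n, server_d),
            recover_premaster(cke, client_n, client_d))

if __name__ == "__main__":
    pms, with_server_key, with_client_key = demo()
    print("server key recovers PMS:", with_server_key == pms)
    print("client key recovers PMS:", with_client_key is not None)
```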


question asked: 16 Jan '12, 10:06

question was seen: 4,620 times

last updated: 20 Mar '12, 18:43
