
decrypt saved capture with private key

asked 2019-07-16 15:44:58 +0000 by notquitestr8t

updated 2019-07-16 15:51:14 +0000 by grahamb

I am using Wireshark 64-bit, version 3.0.2. I am trying to decrypt an HTTPS capture file that is using port 8443 for HTTPS. I have the private key. I can't seem to get a straight answer on how this works despite multiple posts. First, there is no SSL, so I have selected TLS in the Protocols section of Preferences. Just below that is RSA Keys. I assume that is where I put the location of the key file (with a .key extension). I also put in the following information in the TLS Decrypt under Protocols:

IP address: source IP listed in the capture
Port: 8443
Protocol: http
Key File: same private key located on desktop that I listed under RSA Keys.

Clicked on OK, OK, but nothing happens. What did I miss?


1 Answer


answered 2019-07-16 16:03:46 +0000 by grahamb

Firstly, the SSL dissector has been renamed to TLS, so everything else, e.g. preferences, has been adjusted accordingly.

Secondly, the configuration is slightly simpler now if using a private RSA server key: only the RSA Keys entry is listed. The key file should be in PEM format, i.e. it should be text and contain "-----BEGIN RSA PRIVATE KEY-----", or a PKCS#12 store, i.e. a .pfx file.

Thirdly, a private RSA key can only be used to decrypt the traffic if the following are true:

  • The cipher suite selected by the server is not using (EC)DHE.
  • The protocol version is SSLv3 or (D)TLS 1.0-1.2. It does not work with TLS 1.3.
  • The private key matches the server certificate. It does not work with the client certificate, nor the Certificate Authority (CA) certificate.
  • The session has not been resumed. The handshake must include the ClientKeyExchange handshake message.

See the wiki TLS page for more info.

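As an added illustration of the conditions listed in the answer above (this is not part of the original question or answer, and it is not Wireshark's code), the Python script below applies the first, second and fourth conditions to the plaintext part of a TLS handshake. It reads the raw TLS records of one connection in capture order, stops at the first ChangeCipherSpec (everything after it is encrypted), reads the negotiated version and cipher suite from the ServerHello, and reports why an RSA private key would or would not be able to decrypt the session. The third condition (the key matches the server certificate) needs the certificate's public modulus compared against the key and is not implemented here. The sample handshakes at the bottom are constructed byte strings, not real captures, and the cipher-suite table is a small hand-picked subset of the IANA registry.

```python
import struct

# Handshake message types (RFC 5246 section 7.4) and record content types.
SERVER_HELLO, SERVER_KEY_EXCHANGE, CLIENT_KEY_EXCHANGE = 2, 12, 16
RECORD_CHANGE_CIPHER_SPEC, RECORD_HANDSHAKE = 20, 22
EXT_SUPPORTED_VERSIONS = 0x002B  # RFC 8446: a TLS 1.3 ServerHello signals 1.3 here
RSA_DECRYPTABLE_VERSIONS = (0x0300, 0x0301, 0x0302, 0x0303)  # SSLv3, TLS 1.0-1.2

# Hand-picked subset of the IANA cipher suite registry; enough for the cases on this page.
CIPHER_SUITES = {
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x1301: "TLS_AES_128_GCM_SHA256",
}

def iter_records(stream):
    """Yield (content_type, record_version, payload) for each TLS record in the byte stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, ver, length = struct.unpack(">BHH", stream[off:off + 5])
        yield ctype, ver, stream[off + 5:off + 5 + length]
        off += 5 + length

def handshake_messages(stream):
    """Map handshake type -> body for plaintext messages before the first ChangeCipherSpec.
    `stream` is both directions of one connection in capture order; records after
    ChangeCipherSpec (the Finished messages) are encrypted and deliberately not parsed."""
    buf = b""  # concatenate first: one handshake message may span several records
    for ctype, _ver, payload in iter_records(stream):
        if ctype == RECORD_CHANGE_CIPHER_SPEC:
            break
        if ctype == RECORD_HANDSHAKE:
            buf += payload
    msgs, off = {}, 0
    while off + 4 <= len(buf):
        mtype, mlen = buf[off], int.from_bytes(buf[off + 1:off + 4], "big")
        msgs[mtype] = buf[off + 4:off + 4 + mlen]
        off += 4 + mlen
    return msgs

def parse_server_hello(body):
    """Return (negotiated_version, cipher_suite) from a ServerHello body."""
    version = struct.unpack(">H", body[:2])[0]   # legacy_version: 0x0303 even for TLS 1.3
    off = 2 + 32                                  # skip server random
    off += 1 + body[off]                          # skip session_id
    suite = struct.unpack(">H", body[off:off + 2])[0]
    off += 3                                      # cipher suite + compression method
    if off + 2 <= len(body):                      # extensions block present
        end = off + 2 + struct.unpack(">H", body[off:off + 2])[0]
        off += 2
        while off + 4 <= end:
            etype, elen = struct.unpack(">HH", body[off:off + 4])
            if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
                version = struct.unpack(">H", body[off + 4:off + 6])[0]
            off += 4 + elen
    return version, suite

def rsa_key_can_decrypt(stream):
    """Return (ok, reasons): ok is True only when a server RSA key could decrypt the session."""
    msgs = handshake_messages(stream)
    if SERVER_HELLO not in msgs:
        return False, ["no ServerHello: the handshake is not in the capture"]
    version, suite = parse_server_hello(msgs[SERVER_HELLO])
    name = CIPHER_SUITES.get(suite, "unknown suite 0x%04X" % suite)
    reasons = []
    if version not in RSA_DECRYPTABLE_VERSIONS:
        reasons.append("version 0x%04X negotiated; needs SSLv3 or TLS 1.0-1.2" % version)
    # ServerKeyExchange carries ephemeral (EC)DH parameters, so the premaster secret is
    # derived from them and never encrypted to the RSA key in the certificate.
    if "DHE" in name or SERVER_KEY_EXCHANGE in msgs:
        reasons.append("%s uses (EC)DHE key exchange" % name)
    if CLIENT_KEY_EXCHANGE not in msgs:
        reasons.append("no ClientKeyExchange: session resumed or full handshake not captured")
    return not reasons, reasons

# Constructed sample handshakes (not real captures); only the fields read above are realistic.
def _hs(mtype, body):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

def _rec(ctype, payload):
    return struct.pack(">BHH", ctype, 0x0303, len(payload)) + payload

def _server_hello(suite, real_version=None):
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00" + struct.pack(">H", suite) + b"\x00"
    exts = b"" if real_version is None else struct.pack(">HHH", EXT_SUPPORTED_VERSIONS, 2, real_version)
    return body + struct.pack(">H", len(exts)) + exts

CCS_THEN_FINISHED = _rec(RECORD_CHANGE_CIPHER_SPEC, b"\x01") + _rec(RECORD_HANDSHAKE, b"\xde\xad" * 24)
STATIC_RSA_TLS12 = (_rec(RECORD_HANDSHAKE, _hs(SERVER_HELLO, _server_hello(0x009C)))
                    + _rec(RECORD_HANDSHAKE, _hs(CLIENT_KEY_EXCHANGE, b"\x01\x00" + b"\xaa" * 256))
                    + CCS_THEN_FINISHED)
ECDHE_RSA_TLS12 = (_rec(RECORD_HANDSHAKE, _hs(SERVER_HELLO, _server_hello(0xC02F)))
                   + _rec(RECORD_HANDSHAKE, _hs(SERVER_KEY_EXCHANGE, b"\x03\x00\x17\x41" + b"\x04" * 65))
                   + _rec(RECORD_HANDSHAKE, _hs(CLIENT_KEY_EXCHANGE, b"\x41" + b"\x04" * 65))
                   + CCS_THEN_FINISHED)
TLS13 = _rec(RECORD_HANDSHAKE, _hs(SERVER_HELLO, _server_hello(0x1301, 0x0304))) + CCS_THEN_FINISHED
RESUMED_TLS12 = _rec(RECORD_HANDSHAKE, _hs(SERVER_HELLO, _server_hello(0x009C))) + CCS_THEN_FINISHED
```

Calling rsa_key_can_decrypt on the four samples gives: static RSA over TLS 1.2 is decryptable; the ECDHE-RSA handshake fails on the key exchange; the TLS 1.3 handshake fails on the version (and, since 1.3 has no ClientKeyExchange, on that too); the resumed session fails for lack of a ClientKeyExchange. The same two fields can be read in Wireshark by selecting the ServerHello and looking at its Version and Cipher Suite, or with tshark, for instance: tshark -r capture.pcapng -d tcp.port==8443,tls -Y "tls.handshake.type == 2" -T fields -e tls.handshake.version -e tls.handshake.ciphersuite. For an unknown suite the script falls back on the presence of ServerKeyExchange to detect an ephemeral exchange, which is the same signal Wireshark itself has to rely on.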

Comments

Thank you very much for the clarification. Since this capture is using TLS 1.2 and all our cipher suites are TLS_DHE_RSA or TLS_ECDHE_RSA, then I guess I am SOL. At least I know why. Thanks again for the link and the information.

notquitestr8t (2019-07-16 16:26:14 +0000)
