Ask Your Question

TLS decryption with Tshark and RSA keys

asked 2019-10-17 15:38:05 +0000

acid2000 gravatar image

I currently use tshark to decrypt an RSA stream using the ssl.keys_list options. In the latest version of tshark this has been changed to tls.keys_list and marked as obsolete - this means I can't use this option.

The solution is to use a ssl debug file in NSS format. The problem is that this format doesn't seem to support RSA key files.

I can still load my RSA key into the latest version of Wireshark and get the same effect. How can I continue to use an RSA keyfile to decrypt my traffic?

edit retag flag offensive close merge delete

2 Answers

Sort by ยป oldest newest most voted

answered 2019-10-18 22:49:33 +0000

Lekensteyn gravatar image

The TLS key log file (not to be confused with debug log file) can indeed not be used with RSA key files, it can only accept session secrets (master secret, traffic secrets, etc.).

There are two other deprecations:

  • The ssl filter and protocol names have been replaced by tls. Thus ssl.keys_list becomes tls.keys_list. The fact that any ssl.<anything> preference results in suggesting tls.<anything> is probably a bug, the code should check for its existence before recommending it.
  • The ssl.keys_list (or tls.keys_list) preference has been deprecated in favor of a the "ssl_keys" UAT. However, this option has again be deprecated because it contained redundant fields that had nothing to do with decryption secrets.
  • The new "rsa_keys" UAT finally replaces the above preference and UAT. It has only two fields: the key file, and a password (if needed). For hardware tokens, the first field would be the PKCS#11 URI and the PIN respectively.

The dialog for this "RSA Keys" UAT is described here:

The corresponding tshark invocation for a key file without password would be:

tshark -r your.pcap '-ouat:rsa_keys:"/path/to/key.file",""'

Mind the single quotes, these are necessary for the shell on to avoid interpreting the double quotes.

edit flag offensive delete link more

answered 2019-10-18 09:40:15 +0000

acid2000 gravatar image

The answer is that the tshark message about the option being obsolete is incorrect. What tshark is trying to say is that you haven't compiled it with GNUTLS.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools


Asked: 2019-10-17 15:38:05 +0000

Seen: 76 times

Last updated: Oct 18