Ask Your Question
0

Cannot decrypt HTTP over TLS

asked 2021-06-01 16:13:47 +0000

Const gravatar image

updated 2021-06-01 17:45:40 +0000

I tried to configure Wireshark according to https://wiki.wireshark.org/TLS to decrypt HTTPS but it doesn't work.

I extracted private key from the certificate as a PEM file and added it via Edit -> Preferences -> RSA Keys. I'm using cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256. But when I open pcap file the encrypted data remains encrypted.

The traces are collected on the client side. I can see Client Hello and Server Hello, I see the selected cipher suite but after that there is only Application Data instead of decoded HTTP.

EDIT: On the provided link I noticed this statement:

"The private key matches the server certificate. It does not work with the client certificate, nor the Certificate Authority (CA) certificate."

What does it mean? The private key I'm using is extracted from the client certificate. Can it be an issue? I don't have access to the server private key.

Wireshark SSL debug log 

Wireshark version: 3.2.1 (v3.2.1-0-gbf38a67724d0)
GnuTLS version:    3.6.3
Libgcrypt version: 1.8.3


dissect_ssl enter frame #4 (first time)
packet_from_server: is from server - TRUE
  conversation = 00000214164C9A40, ssl_session = 00000214164CA590
  record: offset = 0, reported_length_remaining = 161
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 156, ssl state 0x00
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 152 bytes
Calculating hash with offset 5 156
ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #6 (first time)
packet_from_server: is from server - TRUE
  conversation = 00000214164C9A40, ssl_session = 00000214164CA590
  record: offset = 0, reported_length_remaining = 90
ssl_try_set_version found version 0x0303 -> state 0x91
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 85, ssl state 0x91
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 81 bytes
ssl_try_set_version found version 0x0303 -> state 0x91
Calculating hash with offset 5 85
ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x93
ssl_set_cipher found CIPHER 0x003D TLS_RSA_WITH_AES_256_CBC_SHA256 -> state 0x97
ssl_load_keyfile dtls/tls.keylog_file is not configured!
tls13_load_secret TLS version 0x303 is not 1.3
tls13_load_secret TLS version 0x303 is not 1.3

dissect_ssl enter frame #8 (first time)
packet_from_server: is from server - TRUE
  conversation = 00000214164C9A40, ssl_session = 00000214164CA590
  record: offset = 0, reported_length_remaining = 6
dissect_ssl3_record: content_type 20 Change Cipher Spec
decrypt_ssl3_record: app_data len 1, ssl state 0x197
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
ssl_dissect_change_cipher_spec Session resumption using Session ID
ssl_load_keyfile dtls/tls.keylog_file is not configured!
ssl_finalize_decryption state = 0x197
ssl_restore_master_key can't find master secret by Session ID
ssl_restore_master_key can't restore master secret using an empty Session Ticket
ssl_restore_master_key can't find master secret by Client Random
  Cannot find master secret
packet_from_server: is from server - TRUE
ssl_change_cipher SERVER

dissect_ssl enter frame #10 (first time)
packet_from_server: is from server - TRUE
  conversation = 00000214164C9A40, ssl_session = 00000214164CA590
  record: offset = 0, reported_length_remaining = 85
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 80, ssl state 0x197
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available ...
(more)
edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2021-06-01 18:39:46 +0000

SYN-bit gravatar image

In a RSA key exchange (indicated by your ciphersuite), the pre-master-secret (which is used to create the data-encryption keys) is encrypted with the public key from the server certificate and sent to the server in the ClientKeyExchange handshake messgae. The server can decrypt this with it's private key (so, the server private key). For Wireshark to be able to do decryption, it needs the server private key to decrypt the ClientKeyExchange handshake message.

If you don't have access to the server private key, you could decrypt based on a logged SSL/TLS session key (basically, the pre-master secret is logged).

If you Google on Wireshark and SSLKEYLOGFILE you will get a few links on how to do that. Also, it seems the following link seems to explain quite a few things:

https://www.comparitech.com/net-admin...

edit flag offensive delete link more

Comments

Thank you!

Const gravatar imageConst ( 2021-06-03 00:32:36 +0000 )edit

This looks like a tip I should refer to for later.

netskink gravatar imagenetskink ( 2021-07-25 23:52:41 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2021-06-01 16:13:47 +0000

Seen: 348 times

Last updated: Jun 01