Ask Your Question

Unable to decrypt HTTPS TLSv1.2 traffic with wireshark (sha1WithRSAEncryption)

asked 2018-10-29 14:15:16 +0000

duflar gravatar image

updated 2018-10-29 15:38:23 +0000

am trying to debug a server-client app and can't get wireshark to decrypt the traffic.

  • I tried Wireshark 2.4.5 and 2.6.2
  • I started the capture before launching my client and can see "Not using Sesion resumption" in the wireshark log
  • Wireshark recognizes the cipher as 0x009D TLS_RSA_WITH_AES_256_GCM_SHA384
  • I've verified that they public key passed to mbedtls is a match to the corresponding private key given to wireshark's SSL tool
  • I get 0/(nil) in ssl_find_private_key_by_pubkey: lookup_result in wireshark
  • All the "using server decoder messages" are followed by "no decoder available"


edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2018-11-01 09:02:37 +0000

Lekensteyn gravatar image

updated 2018-11-01 09:39:08 +0000

Pascal Quantin gravatar image

You indeed seem to satisfy the required conditions to use RSA private key files:

  • TLS_RSA_WITH_AES_256_GCM_SHA384 uses a RSA key exchange (instead of a DH key exchange).
  • No session resumption is in use.
  • You have supposedly captured the full handshake (starting with the Client Hello).

Since lookup(KeyID) is followed by lookup result: (nil), it suggests that the private key was not correctly matched. Can you see lines such as:

ssl_init private key file /path/to/your/private.key successfully loaded.

Before that line, a KeyID is printed. Does that match with the lookup(KeyID) entry?

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2018-10-29 14:15:16 +0000

Seen: 1,094 times

Last updated: Nov 01 '18