mqtt ssl decrypt

asked 2018-12-21 10:32:18 +0000

c4esp
1 ●1 ●1 ●2

updated 2018-12-21 10:33:13 +0000

Hello guys,

I am trying to decrypt all the MQTT traffic between my AWS broker and my device with Wireshark.

I was following this guide:

https://wiki.wireshark.org/SSL

I configured RSA keys list as:

"192.168.123.123","8883","mqtt","C:/Users/SPA20000001.key","" "18.202.37.237","59424","mqtt","C:/Users/SPA20000001.key","" "192.168.123.123","59689","mqtt","C:/Users/SPA20000001.key","" "18.202.37.237","59424","mqtt","C:/Users/SPA20000001.key",""

192.168.123.123 is the IP of my device and 18.202.37.237 is the IP of AWS broker. Protocol is mqtt and add private key file of my device in PEM formated, that is:

-----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEAxfdaN7BkkLjqQqBqbLQGVcw0FciYNWTV/ZRIh1Q/syM8RHn8

...

AqS6228/pd7Mq+yKICYZ2+T5IwcCtRmT4GpTAjbglk9xuQ0XVOf0IjsmHQ57VI+Q CGd0G/TCxcvfDRV/iWvmOUn6R/sNxYG2KQ1PJioYYxpO7lvg8Ew4rg==

-----END RSA PRIVATE KEY-----

Then I save a pcapng and I can see the handshaking with ciphersuite and Client Hello and HelloDone and all SSL traffic encrypted, I save settings above and traffic still encrypted.

Do you know if I am doing something wrong? Wireshark allows to decrypt mqtt traffic?

Thanks in advance.

edit retag flag offensive close merge delete

Comments

Is the TLS encryption using an RSA scheme? What is the cipher suite selected by the server?

grahamb ( 2018-12-21 10:56:22 +0000 )edit

Hello grahamb,

In that case device gives to the server all these cipher suites during Client Hello

Cipher Suites:

Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc14)
Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc13)
Cipher Suite: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc15)

And server decides to take this cipher suite during Server Hello

Cipher Suite:

TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)

So, trying to answer your question...is yes...

Thanks in advance.

c4esp ( 2018-12-21 16:19:22 +0000 )edit

We'll need your Wireshark TLS debug log, set in the TLS dissector preferences.

grahamb ( 2018-12-21 16:47:01 +0000 )edit

Hello,

Here it is. https://ufile.io/uge1p

In any case. I am using private key from client side and using method 1 on this link.

http://www.joji.me/en-us/blog/walkthrough-decrypt-ssl-tls-traffic-https-and-http2-in-wireshark

I need private key from server side to decrypt traffic?

Thanks in advace.

c4esp ( 2019-01-04 11:52:52 +0000 )edit

I don't know which MQTT broker you're using, but in case it's mosquitto, you might want to follow Mosquitto Issue 632: Feature Request: Log TLS Session Keys.

cmaynard ( 2019-01-18 17:31:09 +0000 )edit

add a comment

mqtt ssl decrypt

Comments

1 Answer

Your Answer

Question Tools

Stats

Related questions

mqtt ssl decrypt edit

Comments

1 Answer

Your Answer

Question Tools

Stats

Related questions

mqtt ssl decrypt