
How to decrypt TLS 1.3 handshake when server is under control

asked 2019-04-06 00:16:56 +0000

Ralph


I want to decrypt TLS 1.3 handshake messages captured by Wireshark. The server (Apache) is under my control, but not the client. Since I have no control over the client, I can't use pre-shared keys.

Question: Which information do I need to log on the server, in order to be able to decrypt the captured handshake messages?

Thanks in advance.

Regards, Ralph


1 Answer


answered 2019-04-08 12:04:18 +0000

Ralph

On a Linux server one can use "openssl s_server" in order to obtain the keys. I used the command

# openssl s_server -port 443 -cert <path to cert.pem> -key <path to privkey.pem> -CAfile <path to chain.pem> -keylogfile <path to keylog file>

The values in <...> have to be replaced by your settings. The schedule for decrypting TLS traffic is:

  1. start the openssl s_server by the command above
  2. start capturing with Wireshark
  3. establish a TLS connection to the openssl server (e.g. send an HTTPS request)
  4. stop capturing
  5. in Wireshark: "Edit -> Preferences -> Protocols -> TLS -> (Pre)-Master-Secret log filename", select the keylog file from 1.

Then the messages are decrypted by Wireshark.
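Before loading the keylog file from step 1 into Wireshark in step 5, it is worth checking that it actually contains the secrets Wireshark needs for the connection you captured. The script below is an added example, not part of Ralph's answer: it parses the NSS key log format that `openssl s_server -keylogfile` writes and Wireshark reads, groups lines by the 32-byte client random that ties a line to a captured ClientHello, and reports per connection whether the handshake traffic secrets (needed for the encrypted handshake messages) and the application traffic secrets are present. The label names are the ones defined by the NSS key log format; the sample keylog content is constructed with placeholder hex values, not real secrets.

```python
"""Check an NSS-format key log file for the secrets TLS 1.3 decryption needs.

Added example for the procedure above; not code from the original answer.
SAMPLE_KEYLOG is constructed: every hex value is a placeholder.
"""
import re
from collections import defaultdict

# Labels of the NSS key log format. TLS 1.2 writes one CLIENT_RANDOM line
# (the 48-byte master secret); TLS 1.3 writes one line per derived secret.
TLS12_LABEL = "CLIENT_RANDOM"
TLS13_HANDSHAKE = {
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",  # decrypts EncryptedExtensions..Finished
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
}
TLS13_APPDATA = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
TLS13_OTHER = {
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "EARLY_EXPORTER_MASTER_SECRET",
    "EXPORTER_SECRET",
}
KNOWN_LABELS = {TLS12_LABEL} | TLS13_HANDSHAKE | TLS13_APPDATA | TLS13_OTHER

# One line: <label> <client random, 32 bytes hex> <secret, hex>
LINE_RE = re.compile(
    r"^(?P<label>[A-Z0-9_]+) (?P<random>[0-9a-fA-F]{64}) (?P<secret>[0-9a-fA-F]+)$"
)


def parse_keylog(text):
    """Return ({client_random: {label: secret}}, [(lineno, rejected line)])."""
    sessions = defaultdict(dict)
    rejected = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m or m["label"] not in KNOWN_LABELS:
            rejected.append((lineno, raw))
            continue
        sessions[m["random"].lower()][m["label"]] = m["secret"].lower()
    return dict(sessions), rejected


def assess_session(secrets):
    """Classify what Wireshark can decrypt for one client random."""
    labels = set(secrets)
    if TLS12_LABEL in labels:
        return "tls12-full"
    # Every TLS 1.3 secret of one connection has the cipher suite's hash
    # length: 32 bytes (SHA-256 suites) or 48 bytes (SHA-384 suites).
    lengths = {len(v) // 2 for v in secrets.values()}
    if len(lengths) != 1 or lengths.pop() not in (32, 48):
        return "malformed"
    if TLS13_HANDSHAKE <= labels and TLS13_APPDATA <= labels:
        return "tls13-full"
    if TLS13_HANDSHAKE <= labels:
        return "tls13-handshake-only"
    if TLS13_APPDATA <= labels:
        return "tls13-appdata-only"
    return "incomplete"


def report_keylog(text):
    """Map each client random in the key log to its assessment."""
    sessions, _ = parse_keylog(text)
    return {cr: assess_session(s) for cr, s in sessions.items()}


# Constructed sample: three connections plus one junk line.
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample; values are placeholders, not real secrets",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "aa" * 32 + " " + "11" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "aa" * 32 + " " + "22" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "aa" * 32 + " " + "33" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "aa" * 32 + " " + "44" * 32,
    "EXPORTER_SECRET " + "aa" * 32 + " " + "55" * 32,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "bb" * 32 + " " + "66" * 48,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "bb" * 32 + " " + "77" * 48,
    "SERVER_TRAFFIC_SECRET_0 " + "cc" * 32 + " " + "88" * 20,  # cut short
    "this is not a key log line",
])

if __name__ == "__main__":
    sessions, rejected = parse_keylog(SAMPLE_KEYLOG)
    for client_random, verdict in report_keylog(SAMPLE_KEYLOG).items():
        print(f"{client_random[:16]}... {verdict} ({sorted(sessions[client_random])})")
    for lineno, line in rejected:
        print(f"line {lineno} rejected: {line!r}")
```

Run it against the real keylog file by replacing SAMPLE_KEYLOG with the file's contents; a connection reported as "tls13-handshake-only" typically means the capture or the key log was stopped before application data flowed, and "malformed" means a line was truncated, which happens when the file is read while s_server is still writing it.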



Seen: 1,381 times

Last updated: Apr 08 '19