Ask Your Question

Revision history [back]

Decrypt TLS traffic not working

I'm testing capturing HTTPS traffic and decrypting in Wireshark. So far I've not been able to successfully decrypt. The setup...

  • Client is behind firewall (Watchguard)
  • Firewall has HTTPS Proxy configured to inspect traffic
  • Custom cert, signed by my private CA, is loaded on firewall to re-encrypt traffic after inspection
  • Proxy rule is configured to not allow PFS, disabling ECDHE
  • tcpdump file is generated on firewall device
  • In Wireshark Preferences > RSA Keys, private key file (.PFX) is loaded (also tried loading the old way under Protocols > TLS > RSA keys list)
  • Protocols > TLS configured to save TLS debug file

Using Chrome I make a single HTTPS request to postman-echo.com and capture via tcpdump on the firewall. In Chrome > Developer Tools > Security tab the encryption is reported as TLS 1.2, RSA, and AES_128_GCM. Open the .pcap in Wireshark but no TLS data is decrypted.

Packets as viewed in Wireshark link text

Debug log file link text

I believe everything is set up correctly but I can't decipher the debug file enough to determine what's wrong. Looking for some insight.

Thanks