This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Decrypting browser HTTPS wrapped into stunnel SSL

0

I'm trying to decrypt the browser's HTTPS traffic, which passes through stunnel. Essentially, I've got HTTPS wrapped inside stunnel's SSL. I realized that Wireshark is unable to decrypt SSL within SSL.

I provided Wireshark with stunnel's key as well as the SSLKEYLOGFILE for the HTTPS traffic. I can see that Wireshark successfully decrypts the outer layer, stunnel's SSL, but it fails to inspect the inner HTTPS.

I know that the SSLKEYLOGFILE contains the pre-master secrets necessary to decrypt the inner HTTPS, because when I tell Wireshark to listen to the traffic after it passes stunnel, the browser's HTTPS gets decrypted successfully.

Is there a way to tell Wireshark to perform two-pass decryption? If it were possible to save the decrypted Wireshark capture, I would save it after the stunnel SSL got decrypted, then feed it back to Wireshark and it would decrypt the browser's HTTPS. Unfortunately, saving the decrypted capture is not supported yet.

P.S. Neither the browser nor stunnel uses DH ciphers or TLS session tickets, and there are no out-of-order frames.

EDIT1:
Here is a sample capture:
http://cloudshark.org/captures/67dea7c0e684
stunnel key:
http://pastebin.com/ivRTTNJp
SSLKEYLOGFILE to decrypt the HTTPS:
http://pastebin.com/fah4Zebx

Note: I use "Decode As SSL" for source and destination port 33310.
Sometimes, when both the "RSA key list" and the "Master Secret log filename" are given, Wireshark fails to decrypt stunnel's SSL. So I removed the MS log filename and decryption worked.
I successfully exported PDUs from this capture and opened them in a new Wireshark instance, but was confronted with a failure in decrypting the HTTPS.

asked 07 Aug '13, 02:37

dansmith

edited 08 Aug '13, 10:15


One Answer:

1

Please see the answer of @JeffMorriss to the following question:

http://ask.wireshark.org/questions/23614/save-a-capture-after-decryption

With the "export PDUs" function, you should be able to save the decrypted stunnel packets and then load that file into Wireshark again, to decrypt the HTTPS packets.

Link to current development releases

http://www.wireshark.org/download/automated/

Regards
Kurt

answered 08 Aug '13, 02:41

Kurt Knochner ♦

edited 08 Aug '13, 08:14

I compiled the latest build. I open my pcap, select File -> Export PDUs to File, Filter: ip & OSI Layer 7, followed by OK. Then it opens a new Wireshark window called *(Untitled) not showing a single packet. Have you been successful in using the Export PDUs feature?

(08 Aug '13, 08:12) dansmith

Have you been successful in using the Export PDUs feature?

I did not try yet. I just wanted to give you a hint about a possible solution. I will try it myself now ;-)

Is it possible for you to post the capture files and the keys (only for a test environment)?

(08 Aug '13, 08:13) Kurt Knochner ♦

I provided the sample capture in my OP

(08 Aug '13, 10:16) dansmith

O.K. the "export PDU" feature finally does something, although I'm not quite sure what to do with the exported data in your case.

Exported PDU file: https://www.cloudshark.org/captures/4342db79406c

After decryption of the stunnel connection (choose 'data' as Protocol in the RSA Key list), I was able to export the PDUs with this filter during export: 'tcp.stream eq 0' and 'OSI Layer 7'.

However the exported PDUs are in a very special form and Wireshark does not detect the decrypted data (exported PDUs) as HTTP, although you can see the CONNECT command in the packet bytes (see frame #1 in the file above).

So, currently I don't see a way to decrypt the SSL/TLS connection within that exported PDU capture file, until Wireshark dissects that as HTTP.

But hey, this feature is still under development, so maybe it will work in a later snapshot ;-)

Regards
Kurt

(08 Aug '13, 15:07) Kurt Knochner ♦

O.K. you could do this.

  • remove the first 60 bytes of every frame with editcap. This will leave only the HTTP protocol in the new capture file.

editcap -C 60 exported_pdu.pcapng exported_pdu_trunc.pcap

  • Then use tshark to print the payload bytes in HEX

tshark -nr exported_pdu_trunc.pcap -T fields -e data

Format that output into something that text2pcap understands and add a new IP/TCP header via text2pcap (-T). Then open the newly created capture file and try to decrypt the data.

Just an idea .... ;-)

(08 Aug '13, 15:28) Kurt Knochner ♦
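As an added example (not code from this thread, from Wireshark or from stunnel), the Python script below does the part Kurt leaves to hand formatting and text2pcap -T: it takes the decrypted stunnel payloads that tshark prints, puts a fresh Ethernet/IPv4/TCP header in front of every chunk with consistent sequence and acknowledgement numbers, and writes a plain pcap. Wireshark can then reassemble that stream like a normal capture, be told to decode port 33310 as SSL, and use the browser's SSLKEYLOGFILE for the second decryption pass. It assumes you dumped five tab-separated columns with tshark -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e data from the original capture (with the stunnel key loaded as protocol 'data', as above, the data field is the decrypted payload), filtered to a single TCP stream. The sample rows, IP addresses, port numbers and timestamps in the script are constructed for the example, not taken from the poster's capture.

```python
import struct

# Constructed sample of tshark output; it is NOT the poster's capture.
# Assumed columns (tab separated): ip.src tcp.srcport ip.dst tcp.dstport data
# Older tshark prints the bytes colon separated, newer ones without
# separators, and several TLS records in one frame come comma separated;
# parse_tshark_rows() accepts all three.
CLIENT, PROXY = "10.0.0.5", "10.0.0.9"
SAMPLE_TSHARK_OUTPUT = "\n".join([
    "\t".join([CLIENT, "49152", PROXY, "33310",
               b"CONNECT site.example:443 HTTP/1.1\r\n\r\n".hex()]),
    "\t".join([PROXY, "33310", CLIENT, "49152",
               b"HTTP/1.1 200 Connection established\r\n\r\n".hex()]),
    # start of a TLS record (constructed fragment, colon style)
    "\t".join([CLIENT, "49152", PROXY, "33310",
               "16:03:01:00:05:01:00:00:01:03"]),
])
SYN, ACK, PSH = 0x02, 0x10, 0x08


def parse_tshark_rows(text):
    """tshark -T fields lines -> list of (src, sport, dst, dport, payload)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, sport, dst, dport, hexdata = line.split("\t")
        payload = bytes.fromhex(hexdata.replace(":", "").replace(",", ""))
        rows.append((src, int(sport), dst, int(dport), payload))
    return rows


def checksum(data):
    """RFC 1071 one's complement checksum (odd length is zero padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip4(addr):
    return bytes(int(o) for o in addr.split("."))


def build_frame(src, sport, dst, dport, seq, ack, flags, payload=b""):
    """Ethernet + IPv4 + TCP (no options) around one payload chunk."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      5 << 4, flags, 65535, 0, 0) + payload
    pseudo = ip4(src) + ip4(dst) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0,
                     64, 6, 0, ip4(src), ip4(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    # dummy locally administered MACs; the dissectors never look at them
    eth = bytes.fromhex("0200000000020200000000010800")
    return eth + ip + tcp


def build_pcap(rows, isn_a=1000, isn_b=5000):
    """Synthetic 3-way handshake, then one PSH/ACK frame per payload chunk.

    seq/ack are tracked per direction so Wireshark's TCP reassembly sees a
    normal stream and hands it to the SSL dissector on the inner port.
    """
    a, b = rows[0][:2], rows[0][2:4]        # first speaker and its peer
    seq = {a: isn_a, b: isn_b}
    frames = [build_frame(*a, *b, seq[a], 0, SYN),
              build_frame(*b, *a, seq[b], seq[a] + 1, SYN | ACK)]
    seq[a] += 1
    seq[b] += 1
    frames.append(build_frame(*a, *b, seq[a], seq[b], ACK))
    for src, sport, dst, dport, payload in rows:
        me, peer = (src, sport), (dst, dport)
        if me not in seq or peer not in seq:
            raise ValueError("input must hold a single TCP stream")
        frames.append(build_frame(src, sport, dst, dport,
                                  seq[me], seq[peer], PSH | ACK, payload))
        seq[me] += len(payload)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # Ethernet
    for i, frame in enumerate(frames):       # arbitrary timestamps, 1 s apart
        out += struct.pack("<IIII", 1375920000 + i, 0, len(frame), len(frame))
        out += frame
    return out


def frames_from_pcap(pcap):
    """Raw frames back out of a pcap written by build_pcap (for checking)."""
    off, frames = 24, []
    while off < len(pcap):
        incl = struct.unpack_from("<IIII", pcap, off)[2]
        frames.append(pcap[off + 16:off + 16 + incl])
        off += 16 + incl
    return frames


def tcp_summary(pcap):
    """(src port, seq, payload) per frame, as Wireshark's TCP pane shows it."""
    out = []
    for f in frames_from_pcap(pcap):
        sport, _dport, seq = struct.unpack_from("!HHI", f, 34)
        out.append((sport, seq, f[54:]))
    return out


if __name__ == "__main__":
    pcap = build_pcap(parse_tshark_rows(SAMPLE_TSHARK_OUTPUT))
    with open("inner_stream.pcap", "wb") as fh:
        fh.write(pcap)
    # next: open inner_stream.pcap, Decode As SSL on TCP port 33310 and set
    # the (Pre)-Master-Secret log filename to the browser's SSLKEYLOGFILE
```

Writing the pcap directly instead of going through text2pcap avoids getting the hex dump layout right by hand, and the synthetic handshake gives Wireshark a clean stream start so TCP reassembly and the SSL dissector behave as on a live capture. IP and TCP checksums are filled in so the file also passes checksum validation if that is switched on. Only one TCP stream is handled, so filter the tshark output to a single stream (tcp.stream eq 0, as Kurt does) before feeding it in.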

The payload can be exported as HTTP (see http://cloudshark.org/captures/ed9681934778 ). You just need to choose 'http' instead of 'data' in the RSA keylist dialog box.

(09 Aug '13, 02:46) Pascal Quantin