This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

HTTPS traffic analysis

0

I have a device on a local network that’s accessing a WEB site on the server on the same LAN. I can get a capture from both systems, however the communication is encrypted with a certificate from godaddy.com

It looks like I can decrypt the communication if I have access to the private key, but can I capture with a Windows version of Wireshark, or do I need to use Linux Wireshark with GnuTLS support?

http://wiki.wireshark.org/SSL

Thanks

asked 16 Sep '13, 19:36


net_tech
116303337
accept rate: 13%

edited 17 Sep '13, 05:59

2

I think I found it under Edit -> Preferences.

The SSL protocol preferences allow you to specify the path to the key in the following format: 127.0.0.1,443,http,c:\path\to\snakeoil2.key

(16 Sep '13, 19:52) net_tech

i.e. as specified in the SSL wiki page.

(17 Sep '13, 02:03) grahamb ♦

One Answer:

2

but can I capture with a Windows version of Wireshark

The Windows version contains everything you need to decrypt SSL traffic if you have access to the private key of the server and the server and client do not negotiate a cipher that uses Diffie-Hellman key exchange (DH or DHE in the cipher name). If that happens, you'll need a client that exposes the session key. Firefox is able to do that via an SSL key log (https://developer.mozilla.org/en-US/docs/NSS_Key_Log_Format ). Maybe your mentioned 'device' is able to do the same.

See the various tutorials for SSL decryption.

https://www.google.com/?q=wireshark%20ssl%20decryption%20tutorial

Regards
Kurt

answered 17 Sep '13, 03:08


Kurt Knochner ♦
24.8k1039237
accept rate: 15%
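The answer above turns on one question: which key exchange did the server and client negotiate? The following Python script is an added example, not code from the answer or from the Wireshark project. It parses the cipher suite out of a TLS ServerHello record, classifies it as RSA key exchange (the server's private key decrypts the session) or ephemeral Diffie-Hellman (only a session-key log helps), and parses NSS-format key log lines so a captured client random can be matched to its master secret. The cipher-suite table is a small subset of the IANA registry, the ServerHello bytes and the key log text are constructed here for the demonstration, and the TLS 1.3 suite is included as a generalization beyond the 2013 thread (TLS 1.3 always uses ephemeral keys).

```python
"""Classify a TLS session's decryption route from its ServerHello and
look up a master secret in an NSS key log. Added example; sample bytes
and key log lines are constructed, not taken from a real capture."""
import struct

# Subset of IANA cipher-suite ids (constructed table for this example).
# The key-exchange part of the name decides the decryption route:
#   TLS_RSA_*        -> server private key decrypts the pre-master secret
#   *DHE*/*ECDHE*    -> ephemeral keys; only a session-key log can help
#   TLS_AES_* (1.3)  -> always ephemeral
CIPHER_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x1301: "TLS_AES_128_GCM_SHA256",
}


def parse_server_hello(record):
    """Return (server_random, cipher_suite_id) from a TLS record carrying
    a ServerHello handshake message; raise ValueError for anything else."""
    if len(record) < 5 or record[0] != 0x16:      # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:          # handshake type 2 = ServerHello
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    # layout: version(2) random(32) session_id_len(1) session_id cipher(2) comp(1)
    if len(hs) < 35:
        raise ValueError("truncated ServerHello")
    server_random = hs[2:34]
    pos = 35 + hs[34]                             # skip the variable session id
    if len(hs) < pos + 3:
        raise ValueError("truncated ServerHello")
    cipher = struct.unpack("!H", hs[pos:pos + 2])[0]
    return server_random, cipher


def decryption_route(cipher):
    """Describe which Wireshark decryption method a cipher suite permits."""
    name = CIPHER_SUITES.get(cipher)
    if name is None:
        return "unknown cipher suite 0x%04x" % cipher
    if name.startswith(("TLS_AES", "TLS_CHACHA20")) or "DHE" in name:
        return "ephemeral key exchange (%s): needs a session-key log" % name
    return "RSA key exchange (%s): server private key suffices" % name


def parse_key_log(text):
    """Index NSS key log lines as {client_random_hex: master_secret_hex}.
    Only CLIENT_RANDOM lines are kept; comments and other labels are skipped."""
    secrets = {}
    for line in text.splitlines():
        parts = line.strip().split()
        if len(parts) == 3 and parts[0] == "CLIENT_RANDOM":
            secrets[parts[1].lower()] = parts[2].lower()
    return secrets


def build_server_hello(cipher, server_random=b"\x11" * 32):
    """Construct a minimal TLS 1.2 ServerHello record (sample input only)."""
    hs = b"\x03\x03" + server_random + b"\x00" + struct.pack("!H", cipher) + b"\x00"
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return b"\x16\x03\x03" + struct.pack("!H", len(body)) + body


# Constructed key log: one CLIENT_RANDOM (32 bytes) -> master secret (48 bytes).
SAMPLE_KEYLOG = "# constructed sample, not from a real browser\n" \
                "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48 + "\n"

if __name__ == "__main__":
    for suite in (0x002F, 0xC02F, 0x1301):
        _, cid = parse_server_hello(build_server_hello(suite))
        print("0x%04x -> %s" % (cid, decryption_route(cid)))
    print("key log entries:", len(parse_key_log(SAMPLE_KEYLOG)))
```

Running the script against a real capture would mean feeding it the raw bytes of the ServerHello record from the server's first response; the classification it prints tells you in advance whether a PKCS#12 export of the server key will work or whether the client has to be made to write a key log.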

I was able to export a private key from my IIS server as a Personal Information Exchange PKCS #12 (.pfx) file with a password and supply it to Wireshark under Tools -> Preferences -> Protocols -> SSL in this format: 127.0.0.1,443,http,c:\path\to\snakeoil2.p12,password

(17 Sep '13, 05:56) net_tech

good. Any further questions?

(17 Sep '13, 06:33) Kurt Knochner ♦

Yes, what can you do about traffic encrypted with self-signed certs, since you can't export a private key for them?

(17 Sep '13, 07:17) net_tech
1

Yes, what can you do about traffic encrypted with self-signed certs, since you can't export a private key for them?

Why can't you export the private key? That's only the case if you chose "make private key not exportable" while you imported the PKCS#12 file into the windows store. Anyway, if you imported it, you should have it somewhere else, so just use that PKCS#12 file.

(17 Sep '13, 07:31) Kurt Knochner ♦

That's the problem. I didn't import the certificate; it was created and self-signed by the installation of Microsoft Exchange, and when you go to export it, the private key is not an option.

(17 Sep '13, 07:40) net_tech
1

Well, then you're out of luck. The only option then is to instruct the client to print the SSL session keys (see the link in my answer). If the client is Outlook, then you're out of luck twice, because I don't believe there is a way to do that with Outlook.

(17 Sep '13, 08:22) Kurt Knochner ♦

No, I am out of luck only once, because I can use any browser to access Outlook Web Access, which would use the same cert to encrypt the traffic, and use Firefox to save the keys.

(17 Sep '13, 09:39) net_tech

Well, then you are lucky again ;-)

(17 Sep '13, 11:04) Kurt Knochner ♦