I am looking for a way to decrypt non-browser based traffic (i.e. e-mail, Citrix ICA, SFTP) on my local machine utilizing pre-master secrets. I know this is possible when utilizing the SSLKEYLOGFILE as described here, http://www.root9.net/2012/11/ssl-decryption-with-wireshark-private.html.
The above link only appears to work for browser based traffic. My question is, how can I do the same level of decryption using Wireshark and pre-master secrets for non-browser based traffic?
Thank you for the help!
asked 12 Jan '14, 09:33
How are you going to get the session keys? The applications you mentioned (most certainly) won't export the session keys, as some browsers do!?!
answered 12 Jan '14, 10:36
Kurt Knochner ♦
First you will have to find out which of these communication methods use ssl/tls for encryption at all. sftp definitely doesn't, I don't know about the others. Then you will need to find out which library is being used to implement ssl/tls. If that library is loaded dynamically, create your own copy of that library and add code to export the (pre-) master secret. Build the modified lib and replace the existing one with your own build.
answered 12 Jan '14, 14:37
SFTP does not use SSL/TLS but SSH, which cannot be decrypted with the same methods as SSL.
The link you gave is dead, but it was likely describing a method where you run an NSS browser (Firefox) with
For applications not using NSS, but OpenSSL, you can use a debugger or interpose the SSL library as documented here. Whether it is HTTP, SMTP, IMAP or FTP, these all use SSL for transport encryption, so the same methods apply.
answered 16 Feb '15, 00:11
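As an added example (not from any of the answers above), this shows what a key log written by a patched or interposed library has to contain for Wireshark to use it, and what Wireshark then does with it: a parser that validates lines in the NSS key log format (the SSLKEYLOGFILE format), followed by the TLS 1.2 key expansion that turns the logged master secret plus the two randoms from the captured Hello messages into the record key block. The sample log and every hex value in it are constructed, and the PRF is the P_SHA256 one used by SHA-256 based cipher suites; cipher suites with another PRF hash are not covered.

```python
import hashlib, hmac, re

HEX = re.compile(r"[0-9a-fA-F]+")

# Accepted labels -> (lookup-value hex length, allowed secret hex lengths).
# RSA: 8-byte prefix of the encrypted pre-master + 48-byte pre-master secret;
# CLIENT_RANDOM: 32-byte client random + 48-byte master secret (TLS <= 1.2).
LABEL_RULES = {"RSA": (16, {96}), "CLIENT_RANDOM": (64, {96})}

def parse_keylog(text):
    """Return (entries, errors); entries maps (label, lookup_hex) -> secret bytes."""
    entries, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        rule = LABEL_RULES.get(parts[0]) if len(parts) == 3 else None
        if rule is None:
            errors.append((lineno, "unknown label or wrong field count"))
            continue
        label, key_hex, secret_hex = parts
        if not (HEX.fullmatch(key_hex) and len(key_hex) == rule[0]):
            errors.append((lineno, f"{label}: bad lookup value"))
        elif not (HEX.fullmatch(secret_hex) and len(secret_hex) in rule[1]):
            errors.append((lineno, f"{label}: bad secret length"))
        else:
            entries[(label, key_hex.lower())] = bytes.fromhex(secret_hex)
    return entries, errors

def tls12_prf(secret, label, seed, length):
    """TLS 1.2 PRF with P_SHA256 (RFC 5246 section 5)."""
    seed = label + seed
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def derive_key_block(master_secret, client_random, server_random, length):
    """Key expansion (RFC 5246 section 6.3): the step Wireshark runs once it has
    the master secret from the key log and both randoms from the captured Hellos."""
    return tls12_prf(master_secret, b"key expansion", server_random + client_random, length)

# Constructed sample key log: made-up values, not real session secrets.
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by an example client",
    f"CLIENT_RANDOM {'ab' * 32} {'cd' * 48}", f"RSA {'01' * 8} {'ef' * 48}",
    f"CLIENT_RANDOM {'ab' * 32} {'cd' * 40}"])  # too-short secret: rejected
```

A line that the parser rejects is one Wireshark will silently skip too, which is the usual reason a hand-rolled exporter "does not decrypt anything".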