Hello I'm debugging my SSL application and would be great if I could capture SSL stream using Wireshark and then follow it decrypted. It is not possible to obtain server's private key in my case

But as a client application I can read the whole stream fine and can dump all needed information for decryption, like Session-ID and Master-key, ex:

> openssl s_client -connect mail.google.com:443 -ssl3

Loading 'screen' into random state - done
depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
verify error:num=20:unable to get local issuer certificate
verify return:0
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
   i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
 1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
No client certificate CA names sent
SSL handshake has read 1797 bytes and written 296 bytes
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
    Protocol  : SSLv3
    Cipher    : RC4-SHA
    Session-ID: B5AEB800F43F96A9BAD007A5D26423E43479B904166FA72A4789DEA15A830E26
    Master-Key: 454AD3030F0AE8234508DF959EF533675E225BBB388EE5F80A20A007BAB63E1ABB972F39401796FB02F27AF95AB083A4
    Key-Arg   : None
    Start Time: 1306318364
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)

Is it possible somehow to follow decrypted stream in Wireshark without server's private key but having client's Master-Key and Session-ID?

asked 25 May '11, 03:22

tosiara's gravatar image

accept rate: 0%

OK, forget my last answer... as of today, it is possible to use the "openssl s_client" output to do decryption. I added this to the keylog option that was already there. You can now use the format:

RSA Session-ID:xxxx Master-Key:xxxx

In the key log file to decrypt the session. In your case that would be:

RSA Session-ID:B5AEB800F43F96A9BAD007A5D26423E43479B904166FA72A4789DEA15A830E26 Master-Key:454AD3030F0AE8234508DF959EF533675E225BBB388EE5F80A20A007BAB63E1ABB972F39401796FB02F27AF95AB083A4

You will need to build your own version from "trunk" or use an automated build which will be available in a couple of hours. Please use a version with a number higher or equal to 37401.

I hope this works for you :-)


answered 25 May '11, 14:58

SYN-bit's gravatar image

SYN-bit ♦♦
accept rate: 20%

Great, that works!!! Thank you very much!

Only one small note: if keylog file does not contain trailing CRLF I receive this error:

trying to use SSL keylog in c:\rsa.log checking keylog line: RSA Session-ID:451C00005EC950112D2156C2FDC29BB71A3CA320CEE28FC2DA786AD6F5E5102E Master-Key:DD81A0D7D526740CDEB1AB6DE421102F52C781547A06F6A6480D6055846BB7FFB8CCBCB09FC1A38CC4610135F0F17C4 line contains non-hex chars in master secret

But after adding CRLF at the end - all works perfect!

(26 May '11, 03:22) tosiara

I'm glad it works for you too :-)

Indeed the code requires all lines to be terminated with a newline character.

(26 May '11, 04:59) SYN-bit ♦♦

Although the s_client shows a Session-ID, this will be useless if it is not sent to the server (Session-ID 0 in the capture). You can still try to match a known master key with a request using CLIENT_RANDOM by looking at the traffic. See https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9144#c5 for parsing s_client output to generate a CLIENT_RANDOM line.

(14 Sep '13, 10:57) Lekensteyn

At the moment "No, not directly". There has been code added that reads in a file with a list of decrypted PreMasterSecrets, indexed by the first 8 bytes (IIRC) of the Encrypted PreMasterSecret. It has been added by a developer that also added a debug option to the SSL library of Firefox/Chrome to export this data (see Bug 4349)

So at the moment, you might be able to fabricate the file yourself based on the tracefile and the "openssl s_client" output. In the future there might be more options added to import/export session keys to make decryption possible without obtaining (or exposing) the private key.


answered 25 May '11, 07:15

SYN-bit's gravatar image

SYN-bit ♦♦
accept rate: 20%

I'm glad you knew this SYN..my knee-jerk reaction to this question was "No - never". It makes sense that this would be possible, but considering the work necessary on the user end I figured it would never be an option.

(25 May '11, 08:16) GeonJay

I'm sorry, the route of creating a keylog file yourself based on the openssl s_client output won't work. I just tried it myself, but the input from the key-log file is a PreMasterSecret, while the output of openssl s_cient is the MasterSecret.

I need to dig into SSL some more again to see whether the MasterSecret contains enough information to decrypt the session. If it does, then it is possible to extend the decryption engine to also take the MasterSecret from the s_client output. But someone needs to find the time to code it...

(25 May '11, 09:28) SYN-bit ♦♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported



Asked: 25 May '11, 03:22

Seen: 29,885 times

Last updated: 14 Sep '13, 10:57

p​o​w​e​r​e​d by O​S​Q​A