This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Decode SSL with server key


I am trying to decode a simple HTTPS session on wireshark 1.8.2 (sorry, it's a bit old). I have the server key file (no password). Went to wireshark preference for SSL and added an entry for RSA list: IP:port:protocol:KeyFile as 127.0.0.1:443:http:/home/user/server.key.

I thought I did everything right, but it just won't decrypt. Wonder what could have gone wrong. Thanks.

Here are the debug log and pcap file.

asked 07 Aug '15, 16:33


pktUser1001
accept rate: 12%


One Answer:


The problem is shown here:

dissect_ssl3_hnd_srv_hello can't find cipher suite 0x9E

cipher suite 0x94 is a Diffie Hellman based cipher (DHE-RSA-AES128-GCM-SHA256). Due to the nature of Diffie Hellman, you can't decrypt the SSL traffic with only the private key of the server. Diffie Hellman is made and used to prevent exactly that. This is not a limitation of Wireshark, it's how it is supposed to work.

If you want to decrypt the traffic, you would need the so called session keys, generated by the client (browser). Some browsers will export those keys if told to do so.

http://security.stackexchange.com/questions/35639/decrypting-tls-in-wireshark-when-using-dhe-rsa-ciphersuites
https://ask.wireshark.org/questions/37223/wireshark-decryption
https://ask.wireshark.org/questions/21011/decrypting-tls-messages-which-is-using-diffie-hellman-algorithm

Regards
Kurt

answered 11 Aug '15, 16:26


Kurt Knochner ♦
accept rate: 15%
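The check behind Kurt's answer, as an added example that is not part of the original thread or of Wireshark: it pulls the negotiated cipher suite out of a TLS ServerHello record and reports whether the key exchange is plain RSA (server private key can decrypt) or (EC)DHE (only client-exported session keys will do). The `CIPHER_SUITES` table is a small subset of the IANA registry, `build_server_hello` produces a constructed sample record rather than bytes from the poster's pcap, and all function names are the example's own.

```python
import struct

# Subset of IANA cipher-suite ids. The key-exchange part of the name (before
# "_WITH_") decides whether the server's RSA private key is enough to decrypt.
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",   # the suite in the debug log
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
}

def key_exchange(suite_id):
    """Return 'RSA', 'DHE_RSA', 'ECDHE_RSA', ... or 'unknown' for a suite id."""
    name = CIPHER_SUITES.get(suite_id)
    if name is None:
        return "unknown"
    return name.split("_WITH_")[0][len("TLS_"):]

def parse_server_hello(record):
    """Parse one TLS record carrying a ServerHello and classify its key exchange."""
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    if hs_type != 0x02:
        raise ValueError("not a ServerHello")
    hello = body[4:4 + hs_len]
    # version(2) + random(32) + session_id_len(1) + session_id + cipher_suite(2)
    sid_len = hello[34]
    off = 35 + sid_len
    suite = struct.unpack("!H", hello[off:off + 2])[0]
    kx = key_exchange(suite)
    return {
        "cipher_suite": suite,
        "name": CIPHER_SUITES.get(suite, "unknown"),
        "key_exchange": kx,
        "rsa_key_sufficient": kx == "RSA",   # False for DHE/ECDHE: need session keys
    }

def build_server_hello(suite_id):
    """Constructed sample ServerHello record (TLS 1.2, empty session id, null compression)."""
    hello = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", suite_id) + b"\x00"
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    print(parse_server_hello(build_server_hello(0x009E)))
```

When `rsa_key_sufficient` is False, the RSA keys list preference cannot help and the capture has to be paired with the browser's exported session keys instead.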