This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Decrypting SSL

0

I am using Wireshark 1.6. I am trying to decrypt an SSL stream on a capture from one of our production servers. I have a capture taken from that server. I have the key extracted in pks format. I have converted it to pkcs12 and then RSA to remove the password. I also tried converting to pkcs8 but no luck. I configured my SSL preferences to "serveraddress,443,http,c:certcc.pem". I also tried adding it to the RSA key list in multiple formats.

All of the examples I find reference creating your own cert, but I don't see how this would work in a production environment that is using a Verisign cert.

What am I missing?

asked 22 Jun '11, 19:20

ericinsd
accept rate: 0%


One Answer:

2

First of all, a bug has been reported with version 1.6.0 which seems to indicate that Wireshark needs to be restarted before the SSL settings take effect (which was not necessary before), but I haven't verified that yet.

Then, there might be other reasons why SSL decryption does not work for you. Here are the most common ones:

  1. The private key is not in the right format or does not match the certificate from the server.
  2. The SSL session was reused and the full SSL handshake is not in the tracefile.
  3. A DH cipher has been chosen by the server.

You might want to check the presentation I have given at Sharkfest'09 about troubleshooting SSL with Wireshark.

answered 23 Jun '11, 05:54

SYN-bit ♦♦
accept rate: 20%
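As an added illustration (not part of the original thread or of Wireshark itself), a small Python checker for reasons 2 and 3 above: it parses a TLS ServerHello record and reports whether the server echoed the client's session ID (a resumed session, so the full handshake is missing) and whether the negotiated cipher suite uses (EC)DHE key exchange, which an RSA private key cannot decrypt. The record builder, the small cipher-suite table and the sample values are constructed for the demo.

```python
import struct

# Small IANA cipher-suite table: id -> (name, key-exchange method).
CIPHER_SUITES = {
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "RSA"),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE"),
    0x0039: ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "DHE"),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE"),
    0xC014: ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "ECDHE"),
}

def parse_server_hello(record):
    """Parse a TLS record holding a ServerHello (TLS 1.0-1.2 layout)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    # version(2) random(32) sid_len(1) sid cipher_suite(2) compression(1)
    version = struct.unpack(">H", hs[0:2])[0]
    sid_len = hs[34]
    session_id = hs[35:35 + sid_len]
    suite = struct.unpack(">H", hs[35 + sid_len:37 + sid_len])[0]
    name, kx = CIPHER_SUITES.get(suite, ("unknown_0x%04x" % suite, "unknown"))
    return {"version": version, "session_id": session_id, "cipher_suite": suite,
            "cipher_name": name, "key_exchange": kx, "rsa_decryptable": kx == "RSA"}

def diagnose(client_session_id, server_hello_record):
    """Apply reasons 2 and 3 from the answer's checklist to one handshake."""
    sh = parse_server_hello(server_hello_record)
    problems = []
    # Reason 2: an echoed client session ID means a resumed session (no full handshake).
    if client_session_id and sh["session_id"] == client_session_id:
        problems.append("session resumed; full handshake not in trace")
    # Reason 3: (EC)DHE suites never encrypt the premaster secret to the RSA key.
    if sh["key_exchange"] in ("DHE", "ECDHE"):
        problems.append("%s key exchange (%s)" % (sh["key_exchange"], sh["cipher_name"]))
    return sh, problems

def build_server_hello(session_id, suite):
    """Construct a minimal ServerHello record (sample data, not a real capture)."""
    hs = (b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
          + struct.pack(">H", suite) + b"\x00")
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return b"\x16\x03\x01" + struct.pack(">H", len(body)) + body
```

In Wireshark the same fields are visible in the Server Hello under "Session ID" and "Cipher Suite"; a suite named DHE or ECDHE means the RSA key list cannot help for that session.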

Thank you. It does appear that Wireshark does need to be restarted. By adding the original pfx file with its password to the RSA key list I was successful.

I now see all of the data returned by our application but I do not see the full post from the client. Is this normal?

Thank you! Eric

(23 Jun '11, 07:16) ericinsd

(converted your answer to a comment, see the FAQ)

Glad you got a step further. However, you should be able to see both client and server traffic decrypted, so something else is still not OK. Are you able to share the trace and the key? Or is it not from a test environment? If you want to, you can send them to me privately (see my profile for my address).

(23 Jun '11, 08:37) SYN-bit ♦♦

It is from a production application that contains NPPI so... unfortunately I cannot. It is actually a system-to-system interface that posts an XML request and returns an XML response. I actually see the POST... but not the request contained in the POST. The client communication looks like this:

POST /CGI-BIN/CCListener.exe HTTP/1.1
Content-type: text/xml
OPTR_CXT: 01000100000f62ef4d-7401-48ea-b24e-76f89de5a1472c5c5b42-1a87-4076-92e0-2a31ee74396a2266 HTTP ;
User-Agent: Jakarta Commons-HttpClient/2.0final
Host: www.I obscured the URL.com
Content-Length: 1504

After this I see our server's response, but I don't see the data that was posted. Our system could not generate a reply unless it received a request with the above POST.

(23 Jun '11, 10:12) ericinsd

(converted your "answer" to a "comment" again, please review the FAQ)

You might want to fiddle with the SSL and HTTP protocol preferences regarding reassembly. Also, it might be a bug in Wireshark. Are there more POST requests with data in the same TCP session? Do subsequent requests show as "Application Data"?

(23 Jun '11, 12:02) SYN-bit ♦♦