I need to capture and decrypt https traffic from my exchange server.
I've exported the exchange server's SSL certificate, and loaded it into wireshark under the ssl protocol, but my packets still are not being decrypted.
18.104.22.168,443,http,C:certname.pfx, (no password)
Picking an example packet, I've grabbed a encrypted packet from my server responding to the client (#139) packet 139 in my capture remains encrypted I can go into "Decode As" and reselect Decode and SSL, but it still does not decode the SSL encrypted data. Looking through the log file for #139 I see:
As you can see, wireshark finds an association, but fails to find a decoder. I know it's the correct SSL certificate.
You'll need to look at the whole establishment. Probably a Diffie-Hellman cipher. Check for
answered 18 Oct '11, 13:54
There are a few things you need to take into account when decrypting SSL traffic.
First of all the key must be in PEM format or PKCS12 (with or without password). Did your ssl-debug file state that the key was successfully loaded?
Next, the full SSL handshake needs to be present in the trace so that the proper keys can be extracted. A reused SSL session (with a short handshake) does not provide the keying material and can therefor only be decrypted when the original full handshake is also present in the tracefile.
Then, as Jaap mentioned, when a DH cipher is used, the keying material is exchanged using the Diffie Hellman protocol which uses dynamically created keypairs instead of the server's public and private key. Therefor Wireshark is not able to decrypt these sessions.
Now to your issue. Please check whether the certificate is loaded successfully. Then check whether the full SSL handshake is present in your tracefile. It thsi does not solve your issue, it would help to see the full ssl-debug log.
answered 18 Oct '11, 15:24