Wireshark-users: Re: [Wireshark-users] how to decrypt TLSv1 traffic
From: "Nik Kolev" <nkolev@xxxxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 11 Jun 2008 10:44:05 -0400
> >
> > I saw a blog post somewhere discussing that you can "pass" the path to
> > the file which stores the negotiated encryption key to wireshark and
> > (given that wireshark has been linked against a given library) get the
> > encrypted payload decrypted. I don't know if this applies to my scenario
> > (not sure whether IE writes the key to the file system,...)...
>
> With most ciphers (including the one that was chosen in the
> displayed server-hello), wireshark can do the decryption when you
> supply the private key of the server (see the ssl protocol
> preferences).
I need more help here.

So I obtained the private RSA key, placed it under u:\ssl-keys\private-rsa.key
and made the following entry in the SSL preferences' "RSA key list:" text
field -

10.23.45.156,443,http,u:\ssl-keys\private-rsa.key

Then I started capturing packets but the http payload is still showing as
encrypted data. Look below for the server hello and the app data messages.
Poking in the dark, I also specified an SSL debug file, but nothing got
dumped in there.

What am I doing wrong?

Thanks, -nik
ServerHello:

No.  Time      Source        Destination   Protocol  Info
528  7.392184  10.23.45.156  10.67.91.122  TLSv1     Server Hello, Change Cipher Spec, Encrypted Handshake Message

Frame 528 (176 bytes on wire, 176 bytes captured)
Ethernet II, Src: Cisco_75:9c:66 (00:0f:f7:75:9c:66), Dst: Dell_56:ac:09 (00:12:3f:56:ac:09)
Internet Protocol, Src: 10.23.45.156 (10.23.45.156), Dst: 10.67.91.122 (10.67.91.122)
Transmission Control Protocol, Src Port: https (443), Dst Port: mpfoncl (2579), Seq: 1, Ack: 103, Len: 122
    Source port: https (443)
    Destination port: mpfoncl (2579)
    Sequence number: 1 (relative sequence number)
    [Next sequence number: 123 (relative sequence number)]
    Acknowledgement number: 103 (relative ack number)
    Header length: 20 bytes
    Flags: 0x18 (PSH, ACK)
    Window size: 5840
    Checksum: 0x23a9 [correct]
Secure Socket Layer
    TLSv1 Record Layer: Handshake Protocol: Server Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 74
        Handshake Protocol: Server Hello
            Handshake Type: Server Hello (2)
            Length: 70
            Version: TLS 1.0 (0x0301)
            Random
            Session ID Length: 32
            Session ID: 4DCE1754CFEA43FBA9722F0EB3583DCCDAEEC601285B23F7...
            Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
            Compression Method: null (0)
    TLSv1 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
        Content Type: Change Cipher Spec (20)
        Version: TLS 1.0 (0x0301)
        Length: 1
        Change Cipher Spec Message
    TLSv1 Record Layer: Handshake Protocol: Encrypted Handshake Message
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 32
        Handshake Protocol: Encrypted Handshake Message
AppData:

No.  Time      Source        Destination   Protocol  Info
644  7.410697  10.23.45.156  10.67.91.122  TLSv1     Application Data

Frame 644 (426 bytes on wire, 426 bytes captured)
Ethernet II, Src: Cisco_75:9c:66 (00:0f:f7:75:9c:66), Dst: Dell_56:ac:09 (00:12:3f:56:ac:09)
Internet Protocol, Src: 10.23.45.156 (10.23.45.156), Dst: 10.67.91.122 (10.67.91.122)
Transmission Control Protocol, Src Port: https (443), Dst Port: mpfoncl (2579), Seq: 123, Ack: 78351, Len: 372
    Source port: https (443)
    Destination port: mpfoncl (2579)
    Sequence number: 123 (relative sequence number)
    [Next sequence number: 495 (relative sequence number)]
    Acknowledgement number: 78351 (relative ack number)
    Header length: 20 bytes
    Flags: 0x18 (PSH, ACK)
    Window size: 32767
    Checksum: 0x46af [correct]
Secure Socket Layer
    TLSv1 Record Layer: Application Data Protocol: http
        Content Type: Application Data (23)
        Version: TLS 1.0 (0x0301)
        Length: 367
        Encrypted Application Data: 8DB3F75B5A80A50CB11FC4FE15EF6E061A060CAE5C985CF0...
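A note on the posted ServerHello, as an added reading of the record rather than anything from the thread itself. Frame 528 carries ServerHello, Change Cipher Spec and an encrypted Finished in a single 122-byte segment, with no Certificate and no ServerHelloDone. In TLS 1.0 that is the abbreviated handshake of a resumed session: the client reused a cached session ID, so this connection never carries a ClientKeyExchange. Decrypting with the server's RSA private key works by unwrapping the RSA-encrypted pre-master secret from the ClientKeyExchange, so it needs two things in the capture: a static-RSA cipher suite (TLS_RSA_WITH_RC4_128_MD5 qualifies) and the full handshake, which a client only performs when it holds no cached session for the server. The script below is an added example, not code from the thread or from Wireshark; it parses raw TLS records, names the handshake messages in each direction and reports whether a server key could decrypt the session. The sample records are constructed: the first 24 session-ID bytes are the ones shown in frame 528, while the Random, the trailing session-ID bytes, the Finished contents, the certificate list and the ClientKeyExchange body are placeholders, and the cipher-suite tables are a small subset. All function names are the example's own.

```python
"""Pre-flight check for RSA-private-key TLS decryption (added example).
A server RSA key decrypts a session only if the suite uses static RSA key
exchange AND the capture holds the ClientKeyExchange of a full handshake.
A resumed session has none: ServerHello, ChangeCipherSpec, Finished (frame 528).
"""
import struct

TLS1_0, CHANGE_CIPHER_SPEC, HANDSHAKE = 0x0301, 20, 22
HS_NAMES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
            12: "ServerKeyExchange", 14: "ServerHelloDone", 16: "ClientKeyExchange"}
RSA_KX_SUITES = {0x0004, 0x0005, 0x000A, 0x002F, 0x0035}  # static RSA (subset)
DHE_SUITES = {0x0033, 0x0039}  # ephemeral (subset): the server key only signs

def iter_records(data):
    """Yield (content_type, body) for each TLS record of one direction."""
    off = 0
    while off + 5 <= len(data):
        ctype, _ver, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated TLS record")
        yield ctype, body
        off += 5 + length

def split_handshake(buf):
    """Return (complete handshake messages, leftover fragment bytes)."""
    msgs, off = [], 0
    while off + 4 <= len(buf):
        hlen = int.from_bytes(buf[off + 1:off + 4], "big")
        if off + 4 + hlen > len(buf):
            break  # message continues in the next record
        msgs.append((buf[off], buf[off + 4:off + 4 + hlen]))
        off += 4 + hlen
    return msgs, buf[off:]

def cipher_suite_of(server_hello_body):
    """Suite follows 2 version bytes, 32 random bytes and the session ID."""
    sid_len = server_hello_body[34]
    return struct.unpack("!H", server_hello_body[35 + sid_len:37 + sid_len])[0]

def walk_flight(data):
    """Name the messages of one direction; handshake records after CCS are opaque."""
    seen, pending, encrypted, suite = [], b"", False, None
    for ctype, body in iter_records(data):
        if ctype == CHANGE_CIPHER_SPEC:
            seen.append("ChangeCipherSpec")
            encrypted = True
        elif ctype == HANDSHAKE and not encrypted:
            msgs, pending = split_handshake(pending + body)
            for htype, hbody in msgs:
                if htype == 2:
                    suite = cipher_suite_of(hbody)
                seen.append(HS_NAMES.get(htype, f"Handshake({htype})"))
        else:
            seen.append("EncryptedHandshakeMessage" if ctype == HANDSHAKE
                        else f"Record({ctype})")
    return seen, suite

def analyse_handshake(*flights):
    """Each argument is the raw TLS record bytes of one direction (server, client)."""
    messages, suite = [], None
    for flight in flights:
        seen, s = walk_flight(flight)
        messages += seen
        suite = s if s is not None else suite
    abbreviated = ("ServerHello" in messages and "ChangeCipherSpec" in messages
                   and "ServerHelloDone" not in messages)
    rsa_kx, has_cke = suite in RSA_KX_SUITES, "ClientKeyExchange" in messages
    if not rsa_kx:
        reason = "cipher suite 0x%04x is not static RSA key exchange" % (suite or 0)
    elif abbreviated:
        reason = "abbreviated handshake (session resumed): no ClientKeyExchange"
    elif not has_cke:
        reason = "ClientKeyExchange missing from capture"
    else:
        reason = "full handshake with static RSA key exchange"
    return {"messages": messages, "cipher_suite": suite, "rsa_key_exchange": rsa_kx,
            "abbreviated": abbreviated, "reason": reason,
            "server_key_decryptable": rsa_kx and has_cke and not abbreviated}

# --- constructed sample records; lengths reproduce frame 528 above ----------
def record(ctype, body):
    return struct.pack("!BHH", ctype, TLS1_0, len(body)) + body
def handshake(htype, body):
    return bytes([htype]) + len(body).to_bytes(3, "big") + body
def server_hello(session_id, suite):  # Random is all zeros: constructed
    return handshake(2, struct.pack("!H", TLS1_0) + bytes(32) + bytes([len(session_id)])
                     + session_id + struct.pack("!H", suite) + b"\x00")

# First 24 session-ID bytes are from frame 528; the trailing 8 are constructed.
SESSION_ID = bytes.fromhex("4DCE1754CFEA43FBA9722F0EB3583DCCDAEEC601285B23F7") + bytes(8)
FINISHED = bytes(32)  # RC4-MD5 Finished: 16-byte message + 16-byte MAC (constructed)
CERT_LIST = b"\x00\x00\x04\x00\x00\x01\x30"  # placeholder certificate list (constructed)
RESUMED_SERVER = (record(HANDSHAKE, server_hello(SESSION_ID, 0x0004))
                  + record(CHANGE_CIPHER_SPEC, b"\x01") + record(HANDSHAKE, FINISHED))

def full_handshake(suite):
    """Constructed full handshake for `suite`: (server flight, client flight)."""
    server = (record(HANDSHAKE, server_hello(bytes(32), suite) + handshake(11, CERT_LIST)
                     + (handshake(12, bytes(8)) if suite in DHE_SUITES else b"")
                     + handshake(14, b""))
              + record(CHANGE_CIPHER_SPEC, b"\x01") + record(HANDSHAKE, FINISHED))
    client = (record(HANDSHAKE, handshake(16, b"\x00\x80" + bytes(128)))  # encrypted PMS
              + record(CHANGE_CIPHER_SPEC, b"\x01") + record(HANDSHAKE, FINISHED))
    return server, client

if __name__ == "__main__":
    r = analyse_handshake(RESUMED_SERVER)
    print(" / ".join(r["messages"]), "->", r["reason"])
```

Run against the frame-528 shape, the verdict is "abbreviated handshake (session resumed): no ClientKeyExchange"; against the constructed full handshake with suite 0x0004 it is decryptable, and with a DHE suite it is not, whatever key you hold. In a real capture, feed each direction's reassembled TLS stream as one argument. The same two conditions apply to Wireshark's RSA key list: the key must match the server certificate, the suite must be static RSA, and the capture must start before the ClientHello of a full handshake.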
- Follow-Ups:
  - Re: [Wireshark-users] how to decrypt TLSv1 traffic (From: Nik Kolev)
- References:
  - [Wireshark-users] how to decrypt TLSv1 traffic (From: Nik Kolev)
  - Re: [Wireshark-users] how to decrypt TLSv1 traffic (From: Sake Blok)