Wireshark-users: Re: [Wireshark-users] how to decrypt TLSv1 traffic
From: "Nik Kolev" <nkolev@xxxxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 11 Jun 2008 11:20:11 -0400
> 
> > >
> > > I saw a blog post somewhere discussing that you can "pass" the path
> > > to the file which stores the negotiated encryption key to wireshark
> > > and (given that wireshark has been linked against a given library)
> > > get the encrypted payload decrypted. I don't know if this applies to
> > > my scenario (not sure whether IE writes the key to the file
> > > system,...)...
> >
> > With most ciphers (including the one that was chosen in the
> > displayed server-hello), wireshark can do the decryption when you
> > supply the private key of the server (see the ssl protocol
> > preferences).
> 
> I need more help here.
> So I obtained the private RSA key, placed it under
> u:\ssl-keys\private-rsa.key and made the following entry in the SSL
> preferences' "RSA key list:" text field -
> 10.23.45.156,443,http,u:\ssl-keys\private-rsa.key
> 
> Then I started capturing packets but the http payload is still showing
> as encrypted data. Look below for the server hello and the app data
> messages. Poking in the dark, I also specified an SSL debug file, but
> nothing got dumped in there.

Actually I got a debug dump when I saved the capture to a file and
re-analyzed it in Wireshark:
ssl_init found host entry
10.23.45.156,443,http,U:\ssl-keys\prism-private-rsa.key
ssl_init addr 10.23.45.156 port 443 filename
U:\ssl-keys\prism-private-rsa.key
ssl_load_key: can't import pem data

And the key:
[nkolev@ws00665 ssl-keys]$ pwd
/cygdrive/u/ssl-keys
[nkolev@ws00665 ssl-keys]$ cat prism-private-rsa.key 
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQCXJS...
<some more base64 encoding>
...Hm8WDJqCuird
-----END RSA PRIVATE KEY-----

[nkolev@ws00665 ssl-keys]$

I am pretty sure the RSA key is not password protected, but I don't know
why I am getting "ssl_load_key: can't import pem data"?
-nik
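An added sanity check, not part of this thread or of Wireshark itself: a small Python script that validates an "RSA key list" entry of the `ip,port,protocol,keyfile` form used above and inspects the PEM file for things that commonly make a private key unreadable (passphrase headers, CRLF line endings, a BOM, mismatched BEGIN/END labels, a PKCS#8 "PRIVATE KEY" label instead of the PKCS#1 "RSA PRIVATE KEY" one shown in the thread, invalid base64). The sample PEM and entry are constructed inputs, not a real key.

```python
import base64
import re

# Constructed sample inputs (not a real key): a PEM wrapper around a tiny
# DER SEQUENCE, plus a key-list line in the format quoted in the thread.
SAMPLE_DER = b"\x30\x03\x02\x01\x00"          # ASN.1 SEQUENCE { INTEGER 0 }
SAMPLE_PEM = ("-----BEGIN RSA PRIVATE KEY-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END RSA PRIVATE KEY-----\n")
SAMPLE_ENTRY = "10.23.45.156,443,http,u:\\ssl-keys\\private-rsa.key"

def parse_key_list_entry(entry):
    """Split an 'ip,port,protocol,keyfile' entry; raise ValueError if malformed."""
    parts = entry.strip().split(",", 3)   # keyfile is the last field
    if len(parts) != 4:
        raise ValueError("expected ip,port,protocol,keyfile")
    ip, port, proto, keyfile = parts
    if not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", ip):
        raise ValueError("bad IP address: %r" % ip)
    if not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError("bad port: %r" % port)
    return {"ip": ip, "port": int(port), "protocol": proto, "keyfile": keyfile}

def inspect_pem(text):
    """Return a list of findings that may explain a failed PEM key import."""
    findings = []
    if text.startswith("\ufeff"):
        findings.append("file starts with a UTF-8 BOM")
    if "\r\n" in text:
        findings.append("CRLF line endings (Windows-style)")
    m = re.search(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END ([A-Z ]+)-----",
                  text, re.S)
    if not m:
        findings.append("no BEGIN/END PEM block found")
        return findings
    begin, body, end = m.group(1), m.group(2), m.group(3)
    if begin != end:
        findings.append("BEGIN/END labels differ: %r vs %r" % (begin, end))
    if "ENCRYPTED" in begin or "Proc-Type: 4,ENCRYPTED" in body:
        findings.append("key is passphrase-protected")
    if begin == "PRIVATE KEY":
        findings.append("PKCS#8 'PRIVATE KEY' label, not PKCS#1 'RSA PRIVATE KEY'")
    # Drop 'Header: value' lines (Proc-Type, DEK-Info) before decoding.
    b64 = "".join(l.strip() for l in body.splitlines() if ":" not in l)
    try:
        der = base64.b64decode(b64, validate=True)
    except ValueError:
        findings.append("body is not valid base64")
        return findings
    if not der.startswith(b"\x30"):
        findings.append("decoded body is not an ASN.1 SEQUENCE")
    return findings
```

Run it against the real key file by passing `open(path, encoding="utf-8").read()` to `inspect_pem`; an empty list means none of these checks fired.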