feickholt
Level 10

Capture SSL Traffic and decrypt the traffic using Wireshark

Hi

During the last few days I tried to decrypt captured SSL traffic (Troubleshooting - Packet Capture).

I've configured SSL intercept and I can see in connection tracing this works as expected.

I exported the SSL Client Context - Certificate Authority key and imported it into Wireshark.

Then I tried to open a captured file, but the SSL session is still encrypted.

Is there something I've forgotten?

Thanks

Frank

2 Replies
asabban
Level 17

Re: Capture SSL Traffic and decrypt the traffic using Wireshark

Hi Frank,

I tried the same thing in the past but failed. I was given some hints which I actually never tried, but maybe they help you:

1) You have to use the domain key, not the CA key (for newer MWG versions this can be found under /opt/mwg/plugin/data/Proxy/ssl/serverkey????.pem)

2) Turn off DH-key exchange by adding “:!DH” to the cipher string of the ssl client context. (Of course not recommended)



feickholt
Level 10

Re: Capture SSL Traffic and decrypt the traffic using Wireshark

Hi Andre,

thanks for your hints... :-)

You have to use both:

get the right CA key (128 or 256 bit, depending on what RSA key size you've configured in your SSL client context) and turn off Diffie-Hellman. With DH, Wireshark has to fetch the dynamic key, which is not possible.

But there exists another solution :-)

At least with Chrome you are able to use pre-master secrets. In such a case you can use DH without knowing the keys.

By default this key isn't logged anywhere, but with Chrome it's possible to set an environment variable and have these written to disk.

  1. (Windows 7) Right click on 'My Computer' and then go to Properties. Then click Advanced System Settings > Environment Variables. Then under System variables, create a new variable named SSLKEYLOGFILE with the value being a text file.
    In this case I went with C:\premaster.txt.
    Click OK through all open dialogs.
    You have to restart Chrome to get this working.

  2. Back in Wireshark, head to Edit > Preferences > Protocols > SSL. Under the option for '(Pre)Master-Secret log file name' - select your log file you created above (so C:\premaster.txt).
  3. Start your capture in Wireshark and then generate a few SSL connections in Chrome. Stop the capture when you're done.



Frank
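The key-log lookup that the last reply sets up (SSLKEYLOGFILE in Chrome, the file handed to Wireshark under '(Pre)Master-Secret log file name'), as an added example that is not part of the thread: it parses the NSS-format key log Chrome writes, pulls the 32-byte random out of a ClientHello record, and looks up the matching master secret the way Wireshark does. This also shows why the `:!DH` workaround from the first reply becomes unnecessary with a key log: the CLIENT_RANDOM line carries the master secret itself, so no (EC)DHE private value is needed. The ClientHello bytes and the key log contents below are constructed for the example; `load_keylog_from_env` only reads the same SSLKEYLOGFILE variable the post mentions. The function and variable names are mine, not Wireshark's or Chrome's.

```python
"""Match a captured TLS ClientHello against an SSLKEYLOGFILE (NSS key log format).

Each line is "<LABEL> <client_random hex> <secret hex>". Wireshark takes the
32-byte random from the ClientHello it saw on the wire and looks it up here; the
CLIENT_RANDOM label carries the master secret, which is why (EC)DHE suites can be
decrypted without the proxy's private key.
"""
import binascii
import os
from dataclasses import dataclass

# Fixed-length secrets in the format; TLS 1.3 traffic-secret labels are
# hash-sized (32 or 48 bytes) and are accepted with either length.
_FIXED_SECRET_LEN = {"CLIENT_RANDOM": 48, "RSA": 48}


@dataclass(frozen=True)
class KeyLogEntry:
    label: str
    client_random: bytes  # 32-byte ClientHello.random (8-byte prefix of the encrypted PMS for RSA lines)
    secret: bytes


def parse_keylog(text):
    """Parse NSS key log text into {(label, client_random): KeyLogEntry}."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and comments are allowed
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(parts)}")
        label, rand_hex, secret_hex = parts
        try:
            rand, secret = binascii.unhexlify(rand_hex), binascii.unhexlify(secret_hex)
        except binascii.Error as exc:
            raise ValueError(f"line {lineno}: bad hex: {exc}") from exc
        want = _FIXED_SECRET_LEN.get(label)
        if want is not None and len(secret) != want:
            raise ValueError(f"line {lineno}: {label} secret must be {want} bytes, got {len(secret)}")
        if label != "RSA" and len(rand) != 32:
            raise ValueError(f"line {lineno}: client random must be 32 bytes, got {len(rand)}")
        entries[(label, rand)] = KeyLogEntry(label, rand, secret)
    return entries


def load_keylog_from_env(var="SSLKEYLOGFILE"):
    """Read the file named by the same variable Chrome uses (None if unset)."""
    path = os.environ.get(var)
    if not path:
        return None
    with open(path, encoding="ascii") as fh:
        return parse_keylog(fh.read())


def client_random_from_record(record):
    """Pull ClientHello.random out of one TLS handshake record (content type 0x16)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or not body or body[0] != 0x01:  # HandshakeType client_hello = 1
        raise ValueError("record does not carry a complete ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 2 + 32:
        raise ValueError("ClientHello too short")
    return hello[2:34]  # skip legacy_version, then the 32 random bytes


def master_secret_for(record, entries):
    """Return the master secret Wireshark would use for this ClientHello, or None."""
    entry = entries.get(("CLIENT_RANDOM", client_random_from_record(record)))
    return entry.secret if entry else None


def build_client_hello(client_random, cipher_suites=(0x009E, 0x002F)):
    """Build a minimal TLS 1.2 ClientHello record (constructed test input, not a capture).

    Default suites: DHE-RSA-AES128-GCM-SHA256 (0x009E), the DH case from the
    thread, and AES128-SHA (0x002F).
    """
    suites = b"".join(s.to_bytes(2, "big") for s in cipher_suites)
    hello = (b"\x03\x03" + client_random + b"\x00"  # version, random, empty session id
             + len(suites).to_bytes(2, "big") + suites
             + b"\x01\x00"                          # one compression method: null
             + b"\x00\x00")                         # no extensions
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed sample key log: not from a real browser session.
SAMPLE_RANDOM = bytes(range(32))
SAMPLE_MASTER = bytes(range(48))
SAMPLE_KEYLOG = (
    "# constructed sample\n"
    f"CLIENT_RANDOM {SAMPLE_RANDOM.hex()} {SAMPLE_MASTER.hex()}\n"
    f"CLIENT_RANDOM {bytes([0xAA] * 32).hex()} {bytes([0xBB] * 48).hex()}\n"
)

if __name__ == "__main__":
    entries = load_keylog_from_env() or parse_keylog(SAMPLE_KEYLOG)
    secret = master_secret_for(build_client_hello(SAMPLE_RANDOM), entries)
    print("master secret:", secret.hex() if secret else "no matching CLIENT_RANDOM entry")
```

Run it with SSLKEYLOGFILE pointing at the file Chrome wrote to check whether a given ClientHello random has an entry; a missing entry is the usual reason a session stays encrypted in Wireshark (Chrome was started before the variable was set, or the capture predates the log).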