During the last days I tried to decrypt captured SSL traffic (Troubleshooting - Packet Capture).
I've configured SSL intercept and I can see in connection tracing that this works as expected.
I exported the SSL Client Context - Certificate Authority key and imported it into Wireshark.
Then I tried to open a captured file,
but the SSL session is still encrypted.
Is there something I've forgotten?
I tried the same thing in the past but failed. I was given some hints which I actually never tried, but maybe they help you:
1) You have to use the domain key, not the CA key (for newer MWG versions this can be found under /opt/mwg/plugin/data/Proxy/ssl/serverkey????.pem).
2) Turn off DH key exchange by adding ":!DH" to the cipher string of the SSL client context. (Of course not recommended.)
Thanks for your hints... :-)
You have to use both:
get the right CA key (128 or 256 bit depending on what RSA key size you've configured in your SSL client context) and turn off Diffie-Hellman. With DH, Wireshark has to fetch the dynamic key, which is not possible.
But there exists another solution :-)
At least using Chrome you are able to use pre-master secrets. In that case you can use DH without knowing the keys.
By default, this key isn't logged anywhere but with Chrome it's possible to set an environment variable and have these written to disk.
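The two points made in this thread (an RSA key only helps when the session used RSA key exchange rather than DH, and a pre-master-secret log from the browser covers the DH case) can be checked before spending time in Wireshark. The following is an added example, not code from the original posts, from MWG or from Wireshark. It assumes the key log file Chrome writes when SSLKEYLOGFILE is set follows the NSS Key Log Format ("LABEL <client_random hex> <secret hex>", one entry per line) and that the cipher suite ID is read from the captured ServerHello. The sample log lines and cipher suite table are constructed for the example.

```python
"""Pre-checks for decrypting a captured TLS session in Wireshark (example code).

1. parse_keylog(): validate an NSS-format key log (what Chrome writes when
   SSLKEYLOGFILE is set) and report lines Wireshark would not be able to use.
2. key_exchange() / decryptable_with_server_key(): tell from the negotiated
   cipher suite whether the server's RSA private key alone can recover the
   session (RSA key exchange) or whether a key log is required (DHE/ECDHE,
   and every TLS 1.3 suite, which is always ephemeral).
"""
import re
from typing import Dict, List, Tuple

# Labels defined by the NSS Key Log Format. CLIENT_RANDOM carries the
# 48-byte TLS 1.2 master secret; the TLS 1.3 labels carry a 32- or 48-byte
# traffic secret depending on the suite's hash.
TLS12_LABEL = "CLIENT_RANDOM"
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
}
_LINE_RE = re.compile(r"^(\S+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")


def parse_keylog(text: str) -> Tuple[Dict[Tuple[str, bytes], bytes], List[int]]:
    """Return ({(label, client_random): secret}, [1-based numbers of bad lines]).

    Comments and blank lines are ignored, as Wireshark does. A line whose
    secret has the wrong length is reported rather than silently kept.
    """
    entries: Dict[Tuple[str, bytes], bytes] = {}
    bad: List[int] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        m = _LINE_RE.match(line.strip())
        if not m:
            bad.append(lineno)
            continue
        label, rand_hex, secret_hex = m.groups()
        secret_len = len(secret_hex) // 2
        if label == TLS12_LABEL:
            ok = secret_len == 48
        elif label in TLS13_LABELS:
            ok = secret_len in (32, 48)
        else:
            ok = False
        if not ok:
            bad.append(lineno)
            continue
        entries[(label, bytes.fromhex(rand_hex))] = bytes.fromhex(secret_hex)
    return entries, bad


# Constructed cipher suite table (IANA IDs), grouped by key exchange.
_RSA_KX = {0x000A, 0x002F, 0x0035, 0x003C, 0x003D, 0x009C, 0x009D}
_DHE = {0x0033, 0x0039, 0x0067, 0x006B, 0x009E, 0x009F}
_ECDHE = {0xC013, 0xC014, 0xC027, 0xC028, 0xC02F, 0xC030, 0xCCA8}
_TLS13 = {0x1301, 0x1302, 0x1303, 0x1304, 0x1305}


def key_exchange(suite_id: int) -> str:
    """Classify the key exchange of a negotiated cipher suite."""
    if suite_id in _RSA_KX:
        return "RSA"
    if suite_id in _DHE:
        return "DHE"
    if suite_id in _ECDHE:
        return "ECDHE"
    if suite_id in _TLS13:
        return "TLS1.3"
    return "unknown"


def decryptable_with_server_key(suite_id: int) -> bool:
    """True only for RSA key exchange: the server key unwraps the pre-master
    secret. For (EC)DHE and TLS 1.3 the secret is never sent on the wire, so
    Wireshark needs a key log instead (the ":!DH" cipher-string trick in the
    thread forces the RSA case)."""
    return key_exchange(suite_id) == "RSA"


# Constructed sample key log: a comment, three usable lines, one truncated secret.
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + "aa" * 32 + " " + "bb" * 48,
    "CLIENT_RANDOM " + "cc" * 32 + " " + "dd" * 48,
    "CLIENT_RANDOM " + "ee" * 32 + " " + "ff" * 10,  # only 10 bytes: unusable
    "CLIENT_TRAFFIC_SECRET_0 " + "11" * 32 + " " + "22" * 32,
])

if __name__ == "__main__":
    entries, bad = parse_keylog(SAMPLE_KEYLOG)
    print(f"{len(entries)} usable key log entries, bad lines: {bad}")
    for sid in (0x002F, 0xC02F, 0x1301):
        print(f"suite 0x{sid:04X}: {key_exchange(sid)}, "
              f"server key sufficient: {decryptable_with_server_key(sid)}")
```

Point Wireshark at the key log file (Preferences > Protocols > TLS > (Pre)-Master-Secret log filename) and it will use the CLIENT_RANDOM entries to decrypt the DH sessions that the RSA key alone cannot; running the parser first shows whether the file was written completely.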