2 Replies Latest reply on Dec 16, 2014 3:18 AM by feickholt

    Capture SSL Traffic and decrypt the traffic using Wireshark

    feickholt

      Hi

      During the last days I tried to decrypt captured SSL traffic (Troubleshooting - Packet Capture).

      I've configured SSL intercept and I can see in connection tracing that this works as expected.

      I exported the SSL Client Context - Certificate Authority key and imported it into Wireshark.

      Then I tried to open a captured file,

      but the SSL session is still encrypted.

      Is there something I've forgotten?

      Thanks

      Frank

        • 1. Re: Capture SSL Traffic and decrypt the traffic using Wireshark
          asabban

          Hi Frank,

          I tried the same thing in the past but failed. I was given some hints which I actually never tried, but maybe they help you:

          1) You have to use the domain key, not the CA key (for newer MWG versions this can be found under /opt/mwg/plugin/data/Proxy/ssl/serverkey????.pem)

          2) Turn off DH key exchange by adding “:!DH” to the cipher string of the SSL client context. (Of course not recommended)



          • 2. Re: Capture SSL Traffic and decrypt the traffic using Wireshark
            feickholt

            Hi Andre,

            Thanks for your hints... :-)

            You have to use both:

            get the right CA key (128 or 256 bit depending on what RSA key size you've configured in your SSL client context) and turn off Diffie-Hellman. With DH, Wireshark has to fetch the dynamic key, which is not possible.

            But there exists another solution :-)

            At least using Chrome you are able to use pre-master secrets. In that case you can use DH without knowing the keys.

            By default, this key isn't logged anywhere, but with Chrome it's possible to set an environment variable and have these written to disk.

            1. (Windows 7) Right-click on 'My Computer' and then go to Properties. Then click Advanced System Settings > Environment Variables. Then under System Variables, create a new variable named SSLKEYLOGFILE with the value being a text file.
              In this case I went with C:\premaster.txt.
              Click OK through all open dialogs.
              You have to restart Chrome to get this working.

            2. Back in Wireshark, head to Edit > Preferences > Protocols > SSL. Under the option for '(Pre)Master-Secret log file name' - select your log file you created above (so C:\premaster.txt).
            3. Start your capture in Wireshark and then generate a few SSL connections in Chrome. Stop the capture when you're done.



            Frank
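Added example, not part of this thread and not McAfee Web Gateway or Wireshark code: a small Python script that turns the two decryption routes discussed above into a check you can run against a handshake. It parses a key log in the SSLKEYLOGFILE format that Chrome writes (`CLIENT_RANDOM <client random hex> <master secret hex>`), pulls the 32-byte client random out of a captured ClientHello and the negotiated cipher suite out of the ServerHello, and reports whether the session could be decrypted from the key log, from a server private key (only for static TLS_RSA_* suites, never for (EC)DHE, which is why DH had to be disabled for the key-based route), or not at all. The record builders and the key log contents are constructed sample input, not a real capture; the cipher suite table is a few well-known IANA IDs, not a complete registry. Note that the private key that works for the RSA route is the key of the certificate the client actually saw in the capture; behind an intercepting proxy that is the per-site key the proxy generated, not the signing CA's key.

```python
import binascii
import struct

# IANA cipher suite IDs with a static RSA key exchange: the premaster secret
# is RSA-encrypted to the server certificate's key, so that private key alone
# lets Wireshark decrypt. (EC)DHE suites need the per-session secret from a
# key log instead. Assumption: a handful of common IDs, not a complete table.
STATIC_RSA_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
}

def parse_keylog(text):
    """Parse SSLKEYLOGFILE content into {client_random: master_secret}.
    Only CLIENT_RANDOM lines are used; RSA and TLS 1.3 traffic-secret labels
    are skipped. Malformed lines raise so a truncated log file is noticed."""
    secrets = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"keylog line {lineno}: expected 3 fields")
        label, key_hex, secret_hex = parts
        if label != "CLIENT_RANDOM":
            continue
        key, secret = binascii.unhexlify(key_hex), binascii.unhexlify(secret_hex)
        if len(key) != 32 or len(secret) != 48:
            raise ValueError(f"keylog line {lineno}: bad field length")
        secrets[key] = secret
    return secrets

def _handshake_body(record, expected_type):
    """Unwrap one TLS record (content type 0x16) and return the handshake body."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != expected_type:
        raise ValueError(f"expected handshake type {expected_type:#x}")
    hs_len = int.from_bytes(body[1:4], "big")
    return body[4:4 + hs_len]

def client_random(client_hello_record):
    """ClientHello: version(2) random(32) ... -> the 32-byte client random."""
    hello = _handshake_body(client_hello_record, 0x01)
    if len(hello) < 34:
        raise ValueError("truncated ClientHello")
    return hello[2:34]

def selected_cipher_suite(server_hello_record):
    """ServerHello: version(2) random(32) sid_len(1) sid cipher_suite(2) ..."""
    hello = _handshake_body(server_hello_record, 0x02)
    off = 35 + hello[34]
    return struct.unpack("!H", hello[off:off + 2])[0]

def decryptable(client_hello_record, server_hello_record, keylog_text, have_server_key):
    """How this session could be decrypted:
    'keylog'  a CLIENT_RANDOM entry matches the captured client random
    'rsa-key' static RSA suite and the certificate's private key is at hand
    None      neither (typically an (EC)DHE suite with nothing logged)"""
    cr = client_random(client_hello_record)
    if cr in parse_keylog(keylog_text):
        return "keylog"
    if have_server_key and selected_cipher_suite(server_hello_record) in STATIC_RSA_SUITES:
        return "rsa-key"
    return None

# --- constructed sample input (not from a real capture or key log) --------
def build_client_hello(random32, suites):
    """Minimal TLS 1.2 ClientHello record, no session ID, no extensions."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = b"\x03\x03" + random32 + b"\x00" + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def build_server_hello(random32, suite):
    """Minimal TLS 1.2 ServerHello record, empty session ID, null compression."""
    hello = b"\x03\x03" + random32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

CR_LOGGED = bytes(range(32))        # session Chrome logged
CR_UNLOGGED = bytes(range(32, 64))  # session from before SSLKEYLOGFILE was set
SAMPLE_KEYLOG = ("# SSL/TLS secrets log file, generated by NSS\n"
                 "CLIENT_RANDOM " + CR_LOGGED.hex() + " " + "ab" * 48 + "\n")
SERVER_RANDOM = bytes([0x55] * 32)

def demo():
    """The four combinations a troubleshooter usually runs into."""
    ch_logged = build_client_hello(CR_LOGGED, [0xC02F, 0x002F])
    ch_unlogged = build_client_hello(CR_UNLOGGED, [0xC02F, 0x002F])
    sh_ecdhe = build_server_hello(SERVER_RANDOM, 0xC02F)  # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    sh_rsa = build_server_hello(SERVER_RANDOM, 0x002F)    # TLS_RSA_WITH_AES_128_CBC_SHA
    return {
        "logged, ECDHE": decryptable(ch_logged, sh_ecdhe, SAMPLE_KEYLOG, True),
        "unlogged, ECDHE": decryptable(ch_unlogged, sh_ecdhe, SAMPLE_KEYLOG, True),
        "unlogged, RSA, key": decryptable(ch_unlogged, sh_rsa, SAMPLE_KEYLOG, True),
        "unlogged, RSA, no key": decryptable(ch_unlogged, sh_rsa, SAMPLE_KEYLOG, False),
    }

if __name__ == "__main__":
    for case, how in demo().items():
        print(f"{case}: {how}")
```

The "unlogged, ECDHE" case is the one that stays encrypted in Wireshark no matter which key you import: a forward-secret suite with no CLIENT_RANDOM entry, which is what you get when Chrome was started before SSLKEYLOGFILE was set. Point Wireshark's (Pre)-Master-Secret log file at the same file and it performs the same client-random lookup on each captured ClientHello.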