Decrypting SSL traffic in wireshark

Unable to view descrypted SSL traffic in wirehark.
I am hosting a web application locally which is internally hitting an external https url...
I want to capture the raw data that is being sent to this url.
I am able to see the encrypted SSL data in the column with protocol TLSv1.2 and Application Data

My application is running on jetty server on https port 443. for which i have generated a keystore.jks file.
I decrypted the file to obtain a .pem file using the last two lines in  (Also decrypted this .pem file using openssl rsa -in private.pem -out ssl.key and used this in wireshark )
which i imported into wireshark -> preferences -> protocols -> SSL
as mentioned here :
in Method 1
But nothing happened.

Also i tried what is mentioned in method 2 . Still the same...
The sslkeylog file does contain several entries beginning with CLIENT_RANDOM
But i dont even see the decrypted SSL tab in wireshark.
Also if i perform Follow SSL Stream it shows a blank page...

How do i capture the unencrypted data.
Data is being send from my machine to an https url

Also here is the output of version of wireshark  --version command for reference:

wireshark --version
Wireshark 2.2.0 (v2.2.0-0-g5368c50 from master-2.2)

Copyright 1998-2016 Gerald Combs <> and contributors.
License GPLv2+: GNU GPL version 2 or later <>
This is free software; see the source for copying conditions. There is NO

Compiled (64-bit) with Qt 5.3.2, with libpcap, without POSIX capabilities, with
GLib 2.36.0, with zlib 1.2.5, with SMI 0.4.8, with c-ares 1.10.0, with Lua
5.2.4, with GnuTLS 2.12.19, with Gcrypt 1.5.0, with MIT Kerberos, with GeoIP,
with QtMultimedia, without AirPcap.

Running on Mac OS X 10.11.4, build 15E65 (Darwin 15.4.0), with locale
en_US.UTF-8, with libpcap version 1.5.3 - Apple version 54, with GnuTLS 2.12.19,
with Gcrypt 1.5.0, with zlib 1.2.5.
Intel(R) Core(TM) i5-4278U CPU @ 2.60GHz (with SSE4.2)

Built using llvm-gcc 4.2.1 (Based on Apple Inc. build 5658) (LLVM build

Open in new window

Rohit BajajAsked:
Who is Participating?
giltjrConnect With a Mentor Commented:
Sorry, somehow missed the e-mail that this was updated.

I need to look at this in more detail, but it looks like it is encrypting some of the SSL traffic.

The traffic that it is not decrypting looks like the SSL session started before the capture was running.  Wireshark must capture the whole SSL session.  You'll see messages like "ssl_restore_master_key can't find master secret by Session ID"

The other thing I have to check is which cipher's wireshark can decrypt.  Some of ciphers exchange the keys encrypted bacyed on a dynamically generated keypair instead of being encrypted with the public key from the certificate.
giltjrConnect With a Mentor Commented:
What do you see in the SSL Debug log?
Rohit BajajAuthor Commented:
where do i generate or find out the SSL Debug Log ?
Never miss a deadline with

The revolutionary project management tool is here!   Plan visually with a single glance and make sure your projects get done.

On the same page where you tell Wireshark where you certs are there is a box to put in a log name.  Once you fill in the log name Wireshark will generate a log.
Rohit BajajAuthor Commented:
I have attached the ssl debug log
Rohit BajajAuthor Commented:
Hi any tips what could be missing in my setup or any ideas from logs ?
It looks like you started the capture after the SSL connection was up and running.

For one SSL connection you don't seem to have the correct private key.  Near the bottom of the debug log you can see "ssl_find_private_key_by_pubkey: lookup result: 0x0".  The result 0x0 means there was no private key found that matched the public key.
All Courses

From novice to tech pro — start learning today.