Decrypting SSL traffic in wireshark

Posted on 2016-10-03
Last Modified: 2016-11-30
Unable to view decrypted SSL traffic in Wireshark.
I am hosting a web application locally which is internally hitting an external HTTPS URL...
I want to capture the raw data that is being sent to this URL.
I am able to see the encrypted SSL data in the column with protocol TLSv1.2 and Application Data.

My application is running on a Jetty server on HTTPS port 443, for which I have generated a keystore.jks file.
I decrypted the file to obtain a .pem file using the last two lines in
http://crishantha.com/wp/?p=445 (I also decrypted this .pem file using openssl rsa -in private.pem -out ssl.key and used this in Wireshark),
which I imported into Wireshark -> Preferences -> Protocols -> SSL
as mentioned here:
http://www.root9.net/2012/11/ssl-decryption-with-wireshark-private.html
in Method 1.
But nothing happened.

Also I tried what is mentioned in Method 2. Still the same...
The sslkeylog file does contain several entries beginning with CLIENT_RANDOM,
but I don't even see the decrypted SSL tab in Wireshark.
Also if I perform Follow SSL Stream it shows a blank page...

How do I capture the unencrypted data?
Data is being sent from my machine to an HTTPS URL.

Also, here is the output of the wireshark --version command for reference:

wireshark --version
Wireshark 2.2.0 (v2.2.0-0-g5368c50 from master-2.2)

Copyright 1998-2016 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.3.2, with libpcap, without POSIX capabilities, with
GLib 2.36.0, with zlib 1.2.5, with SMI 0.4.8, with c-ares 1.10.0, with Lua
5.2.4, with GnuTLS 2.12.19, with Gcrypt 1.5.0, with MIT Kerberos, with GeoIP,
with QtMultimedia, without AirPcap.

Running on Mac OS X 10.11.4, build 15E65 (Darwin 15.4.0), with locale
en_US.UTF-8, with libpcap version 1.5.3 - Apple version 54, with GnuTLS 2.12.19,
with Gcrypt 1.5.0, with zlib 1.2.5.
Intel(R) Core(TM) i5-4278U CPU @ 2.60GHz (with SSE4.2)

Built using llvm-gcc 4.2.1 (Based on Apple Inc. build 5658) (LLVM build
2336.9.00).


Thanks
Question by:Rohit Bajaj
7 Comments
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 500 total points
ID: 41827366
What do you see in the SSL Debug log?
 

Author Comment

by:Rohit Bajaj
ID: 41827496
Where do I generate or find the SSL debug log?
 
LVL 57

Expert Comment

by:giltjr
ID: 41828196
On the same page where you tell Wireshark where your certs are, there is a box to put in a log name. Once you fill in the log name, Wireshark will generate a log.

Author Comment

by:Rohit Bajaj
ID: 41831147
Hi,
I have attached the SSL debug log:
ssl-debug.log
 

Author Comment

by:Rohit Bajaj
ID: 41843206
Hi, any tips on what could be missing in my setup, or any ideas from the logs?
 
LVL 57

Accepted Solution

by:giltjr
giltjr earned 500 total points
ID: 41843507
Sorry, somehow missed the e-mail that this was updated.

I need to look at this in more detail, but it looks like it is encrypting some of the SSL traffic.

The traffic that it is not decrypting looks like the SSL session started before the capture was running.  Wireshark must capture the whole SSL session.  You'll see messages like "ssl_restore_master_key can't find master secret by Session ID"

The other thing I have to check is which ciphers Wireshark can decrypt. Some ciphers exchange the keys encrypted based on a dynamically generated keypair instead of being encrypted with the public key from the certificate.
 
LVL 57

Expert Comment

by:giltjr
ID: 41843522
It looks like you started the capture after the SSL connection was up and running.

For one SSL connection you don't seem to have the correct private key.  Near the bottom of the debug log you can see "ssl_find_private_key_by_pubkey: lookup result: 0x0".  The result 0x0 means there was no private key found that matched the public key.
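The two causes giltjr points to in the accepted solution and the follow-up comment (a session that started before the capture, and a cipher suite whose key exchange the server's RSA key cannot undo) can both be read straight off the ClientHello and ServerHello. The script below is an added example, not code from this thread or from Wireshark: it parses those two records, parses the SSLKEYLOGFILE text the question mentions, and reports which of Wireshark's two decryption methods can work for the session. The hello records, the key log lines and the cipher-suite table (a small subset of the IANA registry) are constructed sample data; the function and variable names are my own.

```python
"""Triage why Wireshark cannot decrypt a TLS 1.2 session (added example, stdlib only).

Given a ClientHello record, a ServerHello record and SSLKEYLOGFILE text, report
whether the server's RSA private key can decrypt the session (plain-RSA key
exchange on a full, fully captured handshake) and whether the key log holds a
CLIENT_RANDOM entry for it.  All records and the key log below are constructed.
"""
import struct

HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 22, 1, 2

# Subset of IANA cipher suites -> (name, key exchange).  DHE/ECDHE suites derive
# the premaster secret from an ephemeral keypair, so the certificate's RSA key
# can never recover it, however complete the capture is.
CIPHER_SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA"),
    0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE"),
    0x009E: ("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "DHE"),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC02B: ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
}


def parse_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello or ServerHello."""
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE or len(record) < 5 + rlen:
        raise ValueError("not a complete handshake record")
    body = record[5:5 + rlen]
    htype, hlen = body[0], int.from_bytes(body[1:4], "big")
    msg = body[4:4 + hlen]
    if len(msg) != hlen:
        raise ValueError("truncated handshake message")
    random_ = msg[2:34]                       # 32-byte random after the version
    sid_len, pos = msg[34], 35
    session_id, pos = msg[pos:pos + sid_len], pos + sid_len
    if htype == CLIENT_HELLO:
        (cs_len,) = struct.unpack("!H", msg[pos:pos + 2])
        suites = [struct.unpack("!H", msg[i:i + 2])[0]
                  for i in range(pos + 2, pos + 2 + cs_len, 2)]
        return {"random": random_, "session_id": session_id, "cipher_suites": suites}
    if htype == SERVER_HELLO:
        (suite,) = struct.unpack("!H", msg[pos:pos + 2])
        return {"random": random_, "session_id": session_id, "cipher_suite": suite}
    raise ValueError(f"unexpected handshake type {htype}")


def parse_keylog(text: str) -> dict:
    """Map client random (hex) -> master secret (hex); malformed lines are skipped."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] != "CLIENT_RANDOM":
            continue
        rnd, secret = parts[1].lower(), parts[2].lower()
        try:  # a valid entry is a 32-byte random and a 48-byte master secret
            if len(bytes.fromhex(rnd)) == 32 and len(bytes.fromhex(secret)) == 48:
                entries[rnd] = secret
        except ValueError:
            pass
    return entries


def assess(client_hello: bytes, server_hello: bytes, keylog_text: str) -> dict:
    """Which Wireshark decryption method can work for this session, and why."""
    ch, sh = parse_hello(client_hello), parse_hello(server_hello)
    name, kx = CIPHER_SUITES.get(sh["cipher_suite"], ("unknown", "unknown"))
    # Server echoing the client's non-empty session id = abbreviated handshake:
    # no ClientKeyExchange is sent, so there is nothing for the RSA key to decrypt.
    resumed = bool(ch["session_id"]) and ch["session_id"] == sh["session_id"]
    return {"cipher_suite": name, "key_exchange": kx, "session_resumed": resumed,
            "rsa_private_key_usable": kx == "RSA" and not resumed,
            "keylog_entry_found": ch["random"].hex() in parse_keylog(keylog_text)}


def build_hello(htype: int, random_: bytes, session_id: bytes, suites: list) -> bytes:
    """Construct a minimal TLS 1.2 hello record (test data, not a real client)."""
    head = b"\x03\x03" + random_ + bytes([len(session_id)]) + session_id
    if htype == CLIENT_HELLO:
        cs = b"".join(struct.pack("!H", s) for s in suites)
        payload = head + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    else:
        payload = head + struct.pack("!H", suites[0]) + b"\x00"
    hs = bytes([htype]) + len(payload).to_bytes(3, "big") + payload
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(hs)) + hs


# Constructed sample sessions and key log.
C_RND, S_RND, SID = bytes(range(32)), bytes(range(32, 64)), b"\xaa" * 8
KEYLOG = "\n".join(["# constructed key log",
                    "CLIENT_RANDOM " + C_RND.hex() + " " + "ab" * 48,
                    "CLIENT_RANDOM deadbeef 00"])      # malformed, ignored
CH_ECDHE = build_hello(CLIENT_HELLO, C_RND, b"", [0xC02F, 0x002F])   # ECDHE chosen
SH_ECDHE = build_hello(SERVER_HELLO, S_RND, SID, [0xC02F])
CH_RSA = build_hello(CLIENT_HELLO, C_RND, b"", [0x002F])             # plain RSA
SH_RSA = build_hello(SERVER_HELLO, S_RND, SID, [0x002F])
CH_RESUMED = build_hello(CLIENT_HELLO, C_RND, SID, [0x002F])         # resumption
SH_RESUMED = build_hello(SERVER_HELLO, S_RND, SID, [0x002F])

if __name__ == "__main__":
    print(assess(CH_ECDHE, SH_ECDHE, KEYLOG), assess(CH_RESUMED, SH_RESUMED, ""))
```

In the ECDHE scenario the RSA key method is reported unusable while the key log entry matches, which is the situation the question describes (Jetty on TLS 1.2 will normally negotiate an ECDHE suite); in the resumed scenario neither method works unless the original full handshake was captured, matching the "can't find master secret by Session ID" debug message. The third cause in the last comment, "lookup result: 0x0", is a key that does not belong to the served certificate; that is checked outside this script by comparing the output of `openssl x509 -noout -modulus -in server.crt` with `openssl rsa -noout -modulus -in ssl.key` (file names assumed), which must be identical.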
