Solved

Decrypting SSL traffic in wireshark

Posted on 2016-10-03
419 Views
Last Modified: 2016-11-30
Unable to view decrypted SSL traffic in Wireshark.
I am hosting a web application locally which is internally hitting an external https url...
I want to capture the raw data that is being sent to this url.
I am able to see the encrypted SSL data in the column with protocol TLSv1.2 and Application Data.

My application is running on a jetty server on https port 443, for which I have generated a keystore.jks file.
I decrypted the file to obtain a .pem file using the last two lines in
http://crishantha.com/wp/?p=445  (also decrypted this .pem file using openssl rsa -in private.pem -out ssl.key and used this in wireshark),
which I imported into wireshark -> preferences -> protocols -> SSL
as mentioned here:
http://www.root9.net/2012/11/ssl-decryption-with-wireshark-private.html
in Method 1.
But nothing happened.

Also I tried what is mentioned in method 2. Still the same...
The sslkeylog file does contain several entries beginning with CLIENT_RANDOM,
but I don't even see the decrypted SSL tab in wireshark.
Also if I perform Follow SSL Stream it shows a blank page...

How do I capture the unencrypted data?
Data is being sent from my machine to an https url.

Also here is the output of the wireshark --version command for reference:

wireshark --version
Wireshark 2.2.0 (v2.2.0-0-g5368c50 from master-2.2)

Copyright 1998-2016 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.3.2, with libpcap, without POSIX capabilities, with
GLib 2.36.0, with zlib 1.2.5, with SMI 0.4.8, with c-ares 1.10.0, with Lua
5.2.4, with GnuTLS 2.12.19, with Gcrypt 1.5.0, with MIT Kerberos, with GeoIP,
with QtMultimedia, without AirPcap.

Running on Mac OS X 10.11.4, build 15E65 (Darwin 15.4.0), with locale
en_US.UTF-8, with libpcap version 1.5.3 - Apple version 54, with GnuTLS 2.12.19,
with Gcrypt 1.5.0, with zlib 1.2.5.
Intel(R) Core(TM) i5-4278U CPU @ 2.60GHz (with SSE4.2)

Built using llvm-gcc 4.2.1 (Based on Apple Inc. build 5658) (LLVM build
2336.9.00).


Thanks
Question by:Rohit Bajaj
7 Comments
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 2000 total points
ID: 41827366
What do you see in the SSL Debug log?
 

Author Comment

by:Rohit Bajaj
ID: 41827496
Where do I generate or find the SSL Debug Log?
 
LVL 57

Expert Comment

by:giltjr
ID: 41828196
On the same page where you tell Wireshark where your certs are there is a box to put in a log name.  Once you fill in the log name Wireshark will generate a log.

Author Comment

by:Rohit Bajaj
ID: 41831147
Hi,
I have attached the ssl debug log:
ssl-debug.log
 

Author Comment

by:Rohit Bajaj
ID: 41843206
Hi, any tips on what could be missing in my setup, or any ideas from the logs?
 
LVL 57

Accepted Solution

by:
giltjr earned 2000 total points
ID: 41843507
Sorry, somehow missed the e-mail that this was updated.

I need to look at this in more detail, but it looks like it is encrypting some of the SSL traffic.

The traffic that it is not decrypting looks like the SSL session started before the capture was running.  Wireshark must capture the whole SSL session.  You'll see messages like "ssl_restore_master_key can't find master secret by Session ID"

The other thing I have to check is which ciphers Wireshark can decrypt.  Some ciphers exchange the keys encrypted based on a dynamically generated keypair instead of being encrypted with the public key from the certificate.
 
LVL 57

Expert Comment

by:giltjr
ID: 41843522
It looks like you started the capture after the SSL connection was up and running.

For one SSL connection you don't seem to have the correct private key.  Near the bottom of the debug log you can see "ssl_find_private_key_by_pubkey: lookup result: 0x0".  The result 0x0 means there was no private key found that matched the public key.
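An added diagnostic, not from this thread or from Wireshark itself, that turns the two debug-log signatures giltjr cites above ("can't find master secret by Session ID" and "ssl_find_private_key_by_pubkey: lookup result: 0x0") and the CLIENT_RANDOM key-log entries the asker mentions into a small Python triage script. The debug-log excerpt and key-log lines are constructed samples; the message strings are assumed to match what the thread quotes.

```python
import re

# Constructed Wireshark SSL debug log excerpt (not the asker's attached ssl-debug.log).
SAMPLE_DEBUG_LOG = """\
dissect_ssl enter frame #12 (first time)
ssl_restore_master_key can't find master secret by Session ID
ssl_find_private_key_by_pubkey: lookup result: 0x0
ssl_find_private_key_by_pubkey: lookup result: 0x7fd3a1c0
"""

# Constructed SSLKEYLOGFILE: one well-formed CLIENT_RANDOM line, then two malformed ones
# (truncated master secret, non-hex client random).
SAMPLE_KEYLOG = (
    f"CLIENT_RANDOM {'ab' * 32} {'cd' * 48}\n"
    f"CLIENT_RANDOM {'ab' * 32} deadbeef\n"
    f"CLIENT_RANDOM {'zz' * 32} {'cd' * 48}\n"
)

# NSS key log line: label, 32-byte client random (64 hex), 48-byte master secret (96 hex).
KEYLOG_RE = re.compile(r"^CLIENT_RANDOM [0-9a-fA-F]{64} [0-9a-fA-F]{96}$")
MISSING_SECRET = "can't find master secret by Session ID"
KEY_LOOKUP_RE = re.compile(r"ssl_find_private_key_by_pubkey: lookup result: (0x[0-9a-fA-F]+)\s*$")

def triage_debug_log(text):
    """Count the two failure signatures giltjr points at in the debug log."""
    counts = {"resumed_without_master_secret": 0,
              "private_key_lookup_failed": 0, "private_key_lookup_ok": 0}
    for line in text.splitlines():
        if MISSING_SECRET in line:
            # Session resumed from a handshake Wireshark never saw: capture started too late.
            counts["resumed_without_master_secret"] += 1
            continue
        m = KEY_LOOKUP_RE.search(line)
        if m:
            # 0x0 means no loaded private key matches the public key in the server certificate.
            counts["private_key_lookup_failed" if m.group(1) == "0x0"
                   else "private_key_lookup_ok"] += 1
    return counts

def check_keylog(text):
    """Return (valid_line_count, [1-based numbers of lines that are not well-formed CLIENT_RANDOM entries])."""
    valid, bad = 0, []
    for n, line in enumerate(text.splitlines(), 1):
        if KEYLOG_RE.match(line):
            valid += 1
        elif line.strip() and not line.startswith("#"):
            bad.append(n)
    return valid, bad
```

Run triage_debug_log over your own debug log and check_keylog over your SSLKEYLOGFILE: a non-zero resumed_without_master_secret count means restart the capture before the client connects, and private_key_lookup_failed means the loaded .key does not belong to the certificate the server presented.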
