Marek Skrobacki

Decrypting SSL with Wireshark

Today I needed to troubleshoot a problem with some of the HTTPS requests being “lost” at the CSS loadbalancer during SSL termination. The problem was very weirdbecause it happened only if the request has been made using Firefox. Initially I was hoping that it will be a server or application level issue, but it turned out not to be the case. I could see packets going out of my machine and hitting the loadbalancer, but I didn’t see anything pass it.

I have collected independent packet captures and done some initial TCP analysis but it didn’t yield anything useful. I needed to come up with some solution that will give me ability to see unencrypted HTTP request in an encrypted stream. Given the fact that I have full access to private SSL keys it shouldn’t be a problem. Remembering one of the old BlackHat presentations that demoed sslstrip tool, I decided to look around if there is something that will be able to decrypt previously captured packets. There was no need to look far - it turns out that Wireshark supports SSL decryption natively.

How to decrypt SSL traffic with Wireshark

Step 1: Acquire private SSL key file in PEM format. In my case I had to export it to SFTP server from the loadbalancer. Ensure that you take proper care (and obviously you have necessary permissions) of the security of location you are exporting to as well as key itself.

Step 2: Place the key into a local directory on the machine you are running Wireshark on.

Step 3: Start your wireshark and load the packet capture with SSL data.

Note: It is absolutely required that capture contains full SSL handshake - which means no renegotiated sessions, etc. It is best to completely close the browser and restart it before running the capture.

Step 4: Open Preferences -> Protocols and go to “SSL”. From the right pane select “Edit” next to “RSA Keys list”.

Step 5: Complete the fields as follows:

  • IP address - that will be an IP address of the server that receives encrypted traffic.

  • Port - in most cases this will be just 443

  • Protocol - input ‘http’ as this will be wireshark dissector used to analyze decrypted traffic.

Step 6: Close all the windows by pressing OK and go back to packet file.

Step 7: If you right-click on any of the SSL encrypted packets and select “Follow SSL stream” you should see the whole transmission in plain-text.

Ssl Https Wireshark Decrypting Ssl Troubleshooting