Wireshark Decryption of TLS V1.2
I have traffic between clients (which send XML over HTTPS) to my IIS.

I tried to decrypt the traffic using Wireshark and the following settings:

Adding the private key: Wireshark preferences, TLS. RSA keys list

But even after setting this, I can't see the decrypted data:

Wireshark packets

Should I change any other settings to see the original data?

Freeborn answered 12/7, 2020 at 14:58

If you control the client whose traffic you're interested in, you can use a key log file to decrypt the traffic with Wireshark. See this answer for instructions. - Narcolepsy

There is a strong possibility that a Diffie-Hellman (DH) key exchange is being used here. In that case Wireshark cannot decipher SSL/TLS with a private key. You can check for this in the handshake packet.

From the Docs:

The RSA private key file can only be used in the following
circumstances:

• The cipher suite selected by the server is not using (EC)DHE.
• The protocol version is SSLv3, (D)TLS 1.0-1.2. It does not work with TLS 1.3.
• The private key matches the server certificate. It does not work with the client certificate, nor the Certificate Authority (CA) certificate.
• The session has not been resumed. The handshake must include the ClientKeyExchange handshake message.

Afrikah answered 12/7, 2020 at 15:15

Can you share what you see if you double click the fifth packet in that sequence? - Afrikah

I see it now in the client key exchange. Is there any other way to sniff and decrypt the traffic? - Freeborn

You might be able to use a pre-master secret key, but this requires a browser client. Here is a good walkthrough: comparitech.com/net-admin/decrypt-ssl-with-wireshark - Afrikah

@developerlearn999: Just read the link provided in the answer. It tells you your options. Scroll down to "TLS Decryption". - Lasagne

The easiest (or perhaps hardest) thing to do is configure your client to only send RSA ciphersuites and hope that the server will choose one. - Lasagne

@developerlearn999: It is entirely dependent on the client, e.g. this question. You also need a server that will allow RSA ciphersuites. If you want to focus on one, I would choose TLS_RSA_WITH_AES_128_CBC_SHA since it's the one ciphersuite mandated in TLS 1.2. - Lasagne
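The four conditions quoted from the Wireshark docs can be checked mechanically from the ServerHello. The script below is an added example, not code from the question, the answer or the Wireshark project: it parses a raw TLS ServerHello record (the fifth packet the answer refers to, carved out of the pcap) and reports why the RSA private key will or will not work. The cipher-suite sets are a small constructed subset of the IANA registry, and TLS 1.3 is detected by its 0x13xx suites because a TLS 1.3 ServerHello still carries legacy version 0x0303.

```python
import struct

# Key-exchange class by IANA cipher-suite id (constructed subset for this example).
STATIC_RSA_KX = {0x002F, 0x0035, 0x003C, 0x003D, 0x009C, 0x009D}          # TLS_RSA_WITH_*
EPHEMERAL_KX = {0x0033, 0x0039, 0x009E, 0xC013, 0xC014, 0xC02F, 0xC030}   # TLS_(EC)DHE_*
TLS13_SUITES = {0x1301, 0x1302, 0x1303}                                   # TLS 1.3 only

def parse_server_hello(record: bytes) -> dict:
    """Extract version, session_id and cipher suite from a TLS record carrying a ServerHello."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a Handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[:2])[0]
    sid_len = body[34]                      # after 2-byte version + 32-byte random
    sid = body[35:35 + sid_len]
    suite = struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]
    return {"version": version, "session_id": sid, "cipher_suite": suite}

def rsa_key_decryptable(client_session_id: bytes, server_hello: bytes) -> tuple:
    """Apply the Wireshark RSA-private-key conditions; returns (ok, reason)."""
    sh = parse_server_hello(server_hello)
    suite = sh["cipher_suite"]
    if suite in TLS13_SUITES or sh["version"] > 0x0303:
        return False, "TLS 1.3: no RSA key exchange, use a key log file instead"
    if suite in EPHEMERAL_KX:
        return False, "(EC)DHE key exchange: the private key cannot recover the premaster secret"
    if client_session_id and sh["session_id"] == client_session_id:
        return False, "session resumed: this handshake has no ClientKeyExchange"
    if suite in STATIC_RSA_KX:
        return True, "static RSA key exchange: the server private key decrypts the premaster secret"
    return False, f"cipher suite 0x{suite:04x} not in the example's table"

def build_server_hello(version: int, session_id: bytes, suite: int) -> bytes:
    """Constructed ServerHello record (zero random, no extensions) used as sample input."""
    body = struct.pack("!H", version) + b"\x00" * 32 + bytes([len(session_id)]) + session_id
    body += struct.pack("!HB", suite, 0)    # cipher suite + null compression
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, 0x0303, len(hs)) + hs

if __name__ == "__main__":
    for suite in (0x002F, 0xC02F, 0x1301):
        print(hex(suite), rsa_key_decryptable(b"", build_server_hello(0x0303, b"", suite)))
```

With a real capture, feed the bytes of the ServerHello record from the Wireshark packet bytes pane; the session ID from the ClientHello is needed only for the resumption check.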
