Decrypt client-side SSL traffic in Wireshark generated by Java HttpsURLConnection
I am trying to use a GUI Java program written by someone else that is not behaving as I would expect. In the course of the program's operations, it contacts a server to pull data down, but it's not displaying the correct data. I am trying to establish whether the problem I am experiencing is network-related --- i.e. the right bits are never making it to the client.

Looking through the source code of the Java program, it appears to be using the HttpsURLConnection class to pull data from the server over SSL. What I would like to be able to do is inspect what is happening on the wire using Wireshark. My understanding is that Wireshark supports decrypting some SSL traffic if you have the relevant key(s). I do not control the server and so cannot access its private key. I do, however, control the client the program is running on. My question is, how in practice would I configure Wireshark to decrypt the SSL traffic for the scenario I have just described? Is there a specific key HttpsURLConnection uses that I can add to Wireshark? Is there something else?

I should note that I have considered simply adding logging into the Java code base, but would ultimately prefer the ground truth of a packet capture over logging, as I might miss/omit something important in the logging of a code base I don't fully understand.

Liar answered 21/7, 2012 at 11:52 Comment(0)
As you don't have access to the server's private key, Wireshark cannot be used for decrypting directly.

Even with the private key, Wireshark cannot decrypt the traffic if a cipher with perfect forward secrecy (PFS) is used.

What you need is a Man-in-the-Middle proxy that acts like an SSL server from your application's perspective and, from the server's perspective, works like the client.

There are a lot of programs that can operate as a proxy, e.g. Fiddler on .Net/Windows, Webscarab or BurpSuite (Java). For all those programs you need to export the server certificate they use and add it as a trusted certificate to your program, e.g. by specifying a suitable trust store on the command line when starting your app (see the Java property javax.net.ssl.trustStore).

Detrusion answered 21/7, 2012 at 13:57 Comment(2)
If I'm not able to decrypt the data from the server without its private key via Wireshark, how is the client application able to? Etruria
That is done by a key agreement protocol. At the end of the agreement each party (client, server) knows the secret, but the secret itself is never transferred between them. See also Diffie–Hellman key exchange (Wikipedia) Detrusion
You can extract the keys needed by Wireshark from any Java application using the extract-ssl-secrets tool.

See the troubleshooting section if it doesn't work right out of the box.

Gabie answered 13/12, 2016 at 19:01 Comment(0)
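Whichever tool produces the keys, Wireshark loads them from a text file selected under the TLS (in older releases, SSL) protocol preference "(Pre)-Master-Secret log filename", in the NSS key log format: one record per line, `LABEL client_random secret`, all fields hex. The following checker is an added example, not code from the question, the answers or the extract-ssl-secrets project; it validates such a file before you point Wireshark at it, which is the first thing to look at when a capture still shows only "Application Data" after the file is loaded. The sample key log, its hex values and the "JVM agent" named in its comment line are constructed for this example.

```python
"""Validate a TLS key log file before handing it to Wireshark.

Wireshark reads NSS-format key logs: one record per line,
"<LABEL> <client_random hex> <secret hex>". TLS <= 1.2 sessions need a
CLIENT_RANDOM line carrying the 48-byte master secret; TLS 1.3 sessions
need the per-direction traffic secrets, whose length follows the cipher
suite's hash (32 bytes for SHA-256, 48 for SHA-384).
"""
import re

# Expected secret length in bytes per label; None means hash-dependent.
LABELS = {
    "CLIENT_RANDOM": 48,                      # TLS <= 1.2 master secret
    "CLIENT_EARLY_TRAFFIC_SECRET": None,      # TLS 1.3 labels follow
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET": None,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET": None,
    "CLIENT_TRAFFIC_SECRET_0": None,
    "SERVER_TRAFFIC_SECRET_0": None,
    "EXPORTER_SECRET": None,
}
HEX = re.compile(r"^[0-9a-fA-F]+$")


def is_record(line):
    """True for lines Wireshark treats as records (not blank, not a comment)."""
    stripped = line.strip()
    return bool(stripped) and not stripped.startswith("#")


def check_line(line):
    """Return None if the line is valid (or ignorable), else a reason string."""
    if not is_record(line):
        return None
    parts = line.split()
    if len(parts) != 3:
        return "expected 3 whitespace-separated fields"
    label, client_random, secret = parts
    if label != "RSA" and label not in LABELS:
        return f"unknown label {label!r}"
    if not HEX.match(client_random) or not HEX.match(secret):
        return "non-hex field"
    if label == "RSA":
        # Legacy form: RSA <8-byte encrypted-premaster prefix> <48-byte premaster>
        if len(client_random) != 16 or len(secret) != 96:
            return "RSA line needs an 8-byte key id and a 48-byte premaster"
        return None
    if len(client_random) != 64:
        return "client_random must be 32 bytes (64 hex chars)"
    if len(secret) % 2:
        return "secret has odd hex length"
    want = LABELS[label]
    if want is not None and len(secret) != want * 2:
        return f"{label} secret must be {want} bytes"
    return None


def validate_keylog(text):
    """Return (valid_record_count, [(line_number, reason), ...])."""
    valid, errors = 0, []
    for number, line in enumerate(text.splitlines(), 1):
        reason = check_line(line)
        if reason is not None:
            errors.append((number, reason))
        elif is_record(line):
            valid += 1
    return valid, errors


def sessions_by_client_random(text):
    """Map each client_random to the set of labels logged for it, so you can
    see whether a TLS 1.3 session has both handshake and traffic secrets."""
    sessions = {}
    for line in text.splitlines():
        if is_record(line) and check_line(line) is None:
            label, client_random, _ = line.split()
            sessions.setdefault(client_random, set()).add(label)
    return sessions


# Constructed sample: repeated bytes stand in for the random values a real
# key log would contain. Lines 7 and 8 are deliberately malformed.
SAMPLE_KEYLOG = """\
# keylog written by a hypothetical JVM agent
CLIENT_RANDOM {cr1} {ms}
CLIENT_HANDSHAKE_TRAFFIC_SECRET {cr2} {s32}
SERVER_HANDSHAKE_TRAFFIC_SECRET {cr2} {s32}
CLIENT_TRAFFIC_SECRET_0 {cr2} {s32}
SERVER_TRAFFIC_SECRET_0 {cr2} {s32}
CLIENT_RANDOM {cr3} deadbeef
CLIENT_RANDOM {cr1}
""".format(cr1="11" * 32, ms="22" * 48, cr2="33" * 32, s32="44" * 32, cr3="55" * 32)


if __name__ == "__main__":
    count, problems = validate_keylog(SAMPLE_KEYLOG)
    print(f"{count} valid records")
    for number, reason in problems:
        print(f"line {number}: {reason}")
    for client_random, labels in sessions_by_client_random(SAMPLE_KEYLOG).items():
        print(client_random[:16] + "...", sorted(labels))
```

Run it against the real file instead of the sample by reading the path from `sys.argv`; a session that shows up with only handshake secrets and no `*_TRAFFIC_SECRET_0` lines explains why Wireshark decrypts the handshake but not the application data for that connection.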