Reputation: 41
how to decrypt the TLS/SSL package content in wireshark pcapng log file?
I have PEM key and RSA key on hand, when I was trying to analysis the wireshark pcapng file which logged on my networking nodes, the tls encrypted tls/ssl package contents can NOT be decrypted as shown below:
The pem key info printed with openssl(x509) as shown below:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
17:.......................:5d
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Washington, L=Seattle, O=changeme changeme Company, OU=IT, CN=changeme Corporate Issuing CA 01
Validity
Not Before: Sep 9 09:27:27 2019 GMT
Not After : Sep 8 09:27:27 2020 GMT
Subject: C=US, ST=DC, L=ST, O=changeme changeme Company, OU=IT, CN=cmeptgapp.changeme.net
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00..........................................d4:
..............
eb..........................................af:
44:6f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
FA:58:...................3C:88
X509v3 Authority Key Identifier:
keyid:AB:1......................................:21
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.changeme.com/pki/tdtd
Authority Information Access:
CA Issuers - URI:http://crl.changeme.com/pki/dtfh.crt
OCSP - URI:http://whoknows.changeme.com/whoknows
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
1.3............d...
X509v3 Extended Key Usage:
TLS Web Server Authentication
1............10:
.
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.45807.509.1.2
CPS: http://nobody.changeme.com/policies/nobodykonows.html
X509v3 Subject Alternative Name:
DNS:cmeptgapp.changeme.net
Signature Algorithm: sha256WithRSAEncryption
05................................................:e4:
......................................................................
...................................................:7b
I have tried to decrypt the package content by:
1. edit the wireshark/preference/protocol/ssl/RSA key
2. editcap command
but unfortunately no one works, possibly I used the commands wrong. How to solve this problem?
Upvotes: 1
Views: 9262
Answers (1)
Reputation: 410
The client and server probably exchanged keys using perfect forward secrecy (such as ECDH, DHE-RSA, ECDHE-RSA or ECDHE-ECDSA). Check the previous two packets in the TLS session.
It is not possible to decrypt the TLS traffic if you only have the private RSA key when Diffie-Hellman key exchange is used. You will instead need to log the per-session secrets by using an SSLKEYLOGFILE, as explained in the Wireshark wiki TLS page.
Another option is to decrypt the TLS traffic using a TLS proxy like PolarProxy or SSLsplit.
Upvotes: 2
Related Questions
- Wireshark Decryption of TLS V1.2
- Decrypt TLS traffic from mobile application
- Decrypt TLS Traffic from PCAP
- Decrypting SSL/TLS traffic from a app with Wireshark
- How to view Encrypted Application Data in Wireshark
- Cannot decrypt HTTPS Traffic with Wireshark
- Decrypt client-side SSL traffic in Wireshark generated by Java HttpsURLConnection
- Decrypting HTTPS traffic in Wireshark not working
- How to read SSL/TLS Encrypted Alert code under Ephemeral RSA
- Is it possible to decrypt Wireshark packages using web browser certificates?