How to Decrypt SSL and TLS Traffic using Wireshark

How to Decrypt SSL and TLS Traffic using Wireshark

http://support.citrix.com/article/ctx116557

Summary

This article describes how to decrypt SSL and TLS traffic using the Wireshark Network Protocol Analyser.

Requirements

• An understanding and general knowledge of:

• Network Traces

• Networking, TCP/IP and SSL/TLS protocols

• Certificates and the use of Public & Private Keys

• The Wireshark Network Protocol Analyser

• Wireshark software compiled with SSL decryption support

• Decrypted private key of the server or appliance in PKCS#8 PEM format (RSA)

Background

In Wireshark, the SSL dissector is fully functional and supports advanced features such as decryption of SSL, if the encryption key is provided. This is useful when troubleshooting Citrix products that use SSL or TLS encryption.

Procedure

Wireshark Settings

• Start Wireshark and open the network capture (encrypted SSL must be similar to the following screenshot).

• From the menu select Edit > Preferences.

• Expand Protocols in the Preferences window.

• Scroll down and select SSL.

• Enter the following information in the RSA keys list field, in the format <ip>,<port>,<protocol>,<key_file_name> (refer to the previous screenshot).
  Where:
  <ip> is the IP Address of the server / appliance with the private key
  <port> is usually 443 for SSL/TLS
  <protocol> is usually HTTP
  <key_file_name> is the location and file name of the private key
  Note: There are no spaces between the commas. Also, using semicolons to separate the entries, a list of private RSA keys can be entered and used for decryption.
  “<ip>,<port>,<protocol>,<key_file_name>;<ip>,<port>,<protocol>,<key_file_name>;<ip>,<port>,<protocol>,<key_file_name>”.

• Enter a location and file name for a debug file in the SSL debug file field.

• Select OK.

• Decrypt the SSL traffic now (decrypted SSL must be similar to the following screenshot).

Private Key Format

Wireshark can decrypt SSL traffic provided that you have the private key. The private key has to be in a decrypted PKCS#8 PEM format (RSA)format. You can open and look inside your key file. If it is in binary, then it is likely to be in a DER format, which cannot be used with Wireshark.

You can use OpenSSL to convert the key. For example, converting a PKCS#8 DER key to a decrypted PKCS#8 PEM format (RSA) key, at the $prompt enter the following command:

openssl pkcs8 -nocrypt -in der.key -informat DER -out pem.key -outformat PEM

Where:

der.key is the file name and path to the DER key file

pem.key is the file name and path to the PEM key file output

The Decrypted PKCS#8 PEM format (RSA) key must be similar to the following image:

Note that the key begins with:

-----BEGIN RSA PRIVATE KEY-----

If it begins with:

-----BEGIN ENCRYPTED PRIVATE KEY-----

Then the key is encrypted and needs to be decrypted with the right passphrase. You can use OpenSSL to do this.

• At the $ prompt, enter the command:
  openssl rsa
  If you enter this command without arguments, you are prompted as follows:
  read RSA key

• Enter the name of the key file to be decrypted.
  You can enter the openssl rsa command with arguments if you know the name of the private key and the decrypted PEM file.
  For example, if the private key filename is myprivkey.pvk and the decrypted filename is keyout.pem, the command is:
  openssl rsa �Cin myprivkeypvk -out keyout.pem

More Information

http://www.wireshark.org/

http://wiki.wireshark.org/SSL

http://www.wireshark.org/docs/dfref/s/ssl.html

http://www.openssl.org/docs/apps/rsa.html#EXAMPLES

http://sourceforge.net/project/showfiles.php?group_id=23617&release_id=4880