Wireshark-users: Re: [Wireshark-users] SSL decryption -- RSA Key format



From: Vijay Sitaram <vjatfugen@xxxxxxxxx>
Date: Wed, 1 Nov 2006 19:23:32 -0800 (PST)

Hi Brian,
 
     Thanks for confirming that SSL decryption worked.  So far I have not been able to get the decryption working on my end.
 
    Can you please confirm the version of gnutls and libgcrypt that you are using?  Also, it would be great if you can copy and paste the output from ssldebug.txt.
 
     Kind regards,
 
Vijay


"Baker, Brian" <brian@xxxxxxxxxxxxxxxxxxxxx> wrote:
I was using the Wireshark GUI (on Win32).  The steps you listed below were the same ones I had seen elsewhere and they worked correctly.
 
Brian Baker
 
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Vijay Sitaram
Sent: Friday, October 27, 2006 7:12 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] SSL decryption -- RSA Key format
 
Are you using Wireshark or the command line 'tshark' for this decryption?  I have been trying to decrypt SSL traffic for the last couple of weeks but have not been successful as of yet.
 
    Here are the steps to export an IIS certificate to a private key file:
  1. Click on View Certificate under Directory Security tab (when viewing the Default Web Site Properties).
  2. Click on Details tab and Copy To File…
  3. Click on Next for the Certificate Export wizard.
  4. Choose Yes under Export Private Key option and click on Next.
  5. Uncheck Enable strong protection option and click on Next.
  6. Click on Next on the password dialog (don't enter a password).
  7. Enter a file name such as C:\Temp\www.something.com-w3svc.pfx and click on Next.
  8. Click on Finish and Click on OK.
  9. Copy the exported file to a machine running OpenSSL and execute the following command:
     openssl pkcs12 -in /path/to/www.something.com-w3svc.pfx -out /path/to/www.something.com-w3svc-Key.pem -nodes -nocerts
   In theory you should then be able to use a command such as the following to decrypt SSL traffic:
tshark -V -r rsasnakeoil2.cap -o "ssl.keys_list: 127.0.0.1,443,http,/path/to/snakeoil2/rsasnakeoil2.key" -o "ssl.debug_file: /path/to/snakeoil2/ssldebug.txt" > output.txt

  Please share your experiences if your decryption attempts are successful.
 
  Kind regards,
 
Vijay
 
 
 
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users
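
Added example, not part of the original thread or of Wireshark: a shell check that the PEM file written in step 9 is what `-nodes -nocerts` should produce (an unencrypted private key, no certificates) and which PEM form the key is in. The helper names `check_key_pem` and `write_sample_pem` and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). check_key_pem and write_sample_pem
# are hypothetical helper names; the sample key body is a placeholder.

# Classify the file written by: openssl pkcs12 ... -nodes -nocerts
check_key_pem() {
    f=$1
    [ -r "$f" ] || { echo "unreadable"; return 1; }
    # -nocerts should have kept certificates out of the file.
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$f"; then
        echo "contains-certificate"; return 1
    fi
    # -nodes should have left the key unencrypted. PKCS#8 encryption shows
    # in the header line, traditional PEM encryption in a Proc-Type line.
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f" ||
       grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
        echo "encrypted-key"; return 1
    fi
    if grep -q -e '-----BEGIN RSA PRIVATE KEY-----' "$f"; then
        kind=pkcs1      # traditional RSA form
    elif grep -q -e '-----BEGIN PRIVATE KEY-----' "$f"; then
        kind=pkcs8      # algorithm-neutral form
    else
        echo "no-private-key"; return 1
    fi
    # openssl pkcs12 writes "Bag Attributes" text ahead of the PEM block.
    if grep -q '^Bag Attributes' "$f"; then
        echo "$kind-with-bag-attributes"
    else
        echo "$kind"
    fi
}

# Constructed sample shaped like pkcs12 output; the body is not a real key.
write_sample_pem() {
    cat > "$1" <<'EOF'
Bag Attributes
    localKeyID: 01 00 00 00
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQtUExBQ0VIT0xERVI=
-----END RSA PRIVATE KEY-----
EOF
}

sample=$(mktemp)
write_sample_pem "$sample"
check_key_pem "$sample"
rm -f "$sample"
```

The check is textual only; `openssl rsa -in <file> -check -noout` confirms that the key itself parses and is consistent.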

