Wireshark-users: [Wireshark-users] how to decrypt TLSv1 traffic

From: "Nik Kolev" <nkolev@xxxxxxxxxxxxxxxxxxxxxxx>
Date: Mon, 9 Jun 2008 16:23:49 -0400

Hi,

I am wondering whether the TLSv1 traffic for the webapp I am working on can be decrypted. More precisely I am interested in decrypting the traffic that contains HTTP messages.

Here’s the environment info:

o IE (but I can use Firefox if needed) talking to a JBoss-contained webapp
o all traffic over SSL (TLSv1)
o TLS's "Server Hello" message says:

Secure Socket Layer
    TLSv1 Record Layer: Handshake Protocol: Server Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 74
        Handshake Protocol: Server Hello
            Handshake Type: Server Hello (2)
            Length: 70
            Version: TLS 1.0 (0x0301)
            Random
            Session ID Length: 32
            Session ID: DFC934A0A89626A9FF048DBC2D9B9595EFE88AFEB078E06D...
            Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
            Compression Method: null (0)

I saw a blog post somewhere discussing that you can "pass" the path to the file which stores the negotiated encryption key to Wireshark and (given that Wireshark has been linked against a given library) get the encrypted payload decrypted. I don't know if this applies to my scenario (not sure whether IE writes the key to the file system, ...).

Thanks for your help,

-nik
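Added example (not from the original mail or from the Wireshark project): a small parser for the Server Hello record quoted above that extracts the negotiated cipher suite and reports whether its key exchange is static RSA, the case in which a dissector holding the server's own RSA private key can recover the premaster secret, as opposed to (EC)DHE suites, where only a session-key log from the client would do. The record bytes, random value and session id are constructed to match the dissection shown, and the cipher-suite table is a hand-picked subset of the IANA registry.

```python
import struct

# Small subset of IANA cipher suite ids -> names (constructed table; covers the page's suite).
CIPHER_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
}

# Constructed record matching the dissection in the mail: Handshake (22), TLS 1.0,
# record length 74, ServerHello (2) length 70, 32-byte session id, suite 0x0004, null compression.
SAMPLE_RECORD = (bytes.fromhex("160301004a" "02000046" "0301")
                 + bytes(range(32))              # Random (constructed)
                 + bytes([32]) + bytes(range(32, 64))  # Session ID length + id (constructed)
                 + bytes.fromhex("0004" "00"))   # Cipher Suite, Compression Method

def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello and return its negotiated parameters."""
    content_type, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 22:
        raise ValueError("not a Handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    if hs_type != 2 or hs_len != len(body) - 4:
        raise ValueError("not a well-formed ServerHello")
    hs = body[4:]
    version = struct.unpack("!H", hs[:2])[0]   # then 32 bytes of Random
    sid_len = hs[34]
    off = 35 + sid_len
    suite, comp = struct.unpack("!HB", hs[off:off + 3])
    return {"version": version, "session_id": hs[35:off].hex().upper(),
            "cipher_suite": suite, "compression": comp}

def key_exchange(suite_id: int) -> str:
    """Key-exchange part of the suite name, e.g. 'RSA' or 'DHE_RSA'; 'unknown' if not in the table."""
    name = CIPHER_SUITES.get(suite_id)
    return "unknown" if name is None else name[len("TLS_"):name.index("_WITH_")]

def decryptable_with_server_key(suite_id: int) -> bool:
    """True only for static RSA key exchange: the server's private key unwraps the premaster secret."""
    return key_exchange(suite_id) == "RSA"

if __name__ == "__main__":
    hello = parse_server_hello(SAMPLE_RECORD)
    print(hex(hello["cipher_suite"]), key_exchange(hello["cipher_suite"]),
          "server-key decryptable:", decryptable_with_server_key(hello["cipher_suite"]))
```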