> >
> > I saw a blog post somewhere discussing that you can "pass" the path
to
> > the file which stores the negotiated encryption key to wireshark and
> > (given that wireshark has been linked against a given library) get
the
> > encrypted payload decrypted. I don't know if this applies to my
scenario
> > (not sure whether IE writes the key to the file system,...)...
>
> With most ciphers (including the one that was chosen in the
> displayed server-hello), wireshark can do the decryption when it
> you supply the private key of the server (see the ssl protocol
> preferences).
I need more help here.
So I obtained the private RSA key, placed it under
u:\ssl-keys\private-rsa.key and made the following entry in the SSL
preferences' "RSA key list:" text field -
10.23.45.156,443,http,u:\ssl-keys\private-rsa.key
Then I started capturing packets but the http payload is still showing
as encrypted data. Look below for the server hello and the app data
messages. Poking in the dark, I also specified an SSL debug file, but
nothing got dumped in there.
What an I doing wrong?
Thanks, -nik
ServerHello:
No. Time Source Destination Protocol
Info
528 7.392184 10.23.45.156 10.67.91.122 TLSv1
Server Hello, Change Cipher Spec, Encrypted Handshake Message
Frame 528 (176 bytes on wire, 176 bytes captured)
Ethernet II, Src: Cisco_75:9c:66 (00:0f:f7:75:9c:66), Dst: Dell_56:ac:09
(00:12:3f:56:ac:09)
Internet Protocol, Src: 10.23.45.156 (10.23.45.156), Dst: 10.67.91.122
(10.67.91.122)
Transmission Control Protocol, Src Port: https (443), Dst Port: mpfoncl
(2579), Seq: 1, Ack: 103, Len: 122
Source port: https (443)
Destination port: mpfoncl (2579)
Sequence number: 1 (relative sequence number)
[Next sequence number: 123 (relative sequence number)]
Acknowledgement number: 103 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
Window size: 5840
Checksum: 0x23a9 [correct]
Secure Socket Layer
TLSv1 Record Layer: Handshake Protocol: Server Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 74
Handshake Protocol: Server Hello
Handshake Type: Server Hello (2)
Length: 70
Version: TLS 1.0 (0x0301)
Random
Session ID Length: 32
Session ID:
4DCE1754CFEA43FBA9722F0EB3583DCCDAEEC601285B23F7...
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
Compression Method: null (0)
TLSv1 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
Content Type: Change Cipher Spec (20)
Version: TLS 1.0 (0x0301)
Length: 1
Change Cipher Spec Message
TLSv1 Record Layer: Handshake Protocol: Encrypted Handshake Message
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 32
Handshake Protocol: Encrypted Handshake Message
AppData:
No. Time Source Destination Protocol
Info
644 7.410697 10.23.45.156 10.67.91.122 TLSv1
Application Data
Frame 644 (426 bytes on wire, 426 bytes captured)
Ethernet II, Src: Cisco_75:9c:66 (00:0f:f7:75:9c:66), Dst: Dell_56:ac:09
(00:12:3f:56:ac:09)
Internet Protocol, Src: 10.23.45.156 (10.23.45.156), Dst: 10.67.91.122
(10.67.91.122)
Transmission Control Protocol, Src Port: https (443), Dst Port: mpfoncl
(2579), Seq: 123, Ack: 78351, Len: 372
Source port: https (443)
Destination port: mpfoncl (2579)
Sequence number: 123 (relative sequence number)
[Next sequence number: 495 (relative sequence number)]
Acknowledgement number: 78351 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
Window size: 32767
Checksum: 0x46af [correct]
Secure Socket Layer
TLSv1 Record Layer: Application Data Protocol: http
Content Type: Application Data (23)
Version: TLS 1.0 (0x0301)
Length: 367
Encrypted Application Data:
8DB3F75B5A80A50CB11FC4FE15EF6E061A060CAE5C985CF0...
