Wireshark-dev: Re: [Wireshark-dev] decrypting SSL traffic that goes through an SSL terminating
From: "DePriest, Jason R." <[email protected]>
Date: Fri, 8 Feb 2008 20:38:45 +0000
On Feb 8, 2008 8:49 AM, Sake Blok <> wrote:
> On Thu, Feb 07, 2008 at 11:40:12PM -0600, DePriest, Jason R. wrote:
> >
> > Has anyone had experience with Blue Coat's in general for this sort of
> > thing?  I can see the keyring that Blue Coat is configured to use and
> > the encrypted form of *a* key.  Even after putting it in a file and
> > converting it using openssl command-line tools into a form that
> > Wireshark should read, I get errors.
>
> Is this proxy a transparent proxy (client opens connection to
> the ip address of the website, but is redirected somehow to the
> proxy) or a full proxy (client opens connection to the proxy
> ip address).
>
> In case it is a full proxy, have you tried using the following
> in the ssl protocol settings?
>
> <ip-of-proxy>,<proxy-port>,http,<keyfile>
>
> Cheers,
>     Sake
> _________

It is a full proxy auto-configured by PAC using a wpad.dat file.

I had already tried the exact syntax you propose.  The problem seems
to be getting the right <keyfile> from the proxy.

ssl_init keys string:
10.70.4.5,8080,http,C:\Program Files\Wireshark\proxy-key.pem
ssl_init found host entry 10.70.4.5,8080,http,C:\Program
Files\Wireshark\proxy-key.pem
ssl_init addr 10.70.4.5 port 8080 filename C:\Program
Files\Wireshark\proxy-key.pem
ssl_load_key: can't import pem data
association_find: TCP port 443 found 02CBE558
ssl_association_remove removing TCP 443 - http handle 0296B868
association_add TCP port 443 protocol http handle 0296B868
association_find: TCP port 636 found 02CBE808
ssl_association_remove removing TCP 636 - ldap handle 02A08A50
association_add TCP port 636 protocol ldap handle 02A08A50
association_find: TCP port 993 found 02CBE908
ssl_association_remove removing TCP 993 - imap handle 02445280
association_add TCP port 993 protocol imap handle 02445280
association_find: TCP port 995 found 02CBEEB8
ssl_association_remove removing TCP 995 - pop handle 02A55200
association_add TCP port 995 protocol pop handle 02A55200

dissect_ssl enter frame #58 (first time)
ssl_session_init: initializing ptr 04843900 size 564
association_find: TCP port 1365 found 00000000
packet_from_server: is from server - FALSE
dissect_ssl server 10.70.4.5:8080
dissect_ssl can't find private key for this server!
client random len: 16 padded to 32

I'll try to come up with a good way to explain how I think the proxy
does what it does and send it to the list.

Thanks.

-Jason