Wireshark-dev: Re: [Wireshark-dev] decrypting SSL traffic that goes through an SSL terminating
From: Sake Blok <[email protected]>
Date: Sat, 9 Feb 2008 00:11:28 +0100
On Fri, Feb 08, 2008 at 08:38:45PM +0000, DePriest, Jason R. wrote:
> On Feb 8, 2008 8:49 AM, Sake Blok <> wrote:
> > On Thu, Feb 07, 2008 at 11:40:12PM -0600, DePriest, Jason R. wrote:
> >
> > In case it is a full proxy, have you tried using the following
> > in the ssl protocol settings?
> >
> > <ip-of-proxy>,<proxy-port>,http,<keyfile>
> 
> It is a full proxy auto-configured by PAC using a wpad.dat file.
> 
> I had already tried the exact syntax you propose.  The problem seems
> to be getting the right <keyfile> from the proxy.
> 
> ssl_init keys string:
> 10.70.4.5,8080,http,C:\Program Files\Wireshark\proxy-key.pem
> ssl_init found host entry 10.70.4.5,8080,http,C:\Program
> Files\Wireshark\proxy-key.pem
> ssl_init addr 10.70.4.5 port 8080 filename C:\Program
> Files\Wireshark\proxy-key.pem
> ssl_load_key: can't import pem data

Does your "proxy-key.pem" file has a similar heading like this:

-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDDheBxxgRp9Zg/D6pGzTEx0sn4C6vkLj/ftPp62XVD8Af7VbE7

If not, you need to fiddle around with OpenSSL some more.

If it looks like a binary file the key is probably in DER format.
Try: openssl rsa -in proxy-key.pem -inform DER -out proxy-key-pem.pem

If it looks something like:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0F30F91E577C7C84

scqGvyiks3J+eIluLMtIRwHRBqGhN+zE1yez4SZ9373C9ttZkWPWVX0ULl1XUkjV

Then the key is protected by a passphrase and unfortunately Wireshark
is not (yet?) able to read passphrase protected key files.
You can strip the passphrase with:

openssl rsa -in proxy-key.pem -out proxy-key-cleartext.pem


Hope this helps,
Cheers,
    Sake