Wireshark-dev: Re: [Wireshark-dev] decrypting SSL traffic that goes through an SSL terminating
On Feb 8, 2008 5:11 PM, Sake Blok <> wrote:
> On Fri, Feb 08, 2008 at 08:38:45PM +0000, DePriest, Jason R. wrote:
> > On Feb 8, 2008 8:49 AM, Sake Blok <> wrote:
> > > On Thu, Feb 07, 2008 at 11:40:12PM -0600, DePriest, Jason R. wrote:
> > >
> > > In case it is a full proxy, have you tried using the following
> > > in the ssl protocol settings?
> > >
> > > <ip-of-proxy>,<proxy-port>,http,<keyfile>
> >
> > It is a full proxy auto-configured by PAC using a wpad.dat file.
> >
> > I had already tried the exact syntax you propose.  The problem seems
> > to be getting the right <keyfile> from the proxy.
> >
> > ssl_init keys string:
> > 10.70.4.5,8080,http,C:\Program Files\Wireshark\proxy-key.pem
> > ssl_init found host entry 10.70.4.5,8080,http,C:\Program Files\Wireshark\proxy-key.pem
> > ssl_init addr 10.70.4.5 port 8080 filename C:\Program Files\Wireshark\proxy-key.pem
> > ssl_load_key: can't import pem data
>
> Does your "proxy-key.pem" file have a heading similar to this:
>
> -----BEGIN RSA PRIVATE KEY-----
> MIICXQIBAAKBgQDDheBxxgRp9Zg/D6pGzTEx0sn4C6vkLj/ftPp62XVD8Af7VbE7
>
> If not, you need to fiddle around with OpenSSL some more.
>
> If it looks like a binary file the key is probably in DER format.
> Try: openssl rsa -in proxy-key.pem -inform DER -out proxy-key-pem.pem
>
> If it looks something like:
>
> -----BEGIN RSA PRIVATE KEY-----
> Proc-Type: 4,ENCRYPTED
> DEK-Info: DES-EDE3-CBC,0F30F91E577C7C84
>
> scqGvyiks3J+eIluLMtIRwHRBqGhN+zE1yez4SZ9373C9ttZkWPWVX0ULl1XUkjV
>
> Then the key is protected by a passphrase and unfortunately Wireshark
> is not (yet?) able to read passphrase protected key files.
> You can strip the passphrase with:
>
> openssl rsa -in proxy-key.pem -out proxy-key-cleartext.pem
>
>
> Hope this helps,
>
> Cheers,
>     Sake

The file looks like this
-----BEGIN CERTIFICATE-----
MIIC0TCCAjqgAwIBAgIEFZ0B6DANBgkqhkiG9w0BAQQFADCBrDELMAkGA1UEBhMC
(14 lines of stuff)
Kd49ym4=
-----END CERTIFICATE-----

If I save that to a file with a .cer extension, Windows opens it with
the correct information.

The Blue Coat says its certs are in PKCS#7 format which from
http://en.wikipedia.org/wiki/PKCS looks pretty standard.

Any suggestions on how to convert it properly?

I forgot to bring home the error message information in the log, sorry
about that.

-Jason
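
Added example, not part of the original thread: a Python sketch of the header check described in the quoted reply, extended to the certificate and PKCS#7 cases raised in the last message. The function name, verdict strings and sample inputs are constructed for illustration, and the base64 bodies are placeholders rather than real key material.

```python
import re

PEM_BEGIN = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")

# What each verdict means for the <keyfile> named in the SSL preference.
ADVICE = {
    "rsa-key-cleartext": "usable as <keyfile>",
    "rsa-key-encrypted": "strip the passphrase: openssl rsa -in IN -out OUT",
    "der-binary": "probably DER; try: openssl rsa -in IN -inform DER -out OUT",
    "no-private-key": "certificate data only; it contains no private key",
    "unknown": "not a recognised key format",
}

def classify_key_file(data: bytes) -> str:
    """Classify a candidate key file by its leading bytes (hypothetical helper)."""
    m = PEM_BEGIN.search(data)
    if m is None:
        # DER is binary ASN.1 and starts with a SEQUENCE tag (0x30).
        if data[:1] == b"\x30" and any(b < 0x09 or b > 0x7E for b in data[:64]):
            return "der-binary"
        return "unknown"
    label = m.group(1)
    if label == b"RSA PRIVATE KEY":
        # Legacy PEM encryption is declared in headers between BEGIN and the body.
        body = data[m.end():].split(b"-----END", 1)[0]
        if b"Proc-Type: 4,ENCRYPTED" in body:
            return "rsa-key-encrypted"
        return "rsa-key-cleartext"
    if label in (b"CERTIFICATE", b"PKCS7"):
        # Certificates and PKCS#7 bundles hold public keys, never the private key.
        return "no-private-key"
    return "unknown"

# Constructed samples; bodies are placeholders, not real key material.
SAMPLES = {
    "clear": b"-----BEGIN RSA PRIVATE KEY-----\nQUJD\n-----END RSA PRIVATE KEY-----\n",
    "encrypted": b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 b"DEK-Info: DES-EDE3-CBC,0F30F91E577C7C84\n\nQUJD\n"
                 b"-----END RSA PRIVATE KEY-----\n",
    "cert": b"-----BEGIN CERTIFICATE-----\nQUJD\n-----END CERTIFICATE-----\n",
    "der": b"\x30\x82\x02\x5d\x02\x01\x00\x02\x81\x81\x00",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        verdict = classify_key_file(blob)
        print(f"{name}: {verdict} -> {ADVICE[verdict]}")
```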