Wireshark-users: Re: [Wireshark-users] how to decrypt TLSv1 traffic
From: "Nik Kolev" <[email protected]>
Date: Wed, 11 Jun 2008 11:20:11 -0400
> > >
> > > I saw a blog post somewhere discussing that you can "pass" the to
> > > the file which stores the negotiated encryption key to wireshark
> > > (given that wireshark has been linked against a given library) get the
> > > encrypted payload decrypted. I don't know if this applies to my scenario
> > > (not sure whether IE writes the key to the file system,...)...
> >
> > With most ciphers (including the one that was chosen in the
> > displayed server-hello), wireshark can do the decryption when
> > you supply the private key of the server (see the ssl protocol
> > preferences).
> I need more help here.
> So I obtained the private RSA key, placed it under
> u:\ssl-keys\private-rsa.key and made the following entry in the SSL
> preferences' "RSA key list:" text field -
> Then I started capturing packets but the http payload is still showing
> as encrypted data. Look below for the server hello and the app data
> messages. Poking in the dark, I also specified an SSL debug file, but
> nothing got dumped in there.

Actually I got a debug dump when I saved the capture to a file and
re-analyzed it in Wireshark:
ssl_init found host entry,443,http,U:\ssl-keys\prism-private-rsa.key
ssl_init addr port 443 filename
ssl_load_key: can't import pem data

And the key:
[[email protected] ssl-keys]$ pwd
[[email protected] ssl-keys]$ cat prism-private-rsa.key 
<some more base64 encoding>

[[email protected] ssl-keys]$

I am pretty sure the RSA key is not password protected, but don't know
why I am getting "ssl_load_key: can't import pem data"????
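
The "can't import pem data" line in the debug dump above concerns the container format of the key file. As an added example (not part of the original message and not Wireshark's code), this Python helper reports what container a key file's bytes are in: PEM label, passphrase protection, DER, or stray bytes around the armor. The function names and sample inputs are constructed for illustration, and the thread does not say which of these formats a given Wireshark build accepts.

```python
import base64
import re

# What each PEM armor label says about the container (labels as written by OpenSSL).
LABELS = {
    "RSA PRIVATE KEY": "traditional RSA private key (PKCS#1)",
    "PRIVATE KEY": "unencrypted PKCS#8 private key",
    "ENCRYPTED PRIVATE KEY": "passphrase-protected PKCS#8 private key",
    "CERTIFICATE": "certificate, not a private key",
}
ARMOR = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def inspect_key(data: bytes) -> list:
    """Return findings about the container format of a key file's bytes."""
    match = ARMOR.search(data)
    if match is None:
        # DER is raw ASN.1 and starts with a SEQUENCE tag (0x30).
        return ["binary DER, not PEM" if data[:1] == b"\x30" else "no PEM armor found"]
    label = match.group(1).decode("ascii")
    findings = [LABELS.get(label, "unrecognised PEM label: " + label)]
    body = match.group(2)
    if b"Proc-Type: 4,ENCRYPTED" in body:
        findings.append("passphrase-protected (Proc-Type/DEK-Info headers)")
    else:
        try:
            base64.b64decode(b"".join(body.split()), validate=True)
        except ValueError:
            findings.append("body is not valid base64")
    if data.startswith(b"\xef\xbb\xbf"):
        findings.append("UTF-8 byte-order mark before the armor")
    if data[:match.start()].strip(b"\xef\xbb\xbf \t\r\n"):
        findings.append("extra text before the BEGIN line")
    if b"\r\n" in data:
        findings.append("CRLF line endings")
    return findings


def sample_pem(label: bytes, headers: bytes = b"") -> bytes:
    """Build a constructed PEM file; the body is filler text, not key material."""
    body = base64.encodebytes(b"constructed sample body, not a real key")
    return b"-----BEGIN " + label + b"-----\n" + headers + body + b"-----END " + label + b"-----\n"


if __name__ == "__main__":
    enc = b"Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n"
    print(inspect_key(sample_pem(b"RSA PRIVATE KEY")))
    print(inspect_key(sample_pem(b"RSA PRIVATE KEY", enc)))
    print(inspect_key(sample_pem(b"PRIVATE KEY").replace(b"\n", b"\r\n")))
    print(inspect_key(b"\x30\x82\x02\x5c\x02\x01\x00"))
```

To check a real file, pass `open(path, "rb").read()` to `inspect_key`; the helper only reads the armor and headers and never parses or prints key material.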