Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.
Wireshark logo

Wireshark-users: Re: [Wireshark-users] Decrypt SSL packets using master-key?

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Sake Blok <sake@xxxxxxxxxx>
Date: Fri, 26 Dec 2008 09:14:11 +0100
On Thu, Dec 25, 2008 at 09:23:03PM -0500, Alex wrote:
> On Thu, Dec 25, 2008 at 5:59 PM, Sake Blok <sake@xxxxxxxxxx> wrote:
> > Uhmm... if you are writing a MITM proxy between the client and the
> > server, aren't you terminating the SSL sessions? In that case you are
> > doing the decryption yourself already aren't you? Otherwise you would
> > not have the (pre) master secret.
> 
> Yes, but I can't transfer the packets to Wireshark. I can easily dump
> the raw data into a file, but I can't import that file for analyzing,

OK, then I misunderstood your problem. I thought you were looking for a
way to get the cleartext data from the SSL session. But in fact you want
to analyse the cleartext data in the context of the network packets.

If I understand you correctly, the following are the case:
- You have no influence on the ciphers that the client uses
- You have no influence on the ciphers that the server accepts
- If you limit the accepted cipher list on the MITM program to non-DH
  ciphers, communication with the client fails (ie the client does not
  present non-DH ciphers in the "client hello").
- If you limit the offered ciphers in the "client hello" from the MITM
  program to the server to non-DH ciphers, the server won't set up the
  SSL session

In that case, you can not trick Wireshark into decrypting the SSL
session. But if you came this far by writing a MITM program, you might
also be able to alter the SSL dissector in Wireshark to accept Master
Secrets. Have a look at the following files in the source tree:

epan/dissectors/packet-ssl.h
epan/dissectors/packet-ssl.c
epan/dissectors/packet-ssl-utils.h
epan/dissectors/packet-ssl-utils.c

I know there is more demand for decryption of SSL sessions that use a
DH-cipher, there are just not that many situations where one can extract
the (pre) master secret to be able to do so. So if you succeed in
writing the code yourself, please attach the patch to bugzilla so that
it can be reviewed for inclusion in Wireshark.

And if you are not able to write the code yourself, then you could
file an enhancement request as mentioned earlier. But it is not said
if and when it will be picked up by anyone.

Cheers,
    Sake
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube