Wait there just a minute!

I’ve gotten an overwhelming response to my previous post asking for the next in the series, thanks guys!

I’m on vacation in the Middle East, so blogging is sparse, but within the next few weeks I’ll be sure to deliver. In the meantime you can find resources on retrieving SSL session keys for your local SSL connections here: https://isc.sans.edu/forums/diary/Psst+Your+Browser+Knows+All+Your+Secrets/16415/

Better still, the session key file those instructions produce can be used exactly as-is with Wireshark.
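To see what that file contains, here is an added example (my own Python, not code from this post or from the linked diary) that derives a TLS 1.2 master secret from a premaster secret the way the RFC 5246 PRF does, expands the key block from it, and formats the result as the CLIENT_RANDOM line of the NSS key log that Firefox and Chrome write when SSLKEYLOGFILE is set. The premaster secret and both handshake randoms are constructed test values, not captured from a real connection; Wireshark reads such a file through the (Pre)-Master-Secret log filename setting under the SSL protocol preferences.

```python
"""TLS 1.2 PRF (RFC 5246 section 5) and the NSS key log line Wireshark reads.

Added example, not code from the original post. PREMASTER, CLIENT_RANDOM and
SERVER_RANDOM are constructed test values, not bytes from a real handshake.
"""
import hashlib
import hmac


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256: HMAC chain A(i) = HMAC(secret, A(i-1)), output HMAC(secret, A(i) + seed)."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """master_secret = PRF(pre_master_secret, "master secret", client_random + server_random)[0..47].

    With RSA key exchange, the premaster secret is what the server's private key
    recovers from the ClientKeyExchange message; this is the step Wireshark performs
    once it has that key (or reads the master secret straight from the key log).
    """
    return prf(premaster, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes, length: int) -> bytes:
    """key_block = PRF(master_secret, "key expansion", server_random + client_random).

    Note the reversed random order compared to the master secret derivation.
    The block is later sliced into MAC keys, encryption keys and IVs per cipher suite.
    """
    return prf(master, b"key expansion", server_random + client_random, length)


def keylog_line(client_random: bytes, master: bytes) -> str:
    """One NSS key log line: CLIENT_RANDOM <32-byte client random hex> <48-byte master secret hex>."""
    return f"CLIENT_RANDOM {client_random.hex()} {master.hex()}"


# Constructed values. A real RSA premaster secret is 48 bytes: the 2-byte
# client version followed by 46 random bytes, encrypted to the server's RSA key.
PREMASTER = bytes([0x03, 0x03]) + bytes(range(46))
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))

if __name__ == "__main__":
    ms = master_secret(PREMASTER, CLIENT_RANDOM, SERVER_RANDOM)
    print(keylog_line(CLIENT_RANDOM, ms))
    # 2 * (20-byte MAC key + 16-byte AES-128 key + 16-byte IV) for AES_128_CBC_SHA
    print(key_block(ms, CLIENT_RANDOM, SERVER_RANDOM, 104).hex())
```

Each connection gets its own line keyed by the client random, which is sent in the clear in the ClientHello; that is how Wireshark matches a line in the file to the right capture stream.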

Stay tuned!

SSL Encryption – Applications of Wireshark


If you’ve read my write-up on setting up an SSL server, don’t be fooled. We’ve created a fake SSL listener that just sits in front of our Apache installation and can serve us the files. We’ll get to a full-blown installation eventually, but let’s walk before we run, shall we?

How can we use Wireshark to decode HTTPS traffic?

I’ll refer again to this excellent article to walk me through the process: http://wirewatcher.wordpress.com/2010/07/20/decrypting-ssl-traffic-with-wireshark-and-ways-to-prevent-it/.

Basic HTTP transmission with gzip

First, let’s fire up Wireshark and capture a normal HTTP request. To make it easier on the eyes, we can use Wireshark’s display filter to hide any packets other than those I’m trading with my VM. While the response body is gzipped in transit, Wireshark is nice enough to show it to us inflated if we select the HTTP 200 OK response the server sends when it is done transmitting:



SSL Transmission

Now, let’s take a look at the same request made over HTTPS to our OpenSSL listener:


It’s clearly quite different, and makes no sense to the human eye. Bummer.

Decrypting SSL, the cheating way

Under Wireshark’s Preferences > Protocols, find the SSL protocol. This lets us add an RSA keys list that Wireshark will use to decrypt SSL traffic. One caveat up front: this only works when the negotiated cipher suite uses RSA key exchange, because the private key is then what recovers the premaster secret from the ClientKeyExchange; with Diffie-Hellman (DHE/ECDHE) suites the server key alone does not help.


For this step, you’ll need the private key you created on your virtual server. I have an FTP server running on my host machine, so I’ll just grab it using the virtual server’s ftp command (fine for a lab VM; you would not move a production private key over plaintext FTP):



To set this up in Wireshark, I need only add the key to the RSA keys list, giving the server’s IP address, port, the protocol to decode (http) and the path to the key file, like this:


Once I clicked Apply, I believe I needed to submit a second request to the server for Wireshark to decode it inline. I did so, and suddenly I could see normal traffic again:


You’ll notice the new HTTP protocol item in the tree below the SSL layer, now that Wireshark understands how to decipher it.

Taking this one step further, using Follow SSL Stream on that HTTP request will show us the entire decrypted conversation as below:
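Before relying on the server key, check which cipher suite the server actually chose: the private key only recovers the premaster secret when the key exchange is plain RSA, and with DHE/ECDHE suites (the “ways to prevent it” in the article linked above) Wireshark cannot decrypt with the key alone, however correct the keys list entry is. The following is an added Python example, not code from this post: it parses a minimal TLS ServerHello record to pull out the negotiated cipher suite and reports whether the RSA keys list approach applies. The two records are constructed byte strings rather than captured packets, and the suite table is a small subset of the IANA registry that I’m assuming covers the lab setup.

```python
"""Does the negotiated cipher suite let the server's RSA private key decrypt the session?

Added example, not code from the original post. SAMPLE_RSA and SAMPLE_ECDHE are
constructed ServerHello records; CIPHER_SUITES is a hand-picked subset of IANA IDs.
"""
import struct

HANDSHAKE = 0x16      # TLS record content type
SERVER_HELLO = 0x02   # handshake message type

# Subset of IANA cipher suite IDs (assumption: extend for your own captures).
CIPHER_SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
}


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello (no extensions needed).

    Layout: type(1) version(2) length(2) | hs_type(1) hs_len(3) |
            version(2) random(32) sid_len(1) sid cipher_suite(2) compression(1) [extensions]
    """
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < hs_len or hs_len < 38:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[0:2])[0]
    rand = hello[2:34]
    sid_len = hello[34]
    pos = 35 + sid_len
    if len(hello) < pos + 3:
        raise ValueError("truncated ServerHello")
    suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    return {"version": version, "random": rand, "session_id": hello[35:pos], "cipher_suite": suite}


def server_key_decrypts(suite_id: int) -> bool:
    """True only for plain RSA key exchange, where the private key recovers the premaster secret."""
    name = CIPHER_SUITES.get(suite_id)
    if name is None:
        raise KeyError(f"unknown cipher suite 0x{suite_id:04x}")
    return name.startswith("TLS_RSA_WITH_")


def build_server_hello(suite_id: int, rand: bytes, version: int = 0x0303) -> bytes:
    """Constructed helper for the sample data: wrap a minimal ServerHello in a TLS record."""
    hello = struct.pack("!H", version) + rand + b"\x00" + struct.pack("!H", suite_id) + b"\x00"
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE]) + struct.pack("!H", version) + struct.pack("!H", len(handshake)) + handshake


# Constructed samples: one RSA-key-exchange ServerHello, one ECDHE ServerHello.
SAMPLE_RSA = build_server_hello(0x002F, bytes(range(32)))
SAMPLE_ECDHE = build_server_hello(0xC02F, bytes(range(32, 64)))

if __name__ == "__main__":
    for rec in (SAMPLE_RSA, SAMPLE_ECDHE):
        info = parse_server_hello(rec)
        name = CIPHER_SUITES[info["cipher_suite"]]
        verdict = ("RSA keys list will decrypt" if server_key_decrypts(info["cipher_suite"])
                   else "forward secrecy: needs the session keys, not the server key")
        print(f"{name}: {verdict}")
```

In a real capture the ServerHello is the second handshake message in the stream; if the suite it names is a DHE or ECDHE one, or the connection is TLS 1.3, the RSA keys list entry will not produce an HTTP layer no matter what, and you are back to needing the session keys themselves.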


Neat! But what if you don’t have that server key? Well, that’s why this post is kind of cheating. Next up, we’ll explore how to decipher SSL communications without the server key!