If you’ve read my write-up on setting up a setting up an ssl server, don’t be fooled. We’ve created a fake ssl listener that just sits on top of our apache installation and can serve us the files. We’ll get to a full blown installation eventually, but let’s walk before we can run, shall we?
How can we use wireshark to decode https traffic?
I’ll refer again to this execellent article here to walk me through the process: http://wirewatcher.wordpress.com/2010/07/20/decrypting-ssl-traffic-with-wireshark-and-ways-to-prevent-it/.
Basic HTTP transmission with gzip
First, let’s fire up wireshark and capture a normal http request. To make it easier on the eyes, we can use WireShark’s filtering to any packets other than those I’m trading with my vm, and while the data is gzipped during transmission, WireShark is nice enough to display the output to us inflated if we select the HTTP OK response sent by the server signalling that he is done transmitting:
Now, let’s take a look at same request using https over OpenSSL:
It’s clearly quite different, and makes no sense to the human eye. Bummer.
Decrypting SSL, the cheating way
Under wireshark preferences/protocols, find the SSL protocol. This allows us to add an RSA keys list we can use to decrypt SSL traffic.
For this step, you’ll need the key you created on your virtual server- I have an FTP server running on my host machine so I’ll just grab it using the virtual server’s ftp command:
To set this guy up in wireshark, I need only add him to the RSA keys list like this:
Once I click apply here, I believe I needed to submit a second request to the server for wireshark to decode it inline. I did so, and suddenly I can see normal traffic again:
You’ll notice the new HTTP protocol item in the tree below the SSL layer, now that WireShark understands how to decipher it.
Taking this one step further, and following the SSL stream on that HTTP request will show us the entire conversation as below:
Neat! But what if you don’t have that server key? Well that’s why this post is kind of cheating. Next up, we’ll explore how to decipher SSL communciations without the server key!