
Wireshark: decrypt SSL / TLS traffic

More and more Internet traffic is transmitted in encrypted form. In particular, the Let’s Encrypt certificate authority, with its free certificates, has led even smaller websites to switch to encrypted communication; over 100 million Let’s Encrypt certificates have been issued by now. I also switched my blog to HTTPS in November 2016.

This welcome trend towards more encrypted traffic also makes analysis and troubleshooting much harder: Wireshark and similar tools cannot see inside the encrypted communication by default. One way around this is SSL decryption on the principle of a man-in-the-middle attack, which is what next-generation firewalls from Palo Alto, Check Point Software, Cisco, Sophos and others do. At home, the same can be done with tools such as mitmproxy or Burp Suite, but that is not an option for everyone. Fortunately, there is a simpler alternative: session key logging.

Of course there are restrictions here too. Client-side logging of the session keys only works with software that implements it, for example the two browsers Firefox and Chrome. When this article was first written, only RSA key exchange was supported; Diffie-Hellman (DHE) and Elliptic Curve Diffie-Hellman (ECDHE) were not. That restriction has since been lifted, see the update notes in the browser section below.

Browser

For Firefox, a new environment variable named "SSLKEYLOGFILE" must first be created. On Windows this is done in the Control Panel under "System": click "Advanced system settings" on the left and then "Environment Variables..." in the window that opens. Create the new variable "SSLKEYLOGFILE" there with the desired path; the path should not contain spaces. I chose "C:\Temp\sslkey.log":

In order for the new environment variable to take effect, the Windows user must be logged off and on again; a restart also helps.

Update: the following step is no longer necessary, because Diffie-Hellman cipher suites are now supported as well. The key log now records each session's master secret, which Wireshark can use regardless of the key-exchange method, instead of only the RSA pre-master secret.

Originally, support for the Diffie-Hellman cipher suites also had to be disabled so that the key exchange was always carried out via RSA. This is done via "about:config": search for "dhe" there and set every setting found to "false".

Whether this worked can be checked on the University of Hanover's cipher-suite test page: https://cc.dcsec.uni-hannover.de/check

Google's Chrome ignored this environment variable for a long time; instead, the browser had to be started with the following parameter:

Update: also no longer necessary.

Diffie-Hellman could also be deactivated in Google Chrome, though this was a little more laborious than in Firefox: the cipher suites to be disabled had to be passed as a start parameter as well:

A list of all cipher-suite hex codes can be found in the Chromium source code.

Wireshark

Wireshark has supported this feature since version 1.8.0. Start the program and open the preferences (Edit > Preferences). Expand the "Protocols" category in the tree on the left and go to the "SSL" entry (called "TLS" since Wireshark 3.0). Enter the path to the key log file created earlier in the "(Pre)-Master-Secret log filename" field.

That's it! If you now select a packet containing TLS application data, a new tab "Decrypted SSL data" appears in the bytes pane at the bottom ("Decrypted TLS" in newer versions); select it to see the plaintext. Keep in mind that anyone who can read the key log file can decrypt every session recorded in it, so treat it like a private key: remove the environment variable and delete the file once you are done.
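The same procedure from the command line on a Linux host, as an added example that is not part of the original article: a curl built against OpenSSL or NSS (both honour SSLKEYLOGFILE) stands in for the browser, tcpdump captures the traffic, and tshark, Wireshark's command-line counterpart, decrypts it using the same preference the GUI exposes as "(Pre)-Master-Secret log filename". The two helper functions inspect the key log itself and show which entry types the client wrote; this is also why the RSA-only restriction mentioned at the start went away: a CLIENT_RANDOM line carries the master secret of any cipher suite, while the legacy RSA line is only usable with RSA key exchange. The file names, the URL and the sample entries in the comments are illustrative assumptions, not values from the article.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): session-key logging and
# TLS decryption from the command line. Assumes a Linux host with curl
# (OpenSSL or NSS build), tcpdump and tshark installed; tcpdump needs root
# or CAP_NET_RAW. The paths and URL used here are illustrative assumptions.
set -eu

# Where the TLS client will append its secrets. Anyone who can read this file
# can decrypt every session it covers, so keep it out of shared directories.
export SSLKEYLOGFILE="${SSLKEYLOGFILE:-${HOME:-/tmp}/sslkey.log}"

# keylog_valid FILE
# Returns 0 if every non-comment line matches one of the NSS key log entry
# types, 1 on a malformed line, 2 if the file cannot be read. Entry types:
#   RSA <16 hex: encrypted pre-master secret id> <96 hex: pre-master secret>
#       (legacy; only usable with RSA key exchange)
#   CLIENT_RANDOM <64 hex: client random> <96 hex: master secret>
#       (TLS 1.0-1.2; any key exchange, including DHE/ECDHE)
#   <TLS 1.3 label> <64 hex: client random> <64 or 96 hex: traffic secret>
keylog_valid() {
  [ -r "$1" ] || return 2
  ! grep -Ev '^(#|$)' "$1" | grep -Ev \
    '^(RSA [0-9a-fA-F]{16} [0-9a-fA-F]{96}|CLIENT_RANDOM [0-9a-fA-F]{64} [0-9a-fA-F]{96}|(CLIENT_EARLY_TRAFFIC_SECRET|CLIENT_HANDSHAKE_TRAFFIC_SECRET|SERVER_HANDSHAKE_TRAFFIC_SECRET|CLIENT_TRAFFIC_SECRET_0|SERVER_TRAFFIC_SECRET_0|EXPORTER_SECRET) [0-9a-fA-F]{64} ([0-9a-fA-F]{64}|[0-9a-fA-F]{96}))$' \
    >/dev/null
}

# keylog_summary FILE
# Prints "<entry type> <count>" per line, so you can see at a glance whether
# the client produced legacy RSA lines or CLIENT_RANDOM / TLS 1.3 secrets.
keylog_summary() {
  awk '!/^#/ && NF >= 3 { n[$1]++ } END { for (k in n) printf "%s %d\n", k, n[k] }' "$1" \
    | LC_ALL=C sort
}

# capture_and_decrypt URL PCAP
# Captures one HTTPS request made by curl (which writes its secrets to
# $SSLKEYLOGFILE) and lets tshark decrypt it with the key log. The preference
# is tls.keylog_file on Wireshark/tshark 3.0 and later; older releases call
# it ssl.keylog_file. Needs network access and capture privileges.
capture_and_decrypt() {
  local url=$1 pcap=$2 host tcpdump_pid
  host=$(printf '%s\n' "$url" | sed -E 's#^https?://([^/:]+).*#\1#')
  tcpdump -i any -w "$pcap" "host $host and tcp port 443" 2>/dev/null &
  tcpdump_pid=$!
  sleep 1                                   # give tcpdump time to attach
  curl -sS --http1.1 -o /dev/null "$url"    # HTTP/1.1 so "-Y http" matches below
  sleep 1                                   # let the last packets be written
  kill "$tcpdump_pid"
  wait "$tcpdump_pid" 2>/dev/null || true
  tshark -r "$pcap" -o "tls.keylog_file:$SSLKEYLOGFILE" -Y http \
    -T fields -e frame.number -e _ws.col.Info
}

# Typical run (not executed here because it needs network and privileges):
#   capture_and_decrypt https://example.com/ /tmp/example.pcap
#   keylog_summary "$SSLKEYLOGFILE"
```

On Windows the equivalent is the environment variable and the Wireshark preference described above; the key log format is the same, so keylog_valid and keylog_summary can be run against a file produced by Firefox or Chrome as well. The log is append-only, which is convenient while debugging and exactly why it should be deleted afterwards.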

Sources

  • https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format
  • https://wireshark.no/index.php/2016/08/25/decrypting-ssl-traffic-with-wireshark/
  • https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/
  • http://joji.me/en-us/blog/walkthrough-decrypt-ssl-tls-traffic-https-and-http2-in-wireshark
  • https://www.m00nie.com/2015/05/decrypt-https-ssltls-with-wireshark/
  • https://wiki.wireshark.org/SSL