Decrypting TLS/SSL traffic with Wireshark

Peter Kacherginsky
Apr 12, 2009

Wireshark is capable of decrypting TLS/SSL traffic when certain conditions are met:

  • Wireshark was compiled with SSL decryption support (--with-gnutls)
  • RSA is used for key exchange
  • You have the server’s private key in PEM format (convert if necessary)
  • You can capture the initial TLS/SSL handshake

Configuring

Wireshark needs to be configured for SSL decryption by defining a specially formatted string which contains the server’s IP address, port number, protocol, and the location of a private key file.

In the GUI, select Edit -> Preferences.

Next select Protocols -> SSL and fill in the “RSA keys list:” field with a semicolon-separated list of private RSA keys used for SSL decryption. Each list entry must be in the form IP,PORT,PROTOCOL,KEYFILE, where KEYFILE is the local file name of the RSA private key used by the server (or the name of a file containing such a list). In this example we will add the string 127.0.0.1,443,http,/tmp/privkey.pem;

You can also manually edit the ssl.keys_list parameter in the ~/.wireshark/preferences file. Here is a sample entry for a local SSL server with a test private key in /tmp/privkey.pem.

ssl.keys_list: 127.0.0.1,443,http,/tmp/privkey.pem;

privkey.pem looks like the example below:

-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
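The conditions and the entry format above can be checked before opening a capture. The following is an added example, not code from the original post or from Wireshark: the function names are hypothetical, the cipher suite name is a constructed sample, and it assumes entries use a literal IP address and that the key carries the RSA PRIVATE KEY header shown above.

```python
import ipaddress

# Assumption: the key is expected to carry the header shown in the article.
PEM_HEADER = b"-----BEGIN RSA PRIVATE KEY-----"

def parse_keys_list(value):
    """Split an ssl.keys_list value into (ip, port, protocol, keyfile) tuples."""
    entries = []
    for raw in filter(None, (e.strip() for e in value.split(";"))):
        fields = [f.strip() for f in raw.split(",", 3)]  # KEYFILE comes last
        if len(fields) != 4 or not all(fields):
            raise ValueError(f"expected IP,PORT,PROTOCOL,KEYFILE, got {raw!r}")
        ip, port, proto, keyfile = fields
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        if not port.isdigit() or not 0 < int(port) < 65536:
            raise ValueError(f"bad port in {raw!r}")
        entries.append((ip, int(port), proto, keyfile))
    return entries

def key_file_problem(path):
    """Return None if the file starts with the PEM header, else the reason."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(64).lstrip()
    except OSError as exc:
        return f"cannot read key file ({exc.strerror})"
    if head.startswith(b"\x30"):  # ASN.1 SEQUENCE tag: binary DER encoding
        return "DER-encoded, convert to PEM"
    if not head.startswith(PEM_HEADER):
        return "no RSA PRIVATE KEY PEM header"
    return None

def rsa_key_exchange(cipher_suite):
    """True only for suites whose key exchange is plain RSA, not DHE/ECDHE."""
    return cipher_suite.startswith(("TLS_RSA_WITH_", "SSL_RSA_WITH_"))

def preflight(keys_list, cipher_suite):
    """List every reason the configured keys could not decrypt the session."""
    problems = []
    if not rsa_key_exchange(cipher_suite):
        problems.append(f"{cipher_suite}: key exchange is not RSA")
    for ip, port, _proto, keyfile in parse_keys_list(keys_list):
        reason = key_file_problem(keyfile)
        if reason:
            problems.append(f"{ip}:{port} {keyfile}: {reason}")
    return problems

if __name__ == "__main__":
    # Entry from the article; the cipher suite name is a constructed sample.
    for p in preflight("127.0.0.1,443,http,/tmp/privkey.pem;",
                       "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"):
        print("WARN", p)
```

Pass the cipher suite name that the server selected in its ServerHello; a DHE or ECDHE suite means the server's private key alone will not decrypt the session.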
