Decrypting TLS/SSL traffic with Wireshark
Wireshark is capable of decrypting TLS/SSL traffic when certain conditions are met:
- Wireshark was compiled with SSL decryption support (--with-gnutls)
- RSA is used for key exchange. The server's private key only recovers the pre-master secret for static RSA cipher suites (TLS_RSA_WITH_...). Suites with (EC)DHE key exchange provide forward secrecy, and TLS 1.3 always uses ephemeral key exchange, so the server key cannot decrypt those sessions.
- You have the server's private key in PEM format (convert if necessary)
- You can capture the initial TLS/SSL handshake, since the encrypted pre-master secret is sent there. A capture that starts mid-session cannot be decrypted, and a resumed session can only be decrypted together with the full handshake it resumes.
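Before hunting for a private key, it is worth checking that the capture satisfies the "RSA is used for key exchange" condition at all: the cipher suite in the server's ServerHello settles it. The following script is an added example for this page (not code from Wireshark or the Wireshark wiki); it parses a ServerHello record, looks up the negotiated suite in a hand-maintained subset of the IANA cipher-suite registry, and reports whether the server's private key could decrypt the session. The sample records at the bottom are constructed by hand, not taken from a real capture, and the supported_versions handling is what makes a TLS 1.3 server (which still writes 0x0303 as its legacy version) come out as undecryptable.

```python
"""Decide from a captured ServerHello whether Wireshark's RSA private-key
decryption can work at all: the negotiated suite must use static RSA key
exchange and the version must be below TLS 1.3.

Added example for this page, not code from Wireshark. The cipher-suite
table is a subset of the IANA registry; the sample records at the bottom
are constructed by hand, not taken from a real capture."""
import struct

# IANA code -> (suite name, key-exchange family). "RSA" = static RSA
# (decryptable with the server key); DHE/ECDHE = forward secrecy; TLS1.3
# suites name no key exchange because 1.3 is always ephemeral.
CIPHER_SUITES = {
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "RSA"),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x003C: ("TLS_RSA_WITH_AES_128_CBC_SHA256", "RSA"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA"),
    0x009D: ("TLS_RSA_WITH_AES_256_GCM_SHA384", "RSA"),
    0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE"),
    0x0039: ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "DHE"),
    0x009E: ("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "DHE"),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE"),
    0xC014: ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "ECDHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE"),
    0xC02B: ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC02C: ("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "ECDHE"),
    0xCCA8: ("TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "ECDHE"),
    0x1301: ("TLS_AES_128_GCM_SHA256", "TLS1.3"),
    0x1302: ("TLS_AES_256_GCM_SHA384", "TLS1.3"),
    0x1303: ("TLS_CHACHA20_POLY1305_SHA256", "TLS1.3"),
}
VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SUPPORTED_VERSIONS_EXT = 43


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record (type 0x16) carrying a ServerHello (type 0x02).
    Returns the negotiated version, cipher suite code, name and kx family."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("record does not carry a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) < 2 + 32 + 1:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hs[0:2])[0]
    pos = 2 + 32                       # legacy_version + 32-byte server random
    pos += 1 + hs[pos]                 # session_id <0..32>
    if len(hs) < pos + 3:
        raise ValueError("truncated ServerHello")
    suite = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 3                           # cipher_suite + compression_method
    # Extensions are optional. A TLS 1.3 server keeps legacy_version at
    # 0x0303 and signals 1.3 in supported_versions, so look for it.
    if len(hs) >= pos + 2:
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        ext = hs[pos + 2:pos + 2 + ext_len]
        epos = 0
        while epos + 4 <= len(ext):
            etype, elen = struct.unpack("!HH", ext[epos:epos + 4])
            data = ext[epos + 4:epos + 4 + elen]
            if etype == SUPPORTED_VERSIONS_EXT and elen == 2:
                version = struct.unpack("!H", data)[0]
            epos += 4 + elen
    name, kx = CIPHER_SUITES.get(suite, ("unknown(0x%04x)" % suite, "unknown"))
    return {"version": version, "cipher_suite": suite, "name": name, "kx": kx}


def check_rsa_decryptable(record: bytes):
    """(ok, reason) for the page's 'RSA is used for key exchange' condition."""
    info = parse_server_hello(record)
    ver = VERSION_NAMES.get(info["version"], hex(info["version"]))
    if info["version"] >= 0x0304:
        return False, ver + ": key exchange is always ephemeral, server key cannot decrypt"
    if info["kx"] == "RSA":
        return True, "%s %s: static RSA key exchange, server private key decrypts" % (ver, info["name"])
    if info["kx"] in ("DHE", "ECDHE"):
        return False, "%s %s: forward secrecy, server private key cannot decrypt" % (ver, info["name"])
    return False, "%s %s: unknown suite, check the IANA registry" % (ver, info["name"])


def build_server_hello(legacy_version: int, suite: int, extensions: bytes = b"") -> bytes:
    """Construct a minimal ServerHello record (sample input only; random and
    session id are zero, which a real server would never send)."""
    body = struct.pack("!H", legacy_version) + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", 0x0303, len(hs)) + hs


# Constructed samples: static RSA, ECDHE, and a TLS 1.3 negotiation.
SAMPLE_RSA = build_server_hello(0x0303, 0x002F)
SAMPLE_ECDHE = build_server_hello(0x0303, 0xC02F)
SAMPLE_TLS13 = build_server_hello(
    0x0303, 0x1301, struct.pack("!HHH", SUPPORTED_VERSIONS_EXT, 2, 0x0304))

if __name__ == "__main__":
    for label, rec in (("rsa", SAMPLE_RSA), ("ecdhe", SAMPLE_ECDHE), ("tls13", SAMPLE_TLS13)):
        print(label, check_rsa_decryptable(rec))
```

To use it on a real capture, feed it the bytes of the server's first handshake record (in Wireshark: right-click the ServerHello's TLS record, Export Packet Bytes). Only the static RSA case returns True; for the other two the private key in ssl.keys_list will be loaded but nothing will decrypt.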
Configuring
Wireshark needs to be configured for SSL decryption by defining a specially formatted string which contains the server's IP address, port number, protocol, and the location of the private key file.
In the GUI select Edit -> Preferences.
Next select Protocols -> SSL and fill in the "RSA keys list:" field with a semicolon-separated list of private RSA keys used for SSL decryption; each entry has the form IP,PORT,PROTOCOL,KEYFILE. KEYFILE is the local file name of the RSA private key used by the server (or the name of a file containing such a list). In this example we add the string 127.0.0.1,443,http,/tmp/privkey.pem; (note that in Wireshark 3.0 and later the dissector and its preferences are named TLS rather than SSL).
You can also edit the ssl.keys_list parameter in the ~/.wireshark/preferences file directly. Here is a sample entry for a local SSL server with a test private key in /tmp/privkey.pem.
ssl.keys_list: 127.0.0.1,443,http,/tmp/privkey.pem;
privkey.pem looks like the example below:
-----BEGIN RSA PRIVATE KEY…
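A malformed ssl.keys_list entry or a key file in the wrong format fails silently: Wireshark simply decrypts nothing. The script below is an added example for this page (not Wireshark code) that builds the preference line in the IP,PORT,PROTOCOL,KEYFILE format described above and checks the key file for the problems that usually cause that silence: a DER-encoded key, a PKCS#8 header instead of the PKCS#1 "BEGIN RSA PRIVATE KEY" header the page shows, or a password-protected PEM. The openssl conversion hints in the messages are the editor's own, and the sample key data at the bottom is constructed (only the headers matter; it contains no real key material).

```python
"""Build and sanity-check an ssl.keys_list preference line for Wireshark.

Added example for this page, not Wireshark code. The header checks and
the openssl conversion hints are the editor's own; the sample key data
below is constructed and contains no real key."""
import ipaddress
from pathlib import Path

PKCS1_HEADER = b"-----BEGIN RSA PRIVATE KEY-----"   # the form the page shows
PKCS8_HEADER = b"-----BEGIN PRIVATE KEY-----"
ENCRYPTED_MARK = b"Proc-Type: 4,ENCRYPTED"            # legacy OpenSSL encrypted PEM


def check_key_data(head: bytes) -> list:
    """Problems with the first bytes of a candidate KEYFILE ([] means OK)."""
    if head[:1] == b"\x30":   # ASN.1 SEQUENCE: a DER key, not PEM
        return ["DER encoded; convert: openssl rsa -inform DER -in key.der -out key.pem "
                "(add -traditional on OpenSSL 3 to get the PKCS#1 header)"]
    problems = []
    if ENCRYPTED_MARK in head:
        problems.append("password-protected PEM; decrypt: openssl rsa -in key.pem -out key-plain.pem")
    if PKCS1_HEADER not in head:
        if PKCS8_HEADER in head:
            problems.append("PKCS#8 header; the page expects PKCS#1, convert: openssl rsa "
                            "-in key.pem -out key-pkcs1.pem (add -traditional on OpenSSL 3)")
        else:
            problems.append("no PEM private-key header found")
    return problems


def check_key_file(path) -> list:
    """Same checks against a file on disk, prefixed with the path."""
    p = Path(path)
    if not p.is_file():
        return ["%s: file not found" % path]
    return ["%s: %s" % (path, msg) for msg in check_key_data(p.read_bytes()[:256])]


def keys_list_entry(ip: str, port: int, protocol: str, keyfile: str) -> str:
    """One IP,PORT,PROTOCOL,KEYFILE entry, validated before it reaches Wireshark."""
    ipaddress.ip_address(ip)            # raises ValueError on a malformed address
    if not 0 < int(port) < 65536:
        raise ValueError("bad port %r" % port)
    for field in (protocol, keyfile):
        if not field or "," in field or ";" in field:
            raise ValueError("field %r would break the comma/semicolon format" % field)
    return "%s,%d,%s,%s" % (ip, int(port), protocol, keyfile)


def build_keys_list(entries) -> str:
    """Preference line for ~/.wireshark/preferences; entries are 4-tuples."""
    return "ssl.keys_list: " + "".join(keys_list_entry(*e) + ";" for e in entries)


# Constructed sample data (not real keys): only the headers matter here.
SAMPLE_PKCS1 = PKCS1_HEADER + b"\n(body omitted)\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_ENCRYPTED = PKCS1_HEADER + b"\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n(body omitted)\n"
SAMPLE_PKCS8 = PKCS8_HEADER + b"\n(body omitted)\n-----END PRIVATE KEY-----\n"
SAMPLE_DER = b"\x30\x82\x04\xa4\x02\x01\x00\x02\x82\x01\x01\x00"

if __name__ == "__main__":
    print(build_keys_list([("127.0.0.1", 443, "http", "/tmp/privkey.pem")]))
    for label, data in (("pkcs1", SAMPLE_PKCS1), ("encrypted", SAMPLE_ENCRYPTED),
                        ("pkcs8", SAMPLE_PKCS8), ("der", SAMPLE_DER)):
        print(label, check_key_data(data) or "OK")
    print(check_key_file("/tmp/privkey.pem") or "/tmp/privkey.pem: OK")
```

Run check_key_file on each KEYFILE before adding it to the list; with the page's example the output line is exactly the ssl.keys_list entry shown above.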