Decrypting TLS/SSL traffic with Wireshark

Peter Kacherginsky
Apr 12, 2009

Wireshark is capable of decrypting TLS/SSL traffic when certain conditions are met:

  • Wireshark was compiled with SSL decryption support (--with-gnutls)
  • RSA is used for key exchange
  • You have the server’s private key in PEM format (convert it if necessary)
  • You can capture the initial TLS/SSL Handshake

Configuring

Wireshark needs to be configured for SSL decryption by defining a specially formatted string that contains the server’s IP address, port number, protocol, and the location of the private key file.

In the GUI, select Edit -> Preferences.

Next select Protocols -> SSL and fill in the RSA keys list: field with a semicolon-separated list of private RSA keys used for SSL decryption; each list entry must be in the form IP,PORT,PROTOCOL,KEYFILE. KEYFILE is the local file name of the RSA private key used by the server (or the name of a file containing such a list). In this example we will add the string 127.0.0.1,443,http,/tmp/privkey.pem;

You can also manually edit the ssl.keys_list parameter in the ~/.wireshark/preferences file. Here is a sample entry for a local SSL server with a test private key in /tmp/privkey.pem.

ssl.keys_list: 127.0.0.1,443,http,/tmp/privkey.pem;

privkey.pem is a standard PEM-encoded RSA private key file, delimited by -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- lines.

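As an added example (not code from the original article), the following Python script parses and builds an ssl.keys_list value in the IP,PORT,PROTOCOL,KEYFILE form described above and checks that each referenced key file exists and carries the PEM RSA private key markers. The function names are my own, and the PEM check only inspects the markers, not the key material; as the conditions at the top state, a correct entry still only decrypts sessions that used RSA key exchange.

```python
import ipaddress
import re
from pathlib import Path

# PEM markers Wireshark expects for an RSA private key (convert other formats first).
PEM_RSA_BEGIN = "-----BEGIN RSA PRIVATE KEY-----"
PEM_RSA_END = "-----END RSA PRIVATE KEY-----"

def parse_keys_list(value):
    """Parse a semicolon-separated ssl.keys_list value into (ip, port, proto, keyfile) tuples."""
    entries = []
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue  # tolerate the trailing ';' used in the article's example
        parts = [p.strip() for p in raw.split(",")]
        if len(parts) != 4:
            raise ValueError("expected IP,PORT,PROTOCOL,KEYFILE, got %r" % raw)
        ip, port, proto, keyfile = parts
        ipaddress.ip_address(ip)  # raises ValueError if not an IPv4/IPv6 literal
        port_num = int(port)      # raises ValueError if not numeric
        if not 1 <= port_num <= 65535:
            raise ValueError("port out of range in %r" % raw)
        if not re.fullmatch(r"[a-z0-9_-]+", proto):
            raise ValueError("unexpected protocol name in %r" % raw)
        entries.append((ip, port_num, proto, keyfile))
    return entries

def build_keys_list(entries):
    """Render (ip, port, proto, keyfile) tuples back into ssl.keys_list form."""
    return "".join("%s,%d,%s,%s;" % entry for entry in entries)

def pem_problems(text):
    """Marker-only check that text holds a PEM RSA private key; returns a list of problems."""
    if PEM_RSA_BEGIN not in text or PEM_RSA_END not in text:
        return ["missing PEM RSA private key markers; convert the key to PEM first"]
    return []

def check_entries(entries):
    """Map each entry's key file to its list of problems (missing file or not PEM)."""
    report = {}
    for _ip, _port, _proto, keyfile in entries:
        path = Path(keyfile)
        if not path.is_file():
            report[keyfile] = ["key file does not exist"]
        else:
            report[keyfile] = pem_problems(path.read_text(errors="replace"))
    return report
```

Run check_entries(parse_keys_list(...)) on your own ssl.keys_list string before opening the capture; an empty problem list for every key file means the entry is at least well formed and points at a PEM RSA key.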

Decrypting

With proper configuration, Wireshark will now be able to decrypt already opened or…
