Friday, February 15, 2008

How to Decode SSL or TLS in Wireshark

If you need to decrypt TLS/SSL traffic that you have captured with Wireshark, you can do so as long as you have the private key that was used for the session. One caveat up front: this only works when the session used RSA key exchange, where the client encrypts the pre-master secret to the server's public key. Cipher suites that use ephemeral Diffie-Hellman (DHE/ECDHE) key exchange cannot be decrypted with the server's private key, no matter what you configure.

So, assuming you are running Wireshark on your laptop and you sniff an HTTPS connection to your webserver, you must have the webserver's private key to decrypt the traffic. That is obviously not easy if you don't own the server (and therefore it is secure, duh), but when you do own it and are trying to debug or test SSL functions, being able to decrypt it is important.

Wireshark offers some basic help on their wiki - http://wiki.wireshark.org/SSL but it's rather sparse. What it is good for is telling you where the preference is and its format. The sample download on the wiki page is out of date. If you follow the instructions, they say

Set RSA keys list to 127.0.0.1,443,http,/path/to/snakeoil2.key

The file in the sample zip is actually named rsasnakeoil2.key, so either rename the file or enter the right filename, rsasnakeoil2.key, in the RSA keys list to follow the sample on the wiki.

Here are simple instructions on what you need to do to decrypt SSL/TLS:

First, ensure your version has SSL decryption compiled in. If you have a recent Windows version, it's in by default. You can check by looking for the configuration options in the Edit -> Preferences -> Protocols -> SSL screen. If they're not there, it's not compiled in (the SSL dissector needs a Wireshark build with GnuTLS/libgcrypt support). If they are there, proceed.

1) Start with the private key of the server in PEM format. If the key is in binary DER format, you must first convert it. Using OpenSSL (note the rsa subcommand; openssl with no subcommand does nothing useful here):

openssl rsa -in private.key -inform DER -out private.pem -outform PEM

2) Your key cannot have a passphrase encrypting it; if it does, strip it. Using OpenSSL (you will be prompted for the passphrase, and the output file must be protected like the original, since it is now the server's key in the clear):

openssl rsa -in private.pem -out private-nopass.pem

You will of course have at least one key per system you are talking to, and maybe even different keys per protocol, so you must tell Wireshark which system and port this key relates to.

3) Go to Edit -> Preferences in Wireshark. Then expand Protocols and click on SSL.

4) In the SSL debug file field, specify a file to log SSL decryption to. This is highly recommended; otherwise you will be stuck wondering why stuff isn't working.

Windows Example: c:\ssl-out.txt

Unix/Linux Example: /path/to/ssl-out.txt

5) In the RSA keys list, enter the associations you are going to use. The format is

ip,port,protocol,keyfile

where ip and port are the server's address and port, protocol is the dissector to hand the decrypted data to (http for HTTPS), and keyfile is the path to the PEM key. Multiple entries can be entered by separating them with a semicolon ;

Example: to decode HTTPS to your server 10.10.1.2 and your key is at c:\private-nopass.pem

10.10.1.2,443,http,c:\private-nopass.pem

Windows users can use backslashes and spaces without an issue. Unix/Linux users use forward slashes. You cannot use ~ expansion.

6) Hit OK to save your preferences.

Now when you look at an SSL session that matches the entry you configured, the decrypted contents will be shown in the packet list. You can right-click on a data packet and select Follow SSL Stream to see the conversation. If it's blank or the SSL option is disabled, the decryption did not work and you should check the SSL debug output you specified.

What you want to ensure you see is the key being loaded successfully, as in this example:

127.0.0.1,443,http,c:\test here\rsasnakeoil2.key
ssl_init found host entry 127.0.0.1,443,http,c:\test here\rsasnakeoil2.key
ssl_init addr 127.0.0.1 port 443 filename c:\test here\rsasnakeoil2.key
ssl_init private key file c:\test here\rsasnakeoil2.key successfully loaded

The last line verifies the key was loaded without error. If you don't see that, check your private key file format (remember, no passwords!) and its location. If you see the key loaded successfully but your data still isn't being decrypted, check three things: your RSA keys list entry must match your data stream (IP address, port, protocol); the key must belong to the certificate the server actually presented, since a key that loads fine but does not match the certificate decrypts nothing; and the capture must include the session's full handshake, because Wireshark derives the session keys from the encrypted pre-master secret exchanged there and cannot pick up a session midway.
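As an added example, not code from the original post, here is a shell script that wraps steps 1 and 2 and the checks above in reusable functions: converting a DER key to PEM, stripping the passphrase, confirming the key belongs to the server certificate by comparing RSA moduli, building the RSA keys list entry, and scanning the SSL debug file for the "successfully loaded" line. It assumes OpenSSL is on the PATH; the 10.10.1.2 address, the file paths and the passphrase "secret" are placeholders, and the key and certificate it works on are throwaway ones it generates itself. The tshark preference names it prints (ssl.keys_list, ssl.debug_file) are those of the SSL dissector of the post's era; releases from 3.0 on call them tls.keys_list and tls.debug_file.

```shell
#!/bin/sh
# Added example, not code from the original post: prepare a server private key
# for Wireshark's RSA keys list and check the pieces that usually go wrong.
# Assumes OpenSSL is on the PATH. Hosts, ports, key paths and the passphrase
# are placeholders; the test key and certificate are generated on the fly.
set -e

# Step 1: convert a binary DER key to PEM. The "rsa" subcommand is required.
der_to_pem() {
    openssl rsa -in "$1" -inform DER -out "$2" -outform PEM 2>/dev/null
}

# Step 2: strip the passphrase. -passin keeps this non-interactive; leave it
# out to be prompted instead. Wireshark cannot load an encrypted key at all.
strip_passphrase() {
    openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null
}

# The key must belong to the certificate the server presents, or Wireshark
# loads it happily and still decrypts nothing. Compare the RSA moduli.
key_matches_cert() {
    key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null || true)
    cert_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null || true)
    if [ -n "$key_mod" ] && [ "$key_mod" = "$cert_mod" ]; then
        echo match
    else
        echo mismatch
    fi
}

# One RSA keys list entry, in Wireshark's ip,port,protocol,keyfile format.
keys_list_entry() {
    printf '%s,%s,%s,%s' "$1" "$2" "$3" "$4"
}

# The step 4 check: scan the SSL debug file for the line that proves the key
# loaded. Prints "loaded" or "not loaded".
key_loaded_in_debug() {
    if grep -q 'private key file .* successfully loaded' "$1"; then
        echo loaded
    else
        echo "not loaded"
    fi
}

# Constructed test material: a throwaway key and self-signed certificate
# standing in for the web server's, plus the two awkward input forms the
# post describes (DER encoded, and PEM protected by a passphrase).
make_test_material() {
    openssl genrsa -out "$1/server.pem" 2048 2>/dev/null
    openssl req -new -x509 -key "$1/server.pem" -out "$1/server.crt" \
        -days 1 -subj "/CN=10.10.1.2" 2>/dev/null
    openssl rsa -in "$1/server.pem" -outform DER -out "$1/server.der" 2>/dev/null
    openssl rsa -in "$1/server.pem" -aes128 -passout pass:secret \
        -out "$1/server-enc.pem" 2>/dev/null
}

demo() {
    work=$(mktemp -d)
    make_test_material "$work"
    der_to_pem "$work/server.der" "$work/from-der.pem"
    strip_passphrase "$work/server-enc.pem" secret "$work/private-nopass.pem"
    echo "key/cert: $(key_matches_cert "$work/private-nopass.pem" "$work/server.crt")"
    entry=$(keys_list_entry 10.10.1.2 443 http "$work/private-nopass.pem")
    echo "RSA keys list entry: $entry"
    # The same two preferences from the command line, for scripted runs.
    # Preference names are those of Wireshark's SSL dissector at the time of
    # the post; releases from 3.0 on call them tls.keys_list and tls.debug_file.
    echo "tshark -r capture.pcap -o \"ssl.keys_list:$entry\" -o ssl.debug_file:/tmp/ssl-out.txt"
    rm -rf "$work"
}

# Run "sh ssl-key-prep.sh demo" to see the whole sequence end to end.
if [ "${1:-}" = demo ]; then
    demo
fi
```

The modulus comparison is the check most people skip: a key that is not the server's still loads without complaint, and the only symptom is a debug file that shows the key loaded and nothing decrypted. Keep the passphrase-free copy of the key out of your capture directory and delete it when you are done.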
