How to set up Wireshark to decrypt TLS:
A few requirements have to be met:
First, you must have the server's RSA private key. The key must be in PEM or PKCS#12 format. A PEM key starts with a -----BEGIN RSA PRIVATE KEY----- header and ends with an -----END RSA PRIVATE KEY----- footer.
Second, make sure the capture contains the whole conversation between client and server, including the full handshake. Web browsers very commonly resume existing SSL sessions to boost performance, and a resumed session skips the key exchange that Wireshark needs in order to derive the session keys. Clear the recent history and start capturing packets BEFORE starting the browser.
Third (VERY IMPORTANT), force your browser to use the RSA key exchange. If ephemeral Diffie-Hellman (cipher suites named TLS_DHE_...) or Elliptic Curve Diffie-Hellman (TLS_ECDHE_... or TLS_ECDH_...) was negotiated, the RSA key was used only to sign the handshake and not to protect the premaster secret, so the private key cannot recover the session keys. You can check this by examining the cipher suite in the Server Hello message: if it begins with TLS_DHE or TLS_ECDH you will not be able to decrypt the traffic; a suite of the form TLS_RSA_WITH_... is what you need.
To stop Firefox from using TLS_DHE and TLS_ECDHE suites, type about:config in the address bar, search for security.ssl3.dhe and set every result to false, then do the same for security.ssl3.ecdhe. Note that this only helps for TLS 1.2 and earlier: TLS 1.3 has no RSA key exchange at all, and for ephemeral suites the alternative is to have the browser log its session secrets (SSLKEYLOGFILE) and point Wireshark at that log file instead of an RSA key.
Configuring Wireshark:
Go to Edit->Preferences and from the left pane choose Protocols->SSL (Protocols->TLS in Wireshark 3.x and later). Click the Edit... button next to RSA keys list.
The information you need:
IP address: the server's address; 0.0.0.0 matches any address
Port: the corresponding port number; 0 matches any port
Protocol: the protocol carried inside the SSL layer. In this case it's http (must be lower case)
Key File: the path to the RSA private key.
Password: needed only if the key is passphrase protected.
That's all. If everything went well, Wireshark should display HTTP packets. If a port other than 443 was used, go to Analyze->Decode As... and choose SSL for that TCP port in the new window.
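The same three requirements and the decryption step can be driven from the command line with tshark, Wireshark's CLI. The script below is an added example and not code from the original post. It assumes the Wireshark 3.x field and preference names (tls.*; for the 1.x/2.x versions the post uses, set TLS_PFX=ssl), that tshark is on PATH when check_capture is called, and that the RSA key list entry passed with -o has the same ip,port,protocol,keyfile[,password] shape the preferences dialog builds. Treating a -----BEGIN PRIVATE KEY----- (PKCS#8) file as loadable is an assumption about newer builds, not something the post states.

```shell
#!/bin/sh
# Added example (not from the original post): check the three requirements and
# run the decryption with tshark instead of the GUI.
# Assumptions: Wireshark 3.x names (tls.*); set TLS_PFX=ssl for 1.x/2.x.
PFX="${TLS_PFX:-tls}"

# Requirement 3: only a static-RSA key exchange (suite name TLS_RSA_WITH_...) can
# be decrypted with the server's private key. With DHE/ECDHE/ECDH suites the RSA
# key only signs the handshake, and TLS 1.3 suites (TLS_AES_..., TLS_CHACHA20_...)
# always use an ephemeral exchange, so the private key recovers nothing.
tls_rsa_decryptable() {
    case "$1" in
        TLS_RSA_WITH_*) return 0 ;;   # premaster secret is RSA-encrypted: decryptable
        *)              return 1 ;;   # (EC)DHE, static ECDH, PSK, export, TLS 1.3: no
    esac
}

# Requirement 1: the key file must be PEM or PKCS#12. Prints one of
# rsa-pem, pkcs8-pem, encrypted-pem, pkcs12, unknown.
key_format() {
    case "$1" in
        *.p12|*.pfx) echo pkcs12; return 0 ;;
    esac
    if grep -q 'ENCRYPTED' "$1"; then
        echo encrypted-pem                 # passphrase-protected: fill in Password
    elif grep -q -- '-----BEGIN RSA PRIVATE KEY-----' "$1"; then
        echo rsa-pem                       # the header the post describes
    elif grep -q -- '-----BEGIN PRIVATE KEY-----' "$1"; then
        echo pkcs8-pem                     # PKCS#8; assumption: newer builds accept it
    else
        echo unknown
    fi
}

# The RSA key list entry the Wireshark dialog builds: ip,port,protocol,keyfile[,password].
# 0.0.0.0 and 0 mean "any address" and "any port".
keys_list() {
    if [ -n "$5" ]; then
        printf '%s,%s,%s,%s,%s\n' "$1" "$2" "$3" "$4" "$5"
    else
        printf '%s,%s,%s,%s\n' "$1" "$2" "$3" "$4"
    fi
}

# Requirement 2 plus decryption: report the suite chosen in the Server Hello
# (handshake type 2), confirm a full handshake happened (ClientKeyExchange,
# type 16, is absent on a resumed session), then list the decrypted HTTP requests.
# Usage: check_capture capture.pcap server.key [port]
check_capture() {
    pcap="$1"; key="$2"; port="${3:-443}"
    command -v tshark >/dev/null 2>&1 || { echo "tshark not found" >&2; return 2; }
    decode=""
    if [ "$port" != 443 ]; then
        decode="-d tcp.port==$port,$PFX"   # the CLI form of Analyze->Decode As...
    fi
    suite=$(tshark -r "$pcap" $decode -Y "$PFX.handshake.type == 2" -V 2>/dev/null \
            | sed -n 's/.*Cipher Suite: \(TLS_[A-Z0-9_]*\).*/\1/p' | head -n 1)
    cke=$(tshark -r "$pcap" $decode -Y "$PFX.handshake.type == 16" \
            -T fields -e frame.number 2>/dev/null | wc -l | tr -d ' ')
    echo "key file:        $(key_format "$key")"
    echo "cipher suite:    ${suite:-none found}"
    echo "full handshakes: $cke"
    if [ -z "$suite" ] || [ "$cke" -eq 0 ]; then
        echo "no full handshake in the capture; restart the browser before capturing" >&2
        return 1
    fi
    if ! tls_rsa_decryptable "$suite"; then
        echo "$suite is not an RSA key exchange; the private key cannot decrypt it" >&2
        return 1
    fi
    tshark -r "$pcap" $decode -o "$PFX.keys_list:$(keys_list 0.0.0.0 "$port" http "$key")" \
           -Y http.request -T fields -e http.host -e http.request.method -e http.request.uri
}

if [ "$#" -ge 2 ]; then
    check_capture "$@"
fi
```

The Server Hello check is the one worth running first: if the suite printed starts with TLS_DHE, TLS_ECDHE or TLS_AES, no amount of key-list configuration will help, and the time is better spent on the SSLKEYLOGFILE route.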
Common problems:
Older versions of Wireshark had problems with the GnuTLS library it uses for SSL decryption. In my case Wireshark 1.6.7, available in Ubuntu 12.04 LTS, wasn't able to decrypt the traffic, so I had to build the newest available version (1.10.5) from source.