How to decrypt an SSL or TLS session by using Wireshark
[Updated on 26th October 2013]
The following blog post is the newer version of this blog post:
In this blog post, I would like to talk about decrypting SSL/TLS sessions by using Wireshark provided that you have access to the server certificate’s private key. In some cases it may be quite useful to see what is exchanged under the hood of an SSL/TLS session from troubleshooting purposes. You’ll find complete steps to do this on Windows systems. Even though there’re a couple of documentations around (you can find the references at the end of the blog post), all steps from one document doesn’t fully apply and you get stuck at some point. I tested the following steps a couple of times on a Windows 2008 server and it seems to be working fine.
Here are the details of the process:
First of all we’ll need the following tools for that process: (At least I tested with these versions)
Wireshark -> Version 1.2.8
(Win32 OpenSSL v1.0.0.a Light)
openssl -> 1.0.0a
1) We first need to export the certificate that is used by the server side in SSL/TLS session with the following steps:
Note: The Certificate export wizard could be started by right clicking the related certificate from certificates mmc and selecting “All Tasks > Export” option.
2) In the second stage, we’ll need to convert the private key file in PKCS12 format to PEM format (which is used by Wireshark) in two stages by using the openssl tool:
c:\OpenSSL-Win32\bin> openssl pkcs12 -nodes -in iis.pfx -out key.pem -nocerts -nodes
Enter Import Password: <<Password used when exporting the certificate in PKCS12 format>>
c:\OpenSSL-Win32\bin> openssl rsa -in key.pem -out keyout.pem
writing RSA key
=> After the last command, the outfile “keyout.pem” should be seen in the following format:
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
3) Now we can use the private key file in Wireshark as given below:
Note: The following dialog box could be seen by first selecting Edit > Preferences and then selecting “Protocols” from the left pane and selecting SSL at the left pane again:
- 172.17.1.1 is server IP address. This is the server using the certificate that we extracted the private key from.
- 443 is the TCP port at the server side.
- http is the protocol carried inside the SSL/TLS session
- c:\tls\keyout.pem is the name of the file which includes the converted private key
- c:\tls\debug2.txt is the name of the file which includes information about the decryption process
4) Once all is ready, you can click “Apply” to start the decryption process. Wireshark will show you the packets in the given session in an unencrypted fashion. Here is the difference between the encrypted and unencrypted versions:
a) How it is seen before Wireshark decrypts SSL/TLS session:
b) How it is seen after Wireshark decrypts SSL/TLS session:
5) Since the private key of a certificate could be considered as a password, we couldn’t ask for that from our customers given that you're troubleshooting a problem on behalf of your customers not for your environment . The following alternatives could be used in that case:
Note: It looks like a capture file decrypted by using the private key couldn’t be saved as a different capture file in unencrypted format.
- After decrypting the traffic, we could examine it in a live meeting session where the customer shares his desktop
- The decrypted packets could be printed to a file from File > Print option (by choosing the “Output to file” option)
- By right clicking one of the decrypted packets and selecting “Follow SSL Stream”, we can save the session content to a text file. The following is an example of such a file created that way:
6) More information could be found at the following links:
Hope this helps