PaulDotCom mailing list archives
Re: [Security Weekly] decrypting HTTPS/SSL traffic
From: Chris Campbell <chris () ctcampbell com>
Date: Fri, 25 Jul 2014 14:29:29 +0100
Protocol version may be different as well...
On 25 Jul 2014, at 14:27, Chris Campbell <chris () ctcampbell com> wrote: Chrome and Firefox use the same TLS codebase and have a preference for more secure cipher suites. In this case they are probably negotiating a suite that doesn't allow decryption with just the server key.On 17 Mar 2014, at 22:13, Robin Wood <robin () digininja org> wrote: I'm trying to look at decrypting HTTPS/SSL traffic. I've created a server using openssl: openssl s_server -www -cipher AES256-SHA -key server.pem -cert server.crt -accept 443 and connect to it using echo -e "GET / HTTP/1.0\r\n" | openssl s_client -connect localhost:443 I'm then sniffing the traffic using tshark tshark -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list: 127.0.0.1,443,http,/etc/ssl/mine/server.pem" -o "ssl.debug_file: ./wireshark-log" -i lo -R "tcp.port == 443" -2 This has the same server.pem file as the server so it should be able to decrypt things without any problems. Watching the wireshark-log file this works fine and I get cleartext in the log. Same if I connect through curl or wget. If I then try through either Firefox or Chrome I get a load of output in the log but no decrypted data. What would cause this? If I use Apache to run the server rather than openssl I don't get any decryption regardless of what client I get. What am I doing wrong? I'm getting most of my info from Mark's article from 2010, I've had to tweak a few bits but there is a difference between what I'm getting and what Mark got. http://securityweekly.com/2010/10/tsharkwireshark-ssl-decryption.html Robin _______________________________________________ Pauldotcom mailing list Pauldotcom () mail securityweekly com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
_______________________________________________ Pauldotcom mailing list Pauldotcom () mail securityweekly com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
Current thread:
- [Security Weekly] decrypting HTTPS/SSL traffic Robin Wood (Jul 25)
- Re: [Security Weekly] decrypting HTTPS/SSL traffic Chris Campbell (Jul 25)
- Re: [Security Weekly] decrypting HTTPS/SSL traffic Chris Campbell (Jul 25)
- Re: [Security Weekly] decrypting HTTPS/SSL traffic John Lowry (Jul 25)
- Re: [Security Weekly] decrypting HTTPS/SSL traffic Ron Bowes (Jul 25)
- Re: [Security Weekly] decrypting HTTPS/SSL traffic Robin Wood (Jul 25)
- Re: [Security Weekly] decrypting HTTPS/SSL traffic Kevin Shaw (Jul 25)
- Re: [Security Weekly] decrypting HTTPS/SSL traffic Robin Wood (Jul 26)
- Re: [Security Weekly] decrypting HTTPS/SSL traffic Nich Ramsey (Jul 25)
- Re: [Security Weekly] decrypting HTTPS/SSL traffic Robin Wood (Jul 26)
- Re: [Security Weekly] decrypting HTTPS/SSL traffic Nich Ramsey (Jul 26)
- Re: [Security Weekly] decrypting HTTPS/SSL traffic Nich Ramsey (Jul 26)
- Re: [Security Weekly] decrypting HTTPS/SSL traffic Carlos Perez (Jul 26)
- Re: [Security Weekly] decrypting HTTPS/SSL traffic Robin Wood (Jul 25)
- Re: [Security Weekly] decrypting HTTPS/SSL traffic Chris Campbell (Jul 25)