PaulDotCom mailing list archives
Re: [Security Weekly] decrypting HTTPS/SSL traffic
From: John Lowry <johnlowry () gmail com>
Date: Fri, 25 Jul 2014 07:46:22 -0700
I wonder if it is the cipher suite that Apache, Chrome, and Firefox are selecting. They could be selecting PFS by default. Also, check out viewssld if you want a daemon to handle this.

https://github.com/plashchynski/viewssld

On Mon, Mar 17, 2014 at 3:13 PM, Robin Wood <robin () digininja org> wrote:
I'm trying to look at decrypting HTTPS/SSL traffic. I've created a server using openssl:

    openssl s_server -www -cipher AES256-SHA -key server.pem -cert server.crt -accept 443

and connect to it using

    echo -e "GET / HTTP/1.0\r\n" | openssl s_client -connect localhost:443

I'm then sniffing the traffic using tshark

    tshark -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list: 127.0.0.1,443,http,/etc/ssl/mine/server.pem" -o "ssl.debug_file: ./wireshark-log" -i lo -R "tcp.port == 443" -2

This has the same server.pem file as the server so it should be able to decrypt things without any problems. Watching the wireshark-log file this works fine and I get cleartext in the log. Same if I connect through curl or wget. If I then try through either Firefox or Chrome I get a load of output in the log but no decrypted data. What would cause this?

If I use Apache to run the server rather than openssl I don't get any decryption regardless of what client I get. What am I doing wrong?

I'm getting most of my info from Mark's article from 2010, I've had to tweak a few bits but there is a difference between what I'm getting and what Mark got.

http://securityweekly.com/2010/10/tsharkwireshark-ssl-decryption.html

Robin
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail securityweekly com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
-- John Lowry
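
Added example, not part of the original thread: a Python check that reads the cipher suite the server chose out of a TLS ServerHello record and reports whether the server's RSA private key alone (the ssl.keys_list approach in the quoted message) can decrypt the session. The function names are hypothetical, the suite table is a small subset of the IANA registry, and build_server_hello constructs sample records so the block runs offline.

```python
import struct

# Subset of IANA cipher suite IDs -> (name, key exchange); extend as needed.
SUITES = {
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),  # OpenSSL: AES256-SHA
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0039: ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "DHE"),
    0xC014: ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "ECDHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
}

def server_hello_suite(record: bytes) -> int:
    """Return the cipher suite ID the server chose in a TLS ServerHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 4 or body[0] != 0x02:
        raise ValueError("not a complete ServerHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    # Layout: version(2) random(32) session_id_len(1) session_id cipher_suite(2)
    if len(hello) < 35:
        raise ValueError("truncated ServerHello")
    off = 35 + hello[34]
    if len(hello) < off + 2:
        raise ValueError("truncated ServerHello")
    return int.from_bytes(hello[off:off + 2], "big")

def classify(suite_id: int):
    """Return (name, decryptable); decryptable is None for suites not in SUITES."""
    if suite_id not in SUITES:
        return (f"0x{suite_id:04X}", None)
    name, kx = SUITES[suite_id]
    # Only RSA key exchange sends the pre-master secret encrypted to the server key.
    return (name, kx == "RSA")

def build_server_hello(suite_id: int, session_id: bytes = b"") -> bytes:
    """Constructed sample input: a minimal TLS 1.0 ServerHello record."""
    hello = (b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
             + struct.pack("!HB", suite_id, 0))
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    for sid in (0x0035, 0xC014):
        print(classify(server_hello_suite(build_server_hello(sid, bytes(32)))))
```

A DHE or ECDHE result means the session keys cannot be recovered from the server key and the capture, which matches the forward-secrecy explanation suggested in the reply.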