Re: [Security Weekly] decrypting HTTPS/SSL traffic

[Ron Bowes <ron () skullsecurity net>]

What's your ultimate goal? I usually find it easier to man in the middle
SSL connections if that's an option.
On 25 Jul 2014 06:06, "Robin Wood" <robin () digininja org> wrote:

> I'm trying to look at decrypting HTTPS/SSL traffic. I've created a
> server using openssl:
>
> openssl s_server -www -cipher AES256-SHA -key server.pem -cert
> server.crt -accept 443
>
> and connect to it using
>
> echo -e  "GET / HTTP/1.0\r\n" | openssl s_client  -connect localhost:443
>
> I'm then sniffing the traffic using tshark
>
> tshark -o "ssl.desegment_ssl_records: TRUE" -o
> "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list:
> 127.0.0.1,443,http,/etc/ssl/mine/server.pem" -o "ssl.debug_file:
> ./wireshark-log" -i lo -R "tcp.port == 443" -2
>
> This has the same server.pem file as the server so it should be able
> to decrypt things without any problems.
>
> Watching the wireshark-log file this works fine and I get cleartext in the
> log.
>
> Same if I connect through curl or wget.
>
> If I then try through either Firefox or Chrome I get a load of output
> in the log but no decrypted data. What would cause this?
>
> If I use Apache to run the server rather than openssl I don't get any
> decryption regardless of what client I get.
>
> What am I doing wrong?
>
> I'm getting most of my info from Mark's article from 2010, I've had to
> tweak a few bits but there is a difference between what I'm getting
> and what Mark got.
>
> http://securityweekly.com/2010/10/tsharkwireshark-ssl-decryption.html
>
> Robin
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail securityweekly com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail securityweekly com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com