Without the SSLKEYLOGFILE file produced by either side of the communication exporting the keys, you cannot decrypt the traffic.You may know about Wireshark, it is GUI but what about capturing and analyzing traffic from the command line? Let's learn about tshark and its usage. The DH is ephemeral, meaning a new DH key pair is used for every connection, and it is immediately discarded after the handshake. To decrypt the recorded traffic if a DHE or ECDHE key exchange was used, you need the DH private key of either side. In the olden times, tls_dhe_rsa_with_aes_128_cbc_sha was the "good" cipher suite. In short, tls_rsa_with_aes_128_gcm_sha256 is bad, tls_ecdhe_rsa_with_aes_128_gcm_sha256 is good.
These days, we use Elliptic Curve Diffie Hellman. It is achieved by using an ephemeral Diffie Hellman key exchange instead, and authenticating the anonymous Diffie Hellman key exchange using digital signatures using the key of the certificate (so RSA signature instead of RSA encryption, or ECDSA signature for ECDSA certificates). The property of not having this weakness is called " forward secrecy" or "Perfect Forward Secrecy".
Exactly because of this property, that recorded traffic can be decrypted using the certificate's private key even after the certificate is revoked and/or expired, this was always considered a bad idea. This key exchange has been deprecated for a long time and it is simply impossible in TLS 1.3. Recorded traffic can be decrypted using the end entity (leaf) certificate's private key only when the deprecated "RSA key exchange" was used. Packet_from_server: is from server - FALSEĭecrypt_ssl3_record: using client decoderĭecrypt_ssl3_record: no decoder availableĪssociation_find: TCP port 443 found 0x5601fab91df0 Record: offset = 0, reported_length_remaining = 116ĭissect_ssl3_record found version 0x0303(TLS 1.2) -> state 0x10ĭissect_ssl3_record: content_type 23 Application Dataĭecrypt_ssl3_record: app_data len 111, ssl state 0x10Īssociation_find: TCP port 52945 found (nil) Ssl_init IPv6 addr 'any' (::) port '443' filename
Ssl_init private key file /tmp/private.key successfully loaded.Īssociation_add TCP port 443 protocol http handle 0x5601fa093e00 '/tmp/private.key' password(only for p12 file) ''
Ssl_load_key: swapping p and q parameters and recomputing u The command output just HTTP traffic,can not decrypt HTTPS.Ĭheck the ssl.log: Wireshark SSL debug logĦf:ab:57:6b:de:21:e6:e8:97:f7:2c:d6:e0:5a:7d:34. When i use command on centos: tshark -r /tmp/xx.pcap -o 'ssl.keys_list:any,443,http,/tmp/private.key' -o 'ssl.debug_file:/tmp/ssl.log' -Y http The key file include "-BEGIN PRIVATE KEY-"
0 kommentar(er)
