how to decrypt the TLS/SSL package content in wireshark pcapng log file?

1
votes

I have PEM key and RSA key on hand, when I was trying to analysis the wireshark pcapng file which logged on my networking nodes, the tls encrypted tls/ssl package contents can NOT be decrypted as shown below:

enter image description here

The pem key info printed with openssl(x509) as shown below:

Certificate:
Data:
    Version: 3 (0x2)
    Serial Number:
        17:.......................:5d
Signature Algorithm: sha256WithRSAEncryption
    Issuer: C=US, ST=Washington, L=Seattle, O=changeme changeme Company, OU=IT, CN=changeme Corporate Issuing CA 01
    Validity
        Not Before: Sep  9 09:27:27 2019 GMT
        Not After : Sep  8 09:27:27 2020 GMT
    Subject: C=US, ST=DC, L=ST, O=changeme changeme Company, OU=IT, CN=cmeptgapp.changeme.net
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (2048 bit)
            Modulus:
                00..........................................d4:
                ..............
                eb..........................................af:
                44:6f
            Exponent: 65537 (0x10001)
    X509v3 extensions:
        X509v3 Subject Key Identifier: 
            FA:58:...................3C:88
        X509v3 Authority Key Identifier: 
            keyid:AB:1......................................:21

        X509v3 CRL Distribution Points: 

            Full Name:
              URI:http://crl.changeme.com/pki/tdtd

        Authority Information Access: 
            CA Issuers - URI:http://crl.changeme.com/pki/dtfh.crt
            OCSP - URI:http://whoknows.changeme.com/whoknows
        X509v3 Key Usage: critical
            Digital Signature, Key Encipherment
        1.3............d...
        X509v3 Extended Key Usage: 
            TLS Web Server Authentication
        1............10: 
           .
        X509v3 Certificate Policies: 
            Policy: 1.3.6.1.4.1.45807.509.1.2
              CPS: http://nobody.changeme.com/policies/nobodykonows.html

        X509v3 Subject Alternative Name: 
            DNS:cmeptgapp.changeme.net
Signature Algorithm: sha256WithRSAEncryption
     05................................................:e4:
     ......................................................................
     ...................................................:7b

I have tried to decrypt the package content by:

1. edit the wireshark/preference/protocol/ssl/RSA key

2. editcap command

but unfortunately no one works, possibly I used the commands wrong. How to solve this problem?

1
networkingcertificatessl-certificatewiresharkwireshark-dissector

1 Answers

2
votes

The client and server probably exchanged keys using perfect forward secrecy (such as ECDH, DHE-RSA, ECDHE-RSA or ECDHE-ECDSA). Check the previous two packets in the TLS session.

It is not possible to decrypt the TLS traffic if you only have the private RSA key when Diffie-Hellman key exchange is used. You will instead need to log the per-session secrets by using an SSLKEYLOGFILE, as explained in the Wireshark wiki TLS page.

Another option is to decrypt the TLS traffic using a TLS proxy like PolarProxy or SSLsplit.