Cisco Support Community

SSL: capture packet decode method

 

Introduction:

This document describes a method of decoding SSL communication using a capture file and a private key.

Core Issue:

 

SSL communication is encrypted and therefore highly secure, but the encryption can become an obstacle when troubleshooting. This document therefore introduces a method of decoding SSL communication using a capture file and a private key.

Resolution:

 

1) If the private key is locked by a password, convert it to a key without a password first.

 

 

# openssl rsa -in sv_key.pem -out private_key.pem

Enter pass phrase for sv_key.pem:

writing RSA key

 

 

2) Start Wireshark and select Edit -> Preferences -> Protocols -> SSL.

ssl_decode_01.png

3) Fill in the RSA keys list and SSL debug file fields. When you hover the mouse pointer over a box, help text indicating what to enter appears.

 

In this example, the file is placed directly under the C drive, so configure it as follows:

 

RSA keys list : 192.168.71.100,443,http,c:\private_key.pem

SSL debug file: c:\ssl_debug.txt (Create an empty file)

 

ssl_decode_en_02.png

ssl_decode_03.png

 

When you open the capture file after configuration, the decoded result will appear as shown below.

ssl_decode_04.png

 

The message on line 8 below reads "Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message." When decoded, "Encrypted Handshake Message" reads "Finished."

When you decode this file, you can see that the Finished message is sent as explained above.

ssl_decode_05.png

 

 

See the following link on how to use Wireshark.

http://wiki.wireshark.org/SSL

 

 

Note:

The procedures described here are to be used for troubleshooting purposes only.

Also, be very careful when handling private keys and passwords.

 

Related Information

Original Document: Cisco Support Community Japan DOC-12567

Author: Yuji Shimazaki

Posted on August 12, 2010

https://supportforums.cisco.com/docs/DOC-12567
