Sunday, 11 November 2012

SSL Decryption with Wireshark (Private key and Pre-Master secret)

Troubleshooting communication problems with Wireshark can be difficult at the best of times, let alone when the connection is encrypted with SSL/TLS.
There are a couple of ways you can approach decrypting the SSL/TLS traffic. One assumes you have root access to the server you are having problems with and you're able to obtain a copy of the public and private key. If you only have access to the server as a client with no special privileges, there are still a couple of ways to take a look at the encrypted data.

Before you look at either method, it would be useful to do a little background reading on SSL/TLS as the encryption methods might not work quite as you think.
In a nutshell, when a client (in most cases, a web browser) makes a connection to a web server requiring SSL/TLS encryption, the encrypted channel is set up using a symmetric session key. This key is a random string generated by the client, known as the Pre-Master Secret, which is encrypted with the server's public key and transmitted to the server. Once shared, the client and server use this shared key to encrypt and decrypt traffic. There's a more detailed version of this here, but knowing this you should be able to see how you can decrypt the traffic using the SSL session key or the server's private key.

Method 1 : Decrypting the traffic with the server private key.

  1. You'll need the private key from the server first. This can be hidden in a variety of locations so you'll have to refer to your server documentation for where to find it. Usually it will be a single file with an extension of .CRT, .PEM, .DER or in some cases .PFX or .P12. The latter two are certificate containers which contain the private key, public key and the certificate of the issuing CA.
  2. Once you've found the private key, it will make things easier if it's in PEM format and unencrypted. The best way to do the conversion is to use OpenSSL. It can be a bit confusing at first but you'll soon get used to how it works. There is a good selection of commands here (they also offer an upload / convert tool. Not to say they're not trustworthy, but I wouldn't recommend giving your private key to anyone. Ever.)
  3. Now you have the private key, you'll need to load this into Wireshark and configure it to use this key for any traffic to or from your web server. Go to Edit > Preferences. Then Protocols > SSL. Next to the RSA keys list text, click the edit button. From here select the server's private key and enter the IP address of the web server that will be present in the capture. Select port 443 (or whichever port your application runs on) and the protocol which is inside the encrypted tunnel. In most cases, this will be HTTP but could be IMAP, SMTP etc. The password field can be left blank if you've saved the key in an unencrypted form, otherwise provide the password here. Click OK until you're back to the Wireshark main screen.
  4. Now start the capture and generate some encrypted traffic to your web server. Make sure you are using a totally new session. Clearing the cache then closing and reopening your browser would be ideal. Stop the capture when you've generated a few connections.
  5. Back in the main window, you should now find that the SSL wrapping has been removed and you're able to view the protocol details within.
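A pre-flight check for steps 1 to 3, as an added example that is not part of the original post: it reports whether a candidate file actually holds a PEM private key and whether that key needs a password. The function name and the sample files are constructed for illustration.

```python
import re

# One PEM block: -----BEGIN <label>----- ... -----END <label>-----
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def classify_key_file(data: bytes) -> str:
    """Say what a candidate key file holds before it is loaded into Wireshark."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return "binary (DER or PFX/P12): convert to PEM first"
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return "no PEM block found"
    for label, body in blocks:
        if label == "ENCRYPTED PRIVATE KEY":
            return "encrypted PKCS#8 key: password needed"
        if label.endswith("PRIVATE KEY"):
            # Legacy OpenSSL encryption is flagged in the PEM headers.
            if "Proc-Type: 4,ENCRYPTED" in body:
                return "encrypted legacy key: password needed"
            return "unencrypted private key"
    return "no private key (only: " + ", ".join(l for l, _ in blocks) + ")"

def pem(label, body="Q09OU1RSVUNURUQ="):
    """Build a constructed PEM block (the body is a placeholder, not a real key)."""
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n".encode()

# Constructed sample files covering the cases in steps 1 and 2.
CERT_ONLY = pem("CERTIFICATE")
CERT_AND_KEY = pem("CERTIFICATE") + pem("PRIVATE KEY")
LEGACY_ENC = pem("RSA PRIVATE KEY",
                 "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\nQ09OU1RSVUNURUQ=")
PKCS8_ENC = pem("ENCRYPTED PRIVATE KEY")
DER_BYTES = b"\x30\x82\x04\xa4\x02\x01\x00"

if __name__ == "__main__":
    for name in ("CERT_ONLY", "CERT_AND_KEY", "LEGACY_ENC", "PKCS8_ENC", "DER_BYTES"):
        print(f"{name:13} {classify_key_file(globals()[name])}")
```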

Method 2: Decrypting with Pre-Master Secrets

This method is relatively new to Wireshark and allows you to decrypt the encrypted traffic using the Pre-Master Secret which is generated by the client. By default, this key isn't logged anywhere for obvious reasons but with Chrome it's possible to set an environment variable and have these written to disk.
  1. (Windows 7) Right click on 'My Computer' and then go to properties. Then click Advanced System Settings > Environment Variables. Then under system variables - create a new variable named SSLKEYLOGFILE with the value being a text file. In this case I went with C:\premaster.txt. Click OK through all open dialogs. I've found this didn't take effect immediately and needed a reboot before it started logging.
  2. Back in Wireshark, head to Edit > Preferences > Protocols > SSL. Under the option for '(Pre)Master-Secret log file name' - select your log file you created above (so C:\premaster.txt).
  3. Start your capture in Wireshark and then generate a few SSL connections in Chrome. Stop the capture when you're done.
  4. In Wireshark, you should again see that your encrypted traffic is now unwrapped ready for some troubleshooting. If you don't, check the pre-master file you've created exists and has some contents. If not you should double check your environment variable.
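To go further than step 4's "exists and has some contents" check, the following added example (not from the original post) validates each line of an NSS-format key log and tests whether it holds a secret for a given session. It assumes you copy the 32-byte Random from the Client Hello in your capture; the function names and sample log are constructed, and the TLS 1.3 labels go beyond what the post covers.

```python
import re

HEX = re.compile(r"[0-9a-fA-F]+")
TLS13 = ("CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
         "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET")
# label -> (identifier length, allowed secret lengths), all in hex characters
FORMATS = {"RSA": (16, {96}), "CLIENT_RANDOM": (64, {96})}
FORMATS.update({label: (64, {64, 96}) for label in TLS13})

def parse_keylog(text):
    """Return (entries, problems); entries maps (label, identifier) -> secret."""
    entries, problems = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed
        parts = line.split(" ")
        if len(parts) != 3 or parts[0] not in FORMATS:
            problems.append((n, "not a '<label> <id> <secret>' line"))
            continue
        label, ident, secret = parts
        id_len, secret_lens = FORMATS[label]
        if not (HEX.fullmatch(ident) and HEX.fullmatch(secret)):
            problems.append((n, "non-hex characters"))
        elif len(ident) != id_len or len(secret) not in secret_lens:
            problems.append((n, "wrong field length (truncated write?)"))
        else:
            entries[(label, ident.lower())] = secret.lower()
    return entries, problems

def has_secret_for(entries, client_random):
    """True if the log holds a secret keyed by this Client Hello Random
    (hex as copied from Wireshark; colons and spaces are tolerated)."""
    wanted = re.sub(r"[\s:]", "", client_random).lower()
    return any(ident == wanted and label != "RSA" for label, ident in entries)

# Constructed sample log (not real secrets): one good line, one truncated line.
SAMPLE = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48,
    "CLIENT_RANDOM " + "12" * 32 + " " + "ef" * 40,
])

if __name__ == "__main__":
    entries, problems = parse_keylog(SAMPLE)
    print(len(entries), "usable entries; problems:", problems)
    print("session ab..:", has_secret_for(entries, "AB:" * 31 + "AB"))
```

If the log is well-formed but has no entry for the session in your capture, the browser was not logging when that handshake happened, so start a brand new session with the capture running.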

There is of course a much easier method for looking into encrypted traffic if you're only looking at HTTP traffic (or traffic that supports a proxy setting) and that's to use Fiddler. Fiddler is an excellent local proxy application which can perform SSL termination and re-encryption (otherwise known as 'man-in-the-middle' / MITM). If you don't need a full packet capture and can make do with the HTTP requests and responses this might save you a lot of pain.


  1. I cannot get mine to work. It is still encrypted. I get the:

    # SSL/TLS secrets log file, generated by NSS
    CLIENT_RANDOM 437514074a141d5416504446e5f509d2242d9775781063075e0f7586e3f504fc b4f1f9cd7511ed06c5933fb0f8f1ebfe56c66a2da397770ae9b9ec2cb07b917292043995e66b4571733a4a4631e8e6f7

    But it is still not decrypted.

    In windows 7 cmd:

    set SSLKEYLOGFILE=c:\premaster.txt
    "C:\Program Files (x86)\Mozilla Firefox\firefox.exe"

    I then browse for the c:\premaster.txt in wireshark 1.10.8 SSL settings.

    But nothing is decrypted.

    Any ideas?

  2. I've got the same issue. Appreciate it if anyone could post a solution.

  3. I have tried multiple times. This has never worked for me. I have never seen SSLKEYLOGFILE working and the sslkeylogfile getting created.

  4. nope same here==> solution plz it's still encrypted don't see the difference :-)) hhmmm why people create an article and don't help people out back in the old days it was different everyone helps what is it now with dudes like this it's like on YouTube guys posting non working things why why???? will never understand a question that I'm never gone ask myself

    1. "why people create an article and don't help people out" - so taking my time to write this article in the first place isn't helping people out? How selfish am I...
      I'm sorry you can't get this to work - maybe write your own article or video about how to make it work to help people out like 'back in the old days'. I imagine it's something with Firefox that has changed but of the 24'000 people that have viewed this article only four have said they can't get it to work. Feel free to test and help everyone out by posting your findings.

  5. The other 23,996 couldn't get it to work either, they just moved on to the next article that also described something that doesn't work. Just like I am.

    1. I did consider just deleting your negative comments but after a cup of coffee and some consideration, I decided to leave it. I've also tested it out and found it still works exactly as expected. All I can suggest is to take less time trolling comments of blogs you don't understand and spend some more time re-reading the post.
      I've re-tested this (just to humor the 0.00008% of people who can't make this work) with the latest version of Chrome and it still works perfectly. If you're using Firefox > 46 - they've disabled the key logging feature so you'll have to download an older version. I've tried with 35 and again, it works perfectly. I've loaded the capture in Wireshark (v1 and v2) with a couple of captures taken this morning to SSL sites and I can view the HTML within the SSL session.
      I'm sorry you can't get this to work - but the instructions are fine so please stop trolling.

    2. Really Stuart are you that stupid if you copy paste an article just try it out :p I see your comment and it is not as a IT professional would be I think you aren't and yeah delete my comment also if you do I will spam your article.
      And yeah you tested it hhmmmm on what system XP? instead of saying that it work help people out!!!
      And you can copy paste articles but you can't communicate like a normal person
      Who is the troll now!
      Just leave this guy be He is the Master in saying other people are stupid but he is because he still believe in Santa Claus also little humor :p

    3. I'm flattered you think this is good enough to be copied from somewhere else so thanks, I guess? I tested it yesterday on Windows 7 so I genuinely don't know why it's not working for you. Do you have any errors? Does the keyfile get populated? Are you starting a brand new SSL session in the browser?

  6. Thanks to the author. It works for me. I have this version of WS - Version 2.0.4 (v2.0.4-0-gdd7746e from master-2.0), and I must say, file got generated only with Chrome, tried with IE/FF but it just didn't work but anyway thanks very much for your article.

  7. I managed to get it to work by copying from the "C:\premaster.txt" and pasting it on the "pre-shared-key" on wireshark preferences.

    This did decrypt a few requests... :D

  8. just to give some update also, I know it must be frustrating when it does not work but when it works following exactly the article there is not much to say apart from thanks! Just did it on Windows 7 Enterprise SP1, Chrome 60.0.3112.90 (64 bit).

    For info, if you look at the raw output of Wireshark or do a follow TCP Stream then yes, it is still encrypted but Wireshark decrypts in the protocol detail/parsing window, this could be something people did not see and thought it is not working.

  9. I followed the same exact steps as mentioned in the section "Method 2: Decrypting with Pre-Master Secrets" and I can see the traffic getting unwrapped in Wireshark!

    A few things may help:
    1. I have the SSLKEYLOGFILE environment variable in both my "User Variable" and "System Variable".
    2. Set the SSLKEYLOGFILE path in Wireshark's "Pre-Master Secret log filename".
    3. Restarted my comp.
    4. Cleared my browser cache and closed the browser.
    5. Opened the browser and browsed an SSL page with wireshark capture enabled.
    6. I was able to see sessions in the SSLKEYLOGFILE and the traffic getting unwrapped to "HTTP" in wireshark.

    Thank you very much for the detailed post, Stuart!!!

    1. please help me, I can't find SSL when I click preferences->protocol

    2. Use TLS instead of SSL in preferences.