Decrypting SSL traffic in Wireshark. Only headers get decrypted


I'm trying to decrypt SSL traffic in Wireshark, and it partially works because I'm able to view the decrypted headers. The problem is that I don't see any of the packet contents, only their headers. Is there an explanation for this behaviour?

A bit more detail:
we used openssl to generate keys and certificates with the command:
openssl req -config *.cnf -new -x509 -extensions v3_ca -keyout *.key -out *.crt -days 1825

and then to decrypt the private key to a PKCS#8 format, which Wireshark supposedly supports, we issued this command:
openssl pkcs8 -nocrypt -in *.key -informat DER -out *.key -outformat PEM

In Wireshark we issued the following parameters in SSL decryption section:
10.10.10.10,443,http,*.key – where 10.10.10.10 is the client we're trying to MITM using sslsniff. We have also tried localhost and the server's IP with no success. Any suggestions?

Best Answer

The SSL connection was probably using Diffie-Hellman to establish the session key. DH allows two parties to establish a shared secret over an insecure channel with no prior communication. This means that even though you have the private key, you can't determine the session key by inspecting the traffic. To decode a DH session you have to actively MITM the connection, or get one of the parties to log the session key.
