Troubleshooting cheat sheet - howto decrypt SSL data with Wireshark

  • 7006041
  • 19-May-2010
  • 14-Jun-2013

Environment

Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server
Novell Access Manager 3.1 Java Agents
Novell Access Manager 3.1 SSLVPN Server
Novell Access Manager 3.1 Access Administration
Novell Access Manager 3.1 Linux Access Gateway
Novell Access Manager 3.1 Netware Access Gateway

Situation

AM 3.1 Howto decrypt SSL data with Wireshark cheat sheet
============================================

Functionality: the goal is to decrypt SSL data from a LAN trace.

Wireshark settings required to capture all relevant traffic:

1. Make sure you have a version of Wireshark (http://www.wireshark.org/download.html) that includes the SSL decryption functionality. At the time of writing, the latest release (version 1.2.7) has this built in by default. If you do not see the "RSA keys list" and "SSL debug file" fields described later in this document, your Wireshark build does not have the SSL decrypt functionality.

2. Make sure the network trace you want to analyze includes the full SSL handshake. The trace must contain ClientHello, ServerHello, Certificate and ServerHelloDone, not just ClientHello, ServerHello, ChangeCipherSpec (the abbreviated handshake of a resumed session, which carries no key exchange and cannot be decrypted from the trace alone). Decryption with the server's private key also requires that the negotiated cipher suite uses RSA key exchange; suites with ephemeral Diffie-Hellman key exchange cannot be decrypted this way.

3. Make sure Wireshark is set to decode your secure application port as SSL. If you are running HTTP over SSL on TCP port 8443, or LDAP over SSL on TCP 636, select that TCP port in the trace and choose 'Decode As' SSL.

4. Retrieve the private key from the Admin Console 'Server certificates' tab for the device whose traffic you are trying to decrypt:

- go to Server certificates and select the server certificate whose subject name matches the one sent back in the 'Certificate' message of the SSL handshake
- open this certificate and click Export Private/Public Keypair
- enter a password and save the file to disk

5. Convert the exported file (PFX format) to a format Wireshark can read (PEM) using OpenSSL:

- go to a Linux server with OpenSSL installed (the LAG, for example)
- run 'openssl pkcs12 -in <$pfx_filename_from_4_above.pfx> -out <$any_pem_filename_you_give.pem> -nodes'
- enter the password from the previous step
- note that '-nodes' writes the private key to the PEM file unencrypted, so keep the file out of shared locations and delete it once the analysis is done

6. Configure Wireshark to use the private key:

- go to Edit -> Preferences -> Protocols -> SSL
- in 'RSA keys list', specify an entry of the form <server_ip_address>,<ssl_port>,<protocol_used>,<path_to_key_file>, e.g. 147.2.16.126,8443,http,c:\idp_server_a.pem

7. Open the encrypted LAN trace in Wireshark and confirm that you can now view the HTTP data.
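As an added pre-check for steps 2 and 6 (example code written for this cheat sheet, not part of the original TID or of Access Manager): it walks the server's handshake flight from a raw TLS byte stream, reports which handshake messages are present and which cipher suite the ServerHello selected, and says whether the exported server private key can decrypt the session. The sample flights at the bottom are constructed, not captured, and the parser assumes each handshake message fits in a single TLS record.

```python
import struct

# Plain-RSA key exchange suites: the premaster secret is encrypted to the server's public
# key, so the private key exported in step 4 recovers the session; DHE/ECDHE suites cannot.
RSA_KX_SUITES = {0x0004, 0x0005, 0x000A, 0x002F, 0x0035, 0x003C, 0x003D}
HANDSHAKE, SERVER_HELLO, CERTIFICATE, SERVER_HELLO_DONE = 0x16, 2, 11, 14

def handshake_messages(data):
    """Yield (handshake_type, body) from every handshake record in a raw TLS byte stream."""
    off = 0
    while off + 5 <= len(data):
        ctype, length = data[off], struct.unpack("!H", data[off + 3:off + 5])[0]
        payload, off = data[off + 5:off + 5 + length], off + 5 + length
        if ctype != HANDSHAKE:
            continue  # ChangeCipherSpec, Alert and ApplicationData carry no handshake messages
        pos = 0
        while pos + 4 <= len(payload):
            hlen = int.from_bytes(payload[pos + 1:pos + 4], "big")
            yield payload[pos], payload[pos + 4:pos + 4 + hlen]
            pos += 4 + hlen

def summarize_server_flight(data):
    """Return the handshake types seen and the cipher suite chosen in ServerHello."""
    seen, suite = [], None
    for htype, body in handshake_messages(data):
        seen.append(htype)
        if htype == SERVER_HELLO:  # body: version(2) random(32) sid_len(1) sid suite(2) ...
            suite = struct.unpack("!H", body[35 + body[34]:37 + body[34]])[0]
    return seen, suite

def decryptable_with_server_key(data):
    """Checks from steps 2 and 6: full handshake present and RSA key exchange negotiated."""
    seen, suite = summarize_server_flight(data)
    if CERTIFICATE not in seen or SERVER_HELLO_DONE not in seen:
        return False, "abbreviated (resumed) handshake: no Certificate/ServerHelloDone"
    if suite not in RSA_KX_SUITES:
        return False, "cipher suite 0x%04x does not use RSA key exchange" % suite
    return True, "cipher suite 0x%04x uses RSA key exchange" % suite

# Constructed sample flights (not real captures): TLS 1.0 records, zero random, empty
# session ID, empty certificate list; RESUMED is ServerHello followed by ChangeCipherSpec.
def _record(ctype, payload):
    return bytes([ctype, 3, 1]) + struct.pack("!H", len(payload)) + payload
def _hs(htype, body):
    return bytes([htype]) + len(body).to_bytes(3, "big") + body
def _server_hello(suite):
    return _hs(SERVER_HELLO, b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00")

FULL_RSA = _record(HANDSHAKE, _server_hello(0x002F) + _hs(CERTIFICATE, bytes(3)) + _hs(SERVER_HELLO_DONE, b""))
FULL_DHE = _record(HANDSHAKE, _server_hello(0x0033) + _hs(CERTIFICATE, bytes(3)) + _hs(SERVER_HELLO_DONE, b""))
RESUMED = _record(HANDSHAKE, _server_hello(0x002F)) + _record(0x14, b"\x01")
```

On a real trace, feed the server-to-client TCP payload (Wireshark's "Follow TCP Stream", raw, server direction) to decryptable_with_server_key before spending time on key export.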

Info to request:

- LAN trace containing the SSL data
- IP address and TCP port of the server whose traffic you are trying to decrypt
- exported private key associated with that service, together with its password

What to look for in log files:

- Cert details: you can view the certificates to check whether the certificate has expired, whether CRL or AIA (OCSP) revocation checking is enabled, and whether an intermediate or root CA is present
- Decoded HTTP data lets you view the rewritten data and header information

Useful TIDs:

1. How to use Wireshark to decrypt Access Manager SSL data - https://www.novell.com/coolsolutions/appnote/19321.html
2. How to use Linux ssldump to decrypt SSL data - https://support.microfocus.com/kb/doc.php?id=10097349&sliceId=&docTypeID=DT_TID_1_1&dialogID=70658028&stateId=0%200%20135560399
3. Issues decrypting SSL data with Wireshark - http://www.wireshark.org/lists/wireshark-users/200803/msg00050.html