

Approach A: just decrypt to a text file on the proxy

I did:
ssldump -Aed -nr my_ssl_vip_encrypted.pcap -k /config/filestore/files_d/Common_d/certificate_key_d/\:Common\:key_wrong_common_name_should_fail.key_296251_1


9c f4 a4 30 0b 75 22 d4 66 3b 6a 33 1d 5d e2 a0 ...0.u".f;j3.]..
36 b3 59 05 b5 d9 8e 1a d4 86 68 c0 e9 e9 69 97 6.Y.......h...i.
38 a8 39 3d 3d ed 4e 61 16 6a 54 01 35 21 be 8d 8.9==.Na.jT.5!..
90 ed 08 08 d9 8e 70 76 76 76 ef 62 b3 0a 08 ff ......pvvv.b....
0e 00 85 74 f7 fa 05 85 37 3b 00 00 00 00 49 45 ...t....7;....IE
4e 44 ae 42 60 82 ND.B`.
4 13 1430340676.5581 (2.4335) C>SV3.3(518) application_data
POST /my.policy HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: LastMRH_Session=3040878c; MRHSession=d6935a50c3854f82a7b645213040878c
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 47


Approach B: The PMS file way
This approach creates a pre-master secret (PMS) file on the BIG-IP that you then download and load into Wireshark before opening the capture.
Note: I don’t see any advantage to approach B, seeing as Wireshark still didn’t decrypt it properly for me, so I was stuck just looking at a text file to see the plaintext instead of the nice Wireshark GUI. I’ve had these kinds of problems with Wireshark before. So in my situation I would just go with approach A: pipe the output of ssldump to a file and download that file off the box for analysis.

My virtual is, so I did:
tcpdump -ni 0.0 host -w my_ssl_vip_encrypted.pcap -s0

and then:

ssldump -r my_ssl_vip_encrypted.pcap -k /config/filestore/files_d/Common_d/certificate_key_d/\:Common\:key_wrong_common_name_should_fail.key_296251_1 -M my_ssl_vip_pms.pms

Note that the key I used was named “key_wrong_common_name_should_fail.key”, but the system stores it with an underscore and some numbers appended to the name.
If your key has a fairly unique name, you should have no trouble finding the file to refer to in the ssldump command.
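As an added example that is not part of the original post (editor's code, not F5's), the POSIX shell script below does the two things the steps above do by hand: it resolves the stored key file from the key's display name, since the filestore appends "_<id>_<n>" to it, and then runs the post's two ssldump invocations (approach A to a text file, approach B to a PMS file). It assumes the filestore layout /config/filestore/files_d/<partition>_d/certificate_key_d/ with ":<partition>:<name>_<id>_<n>" file names and the F5 ssldump build's -M option, both of which the post shows for the Common partition; the FILESTORE_ROOT and SSLDUMP overrides and the demo filestore at the bottom are the editor's, added so the path resolution can be exercised off the box.

```shell
#!/bin/sh
# Added example (editor's, not code from the original post or from F5).
# Resolves a BIG-IP SSL key's filestore path from its display name, since the
# system appends "_<id>_<n>" to the stored file (as the post notes), then runs
# the post's two ssldump invocations: approach A writes the decrypted
# application data to a text file, approach B writes a pre-master-secret file
# for Wireshark.
# Assumptions: the filestore layout /config/filestore/files_d/<partition>_d/certificate_key_d/
# with ":<partition>:<name>_<id>_<n>" file names, and the F5 ssldump build's
# -M <file> option. FILESTORE_ROOT and SSLDUMP can be overridden for testing.

FILESTORE_ROOT="${FILESTORE_ROOT:-/config/filestore/files_d}"
SSLDUMP="${SSLDUMP:-ssldump}"

# f5_key_path <partition> <key-name>
# Prints the single stored key file for that name; fails if zero or several match.
f5_key_path() {
    partition="$1" keyname="$2"
    dir="$FILESTORE_ROOT/${partition}_d/certificate_key_d"
    found="" count=0
    # Match only a "_<digits>_<digits>" suffix so "foo.key" does not pick up "foo.key_old".
    for f in "$dir/:${partition}:${keyname}_"[0-9]*_[0-9]*; do
        [ -e "$f" ] || continue
        found="$f"
        count=$((count + 1))
    done
    if [ "$count" -ne 1 ]; then
        echo "f5_key_path: expected one file for '$keyname' under $dir, found $count" >&2
        return 1
    fi
    printf '%s\n' "$found"
}

# f5_decrypt <pcap> <partition> <key-name> <outbase>
# Approach A writes <outbase>.txt, approach B writes <outbase>.pms.
f5_decrypt() {
    pcap="$1" partition="$2" keyname="$3" out="$4"
    [ -s "$pcap" ] || { echo "f5_decrypt: capture '$pcap' is missing or empty" >&2; return 1; }
    key=$(f5_key_path "$partition" "$keyname") || return 1
    # Approach A: -A all record fields, -e absolute timestamps, -d application data,
    # -n no name resolution, -r read the capture, -k the server's private key.
    "$SSLDUMP" -Aed -nr "$pcap" -k "$key" > "$out.txt" || return 1
    # Approach B: -M writes the pre-master secrets in the format Wireshark's
    # key log preference reads.
    "$SSLDUMP" -r "$pcap" -k "$key" -M "$out.pms" || return 1
    printf '%s\n' "$out.txt" "$out.pms"
}

# Stand-alone demo on a constructed filestore (no BIG-IP needed): only the path
# resolution runs here; the ssldump calls need the box and a real capture.
demo=$(mktemp -d)
mkdir -p "$demo/Common_d/certificate_key_d"
: > "$demo/Common_d/certificate_key_d/:Common:key_wrong_common_name_should_fail.key_296251_1"
saved_root="$FILESTORE_ROOT"
FILESTORE_ROOT="$demo"
f5_key_path Common key_wrong_common_name_should_fail.key
FILESTORE_ROOT="$saved_root"
rm -rf "$demo"
```

Two caveats worth keeping in mind when this fails to produce plaintext. Decrypting with the server's private key only works when the handshake used RSA key exchange and the capture includes that full handshake; with (EC)DHE cipher suites, or a capture that starts mid-session or on a resumed session, neither ssldump nor Wireshark can recover the session keys from the key file alone. And the .txt and .pms outputs contain everything the TLS session protected, including the form-posted credentials seen later in this post, so treat them as sensitive and remove them from the box once you have pulled them off.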

After loading the PMS into Wireshark and then the PCAP, you will see the plaintext in the ssldebug.txt file as shown in this pic, but in my Wireshark (latest version, downloaded today, version 1.12.4). And you can see the HTTP headers and so on. In my case I’m even seeing a username and password, as shown below:

Here are my wireshark ssl settings:

Attachments: pic1.png (75.74 KB), pic2.png (127.17 KB)