
Analysing and Decrypting HTTPS traffic with Wireshark

While integrating or troubleshooting Web applications using HTTPS, it is sometimes necessary to have a view of the decrypted HTTP traffic. On the browser side, using a browser extension like Tamper Data in Firefox or ieHTTPheaders in Internet Explorer is the easiest and most efficient way to see cookies, HTTP headers, user agents, location redirects etc. But if the application uses a rich client, or to analyse the back-end communication between Airlock and the back-end server, the way to go is using Wireshark to decrypt the HTTPS data stream.


Wireshark is able to decrypt SSL traffic if the server's private key is available.
To analyze HTTPS traffic, you need to record a network connection that was established with a full SSL handshake. A full handshake can be recognised by the certificate exchange. The private key can be added to such a trace file later on to decrypt the traffic. The private key file has to be available in PEM format, which is the same format used in the Airlock Configuration Center.



If the key is not in RSA PEM format, e.g.:


use the following command to convert it:

# openssl rsa -in airlockpk_notRSA.pem -out airlockpk.pem

Wireshark Configuration

Newer Wireshark (Version 1.6.1)

In Edit - Preferences - Protocols - SSL - RSA keys list: Edit
Add a new entry to decrypt the traffic. IP and port match the server endpoint of the TCP connection (server IP, server port). In the case of HTTPS the protocol is http (not https!). Configure the path to the private key and, if the key is password protected, the password too (see screenshot), e.g.:
IP address:
Port: 443
Protocol: http
Key File: c:\cert\airlockpk.pem

Older Wireshark (Version 0.99.5)

In Edit - Preferences - Protocols - SSL the following fields must be configured (see screenshot):
RSA keys list:,443,http,c:\cert\airlockpk.pem

The IP/port association has to match the TCP connection on which the full SSL handshake takes place.
Subsequent connections that resume the SSL session of the recorded initial handshake will be decrypted as well.

Decryptable Protocols

Cipher suites that provide Perfect Forward Secrecy (PFS) cannot be decrypted this way, because the key exchange cannot be traced and reconstructed by an external observer, even one holding the server's private key. These are all cipher suites using Diffie-Hellman key exchange.

If Wireshark was able to decrypt content, you will find the following message in the SSL log file:
dissect_ssl3_hnd_srv_hello found CIPHER 0x0004 -> state 0x17

If Wireshark was NOT able to decrypt content, you will find the following message in the SSL log file:
dissect_ssl3_hnd_srv_hello can't find cipher suite 0x39
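As an added illustration of the distinction above (this is not code from the original article or from Wireshark): a small Python parser that reads the negotiated cipher suite out of a ServerHello record and reports whether the server's RSA private key would let Wireshark decrypt the session. The suite table is a constructed subset of the IANA TLS registry, the ServerHello bytes are constructed samples, and 0x0004 and 0x0039 are the two suites that appear in the log lines above.

```python
import struct

# Cipher suite numbers from the IANA TLS registry, grouped by key exchange.
# RSA key exchange: the premaster secret is encrypted to the server's public
# key, so its private key yields the session keys. (EC)DHE: the RSA key only
# signs an ephemeral exchange, so a passive observer cannot recover them.
RSA_KX = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}
DH_KX = {
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
}

def build_server_hello(suite, session_id=b"", version=0x0301):
    """Constructed sample: a minimal TLS handshake record carrying a ServerHello."""
    body = struct.pack("!H", version) + b"\x11" * 32           # version + fixed random
    body += bytes([len(session_id)]) + session_id
    body += struct.pack("!H", suite) + b"\x00"                 # suite, null compression
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body  # type 2 = ServerHello
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake

def parse_server_hello(record):
    """Return (cipher_suite, session_id) from a handshake record holding a ServerHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("record does not start with a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    # 38 = version(2) + random(32) + session_id_len(1) + suite(2) + compression(1)
    if len(body) != hs_len or hs_len < 38 or hs_len < 38 + body[34]:
        raise ValueError("truncated ServerHello")
    sid_len = body[34]
    session_id = body[35:35 + sid_len]
    suite = struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]
    return suite, session_id

def decryptable_with_server_key(suite):
    """True when the server's RSA private key is enough for Wireshark to decrypt."""
    if suite not in RSA_KX and suite not in DH_KX:
        raise KeyError("cipher suite 0x%04x is not in the table above" % suite)
    return suite in RSA_KX
```

A suite that raises KeyError is simply one the table does not cover; extend the two dictionaries from the IANA registry as needed.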

If you turn off Diffie-Hellman cipher suites in the server's configuration file, you force the communication partners to negotiate another cipher suite without Diffie-Hellman, so that Wireshark will be able to decrypt the data stream. In Apache you have to add !DH at the end of the SSLCipherSuite, for instance:


For more details on the default cipher suites used in Airlock, please refer to this article.

How to deactivate Diffie-Hellman on Airlock's Apache

Airlock 5

Use "Apache Expert Settings" to adjust the cipher suites. To do that, open the corresponding virtual host in the Configuration Center and go to the "Expert Settings" tab. Then, add the new SSLCipherSuite string to the "httpd.conf" field and activate the new configuration.

Airlock 4.2

Follow the steps in this article.


How to deactivate Diffie-Hellman on Microsoft's IIS

To disable Diffie-Hellman in Microsoft IIS, do the following:

  1. Log in as administrator on the relevant Windows system
  2. Start Registry Editor (Regedit.exe), and locate the following key in the registry.
  3. Add new DWORD value with Name Diffie-Hellman and value 0
  4. To make changes active, restart the Windows system

As an alternative to steps 2 and 3, download this registry file from Techzone and double-click it on the designated Windows system.

Further information about Microsoft's Schannel is available on the following website:
