You are here

Analysing and Decrypting HTTPS traffic with Wireshark

Affects product: 
Airlock

While integrating or troubleshooting Web applications using HTTPS, it is sometimes necessary to have a view of the decrypted HTTP traffic. On the browser side, using a browser extension like Tamper Data in Firefox or ieHTTPheaders in Internet Explorer is the easiest and most efficient way to see cookies, HTTP headers, user agents, location redirects etc. But if the application uses a rich client, or to analyse the back-end communication between Airlock and the back-end server, the way to go is using Wireshark to decrypt the HTTPS data stream.

Concept

Wireshark is able to decrypt SSL traffic, if the private key of an endpoint is given.
To analyze HTTPS traffic, you simply need to record a network connection established with the full SSL handshake. A full handshake is detectable by the certificate exchange. On such a trace file, the private key can be added even later on, to decrypt the traffic. The private key file has to be available in PEM format. This is the same format which is used in the Airlock Configuration Center.

Example:

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAutxnTm+4qp0pO/aqo5u8CMUQFuz2Ee2OdN3GV5dKyHopY1ZE
efiTn9dsSO/XfXQTDBE9cz2qekspTHM/7rdwyhDcMNZoB0Mxm7MnAXA3tWg7SrU4
...
wMwB7LL/cy3BgPz338yOAI4Sg9HpJnAAUBx9AlicqtWxu+vlMVQhWXjAzTiamXgZ
45zeBiPnEbittcDF7QfMCCvVnBWxFowtgp4tK2wNL1iF1wFMcw4Snw==
-----END RSA PRIVATE KEY-----

If the key is not in RSA pem format, e.g:

-----BEGIN PRIVATE KEY-----
MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBAPwRRVDuDI/p9sKo
jZbt7p3XzsEjUIp63nlfAM7Evjf2A2plb80AAVg2l2QCrk9I6DkRiHvmYYuclky/
...
7rDWqEj3XUDKvGyEj6uhmtHTz53Yxt6EtYMfTyDue3XUtSoZjnwKAJfIX3QJP0xg
CcxMIXQTCMlqYBx/
-----END PRIVATE KEY-----

Use the following command to convert it:

# openssl rsa -in airlockpk_notRSA.pem -out airlockpk.pem

Wireshark Configuration

Newer Wireshark (Version 1.6.1)

In Edit - Preferences -Protocols - SSL - RSA Key list: Edit
Add a new profile to decrypt the traffic. IP and port matches the endpoint of the TCP connection (server ip, server port). In case of HTTPS the protocol would be http (not https!). Configure the path to the private key and if protected with an password, that one too (see screenshot). e.g.:
IP address: 172.18.1.221
Port: 443
Protocol: http
Key File: c:\cert\airlockpk.pem

Older Wireshark (Version 0.99.5)

In Edit - Preferences - Protocols - SSL the following fields must be configured (see screenshot):
RSA keys list: 172.18.1.221,443,http,c:\cert\airlockpk.pem

The IP/port association has to match the TCP connection which fullfills the SSL full handshake.
Subsequent connections using SSL session resumes for the recorded initial handshake will be decrypted as well.

Decryptable Protocols

Ciphers that provide Perfect Forward Secrecy (PFS) cannot be decrypted because the key exchange cannot be traced and reconstructed for an external communication partner. These are all ciphers using Diffie Hellmann.

If Wireshark was able to decrypt content, you will find the following message in the SSL log file:
dissect_ssl3_hnd_srv_hello found CIPHER 0x0004 -> state 0x17

If Wireshark was NOT able to decrypt content, you will find following message in the SSL log file:
dissect_ssl3_hnd_srv_hello can't find cipher suite 0x39

If you turn off Diffie-Hellman cipher suites in the server's configuration file, you can force the communication partners to negotiate another protocol, excluding Diffie-Hellman, so that Wireshark will be able to decrypt the data stream. In Apache you have to add !DH at the end of the SSLCipherSuite, for instance:

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL:!DH

For more details on the default cipher suites used in Airlock, please refer to this article.

How to deactivate Diffie Hellmann on Airlock's Apache

Airlock 5

Use "Apache Expert Settings" to adjust the cipher suites. To do that, open the corresponding virtual host in the Configuration Center and go to the "Expert Settings" tab. Then, add the new SSLCipherSuite string to the "httpd.conf" field and activate the new configuration.

Airlock 4.2

Follow the steps in this article.

 

How to deactivate Diffie Hellmann on Microsoft's IIS

To disable Diffie Hellmann in Microsoft IIS to the following:

  1. Login as administrator to the according Windows system
  2. Start Registry Editor (Regedit.exe), and locate the following key in the registry.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms
  3. Add new DWORD value with Name Diffie-Hellman and value 0
  4. To make changes active, restart the Windows system

Alternatively to step 2 and 3, just download this registry file from Techzone and double click it on the designated Windows system.

Further information about Microsoft's Schannel are available under the following website:
http://support.microsoft.com/kb/245030/en-us