Bernhard Bock

Decrypting TLS with Wireshark

More and more traffic is being encrypted via SSL/TLS. This is generally speaking a very good thing, as it improves security and privacy. Nevertheless, it makes debugging a lot harder. With HTTP, this can sometimes be mitigated by using in-browser debugging tools like firebug, which sees the decrypted payload. But sometimes, this is not viable (e.g. SOAP interfcaes), or we are talking about non-HTTP traffic, e.g. IMAPS for secure mailbox access.

This is where TLS decrypting in Wireshark is very helpful. Despite being one of the most helpful features in Wireshark, this functionality is not very widely known, as it is quite hidden in the GUI.

Obviously, TLS would not help at all to secure things, if everybody would be able to decrypt the traffic. You can only do this if you have the private key. Wireshark needs the key in PEM format to understand it. This is the default format used in Linux/Unix, so if you take the key file from Apache or Postfix directly from your Linux/Unix box, you don’t have to worry about the format of the file.

In order to decrypt traffic in Wireshark, you have to tell it about the key and which traffic it belongs to. This is done in the preferences dialog of Wireshark. In preferences -> protocols, scroll all the way down to “SSL”. Here, you need to put a string into the field “RSA key list”.

Hover over the field to get a short help. The string needs to have the format

IP,port,protocol,key file

So, if you put in there the string,443,http,/home/bernhard/

you tell Wireshark that all traffic to the IP address on port 443 is SSL encrypted. After decryption, the data shall be interpreted as HTTP, and the key file is to be found in my home directory in the file named

Afterwards, you can right-click on the TLS Client Hello packet and select “Follow SSL Stream”. Wireshark will display the decryted traffic in a new window.

Unfortunately, this feature can only decrypt traffic that is transport-layer-encryted. If you have any traffic where encryption is implemented in the protocol itself (usually called “STARTTLS”), as with most SMTP or XMPP (Jabber) services, you can not decrypt the traffic like this at the moment.
Also, if perfect forward security (PFS) is used, you cannot derive the session key and therefore cannot decrypt the traffic.

— Nov 15, 2009