
I'm trying to decrypt SSL traffic in Wireshark, and it partially works because I'm able to view the decrypted headers. The problem is that I don't see any of the packet contents, only their headers. Is there an explanation for this behaviour?

A bit more detail: we used openssl to generate keys and certificates with the command: openssl req -config *.cnf -new -x509 -extensions v3_ca -keyout *.key -out *.crt -days 1825

and then to decrypt the private key to a PKCS#8 format, which Wireshark supposedly supports, we issued this command: openssl pkcs8 -nocrypt -in *.key -inform DER -out *.key -outform PEM

In Wireshark we issued the following parameters in SSL decryption section: 10.10.10.10,443,http,*.key - where 10.10.10.10 is the client we're trying to MITM using sslsniff. We have also tried localhost and servers IP with no success. Any suggestions?


3 Answers

5

The SSL connection was probably using Diffie-Hellman to establish the session key. DH allows two parties to establish a shared secret over an insecure channel with no prior communication. This means that even though you have the private key, you can't determine the session key by inspecting the traffic. To decode a DH session you have to actively MITM the connection, or get one of the parties to log the session key.
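To turn the answer above into something you can check against your own capture, here is an added example (my code, not the answerer's): a small Python parser that pulls the negotiated cipher suite out of a TLS ServerHello and says whether the server's RSA private key alone can decrypt the session. The cipher-suite table is a hand-picked subset of the IANA registry and the sample ServerHello records are constructed inside the script, so it runs offline.

```python
"""Tell from the ServerHello whether a captured TLS session can be decrypted
with only the server's private key.

Added example for this thread (not from the original answer). The cipher
suite table is a small subset of the IANA TLS registry, and the ServerHello
records are constructed in-line so the script runs offline. Forward-secret
suites (DHE_*, ECDHE_*, and every TLS 1.3 suite) cannot be decrypted
passively: the session key never crosses the wire, so Wireshark needs a key
log from one endpoint instead of the server's RSA key.
"""
import struct

HANDSHAKE_RECORD = 0x16
SERVER_HELLO = 0x02

# Subset of the IANA registry; the name encodes the key exchange method
# between "TLS_" and "_WITH_". TLS 1.3 suites (0x13xx) omit it because
# TLS 1.3 always uses an ephemeral (EC)DH key_share.
CIPHER_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
}


def build_server_hello(cipher_suite, version=0x0303, session_id=b""):
    """Constructed test data: one TLS record holding a minimal ServerHello."""
    body = (struct.pack("!H", version)                 # server_version
            + bytes(32)                                # random (zeros; irrelevant here)
            + bytes([len(session_id)]) + session_id    # session_id
            + struct.pack("!HB", cipher_suite, 0))     # chosen suite, null compression
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE_RECORD, version, len(handshake)) + handshake


def classify_key_exchange(name):
    """Map a registry suite name to its key exchange family."""
    if name is None:
        return "unknown"
    if "_WITH_" not in name:
        return "TLS1.3"          # always ephemeral (EC)DH via the key_share extension
    kx = name[len("TLS_"):name.index("_WITH_")]
    if kx.startswith("ECDHE"):
        return "ECDHE"
    if kx.startswith("DHE"):
        return "DHE"
    if kx == "RSA":
        return "RSA"
    return kx                    # e.g. static DH_RSA, PSK, anon


def parse_server_hello(record):
    """Parse the first handshake message of a TLS record; it must be a ServerHello.

    Only the fields up to the cipher suite are decoded; extensions are ignored.
    """
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != SERVER_HELLO:
        raise ValueError("first handshake message is not a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < 35:                       # version(2) + random(32) + sid_len(1)
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", body[0:2])[0]
    sid_len = body[34]
    off = 35 + sid_len
    if len(body) < off + 3:                  # suite(2) + compression(1)
        raise ValueError("truncated ServerHello")
    suite = struct.unpack("!H", body[off:off + 2])[0]
    name = CIPHER_SUITES.get(suite)
    return {
        "version": version,
        "cipher_suite": suite,
        "name": name or "unknown (0x%04x)" % suite,
        "key_exchange": classify_key_exchange(name),
    }


def decryptable_with_server_key(record):
    """True only for RSA key transport: the premaster secret is encrypted to the
    server's RSA key, so Wireshark can recover it with that key. Every other
    method derives the secret from ephemeral values that are never transmitted."""
    return parse_server_hello(record)["key_exchange"] == "RSA"


if __name__ == "__main__":
    for suite in (0x002F, 0x0033, 0xC02F, 0x1301):
        rec = build_server_hello(suite)
        info = parse_server_hello(rec)
        print("%-42s %-7s passive decryption with RSA key: %s"
              % (info["name"], info["key_exchange"], decryptable_with_server_key(rec)))
```

In Wireshark the same field is `tls.handshake.ciphersuite` (older releases: `ssl.handshake.ciphersuite`) on the ServerHello (`tls.handshake.type == 2`). Two caveats worth knowing before blaming the key file: in TLS 1.2 and earlier the record headers and the ClientHello/ServerHello/Certificate messages are sent in the clear whether or not decryption works, so seeing "headers" proves nothing about the configured key; and if the suite is DHE, ECDHE or any TLS 1.3 suite, the RSA key will never get you past the handshake. In that case point the (Pre)-Master-Secret log filename preference at a key log written by one endpoint (Firefox, Chrome and curl honour the `SSLKEYLOGFILE` environment variable), or, for a lab server you control, restrict it to RSA key transport (OpenSSL cipher string `kRSA`) and accept the loss of forward secrecy for the test.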

2

You will have to capture and then configure Wireshark to decrypt.

Check out this tutorial (steps 2 and 3 seem to address your problem).

You may also want to check out Wireshark's wiki entry on TLS.

  • Thanks for the reply, but I've actually used that guide and ended up only being able to decrypt the headers. Commented Feb 13, 2012 at 20:13
  • @user1049697 This person was unable to see packets because he used a Diffie-Hellman cipher. seclists.org/wireshark/2009/Nov/75
    – sealz
    Commented Feb 13, 2012 at 20:17
0

Could you have been mistaking encrypted data for compressed data? Web servers usually use some form of data compression (gzip or deflate) which could obscure the payload to look like it was encrypted.
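As an added illustration of this last answer (my code, not the answerer's): the check a practitioner would run on a decrypted HTTP response to tell a gzip or deflate body from ciphertext. The responses are constructed inside the script so it runs offline; in practice the bytes come from the decrypted stream Wireshark shows you.

```python
"""Distinguish a compressed HTTP body from an encrypted one.

Added example for this thread (not from the original answer). The HTTP
responses are constructed in-line, so the script runs offline. Once TLS
decryption works, a gzip or deflate body still looks like random bytes in
the hex view; the Content-Encoding header and the first bytes of the body
say which it is, and a compressed body inflates cleanly where ciphertext
does not.
"""
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b"


def build_response(body, encoding=None):
    """Constructed test data: a complete HTTP/1.1 response, Content-Length framed."""
    if encoding == "gzip":
        payload = gzip.compress(body)
    elif encoding == "deflate":
        payload = zlib.compress(body)                 # zlib-wrapped, as the spec intends
    elif encoding == "raw-deflate":
        c = zlib.compressobj(wbits=-15)               # bare DEFLATE; some servers send this
        payload = c.compress(body) + c.flush()
        encoding = "deflate"                          # ...while still advertising "deflate"
    else:
        payload = body
    headers = ["HTTP/1.1 200 OK", "Content-Type: application/json",
               "Content-Length: %d" % len(payload)]
    if encoding:
        headers.append("Content-Encoding: %s" % encoding)
    return ("\r\n".join(headers) + "\r\n\r\n").encode("ascii") + payload


def split_http_response(raw):
    """Return (headers as a lowercase-keyed dict, body bytes).

    Assumes Content-Length framing; a chunked response would need
    de-chunking before the body can be inflated.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.decode("latin-1").split("\r\n")
    headers = {"status-line": lines[0]}
    for line in lines[1:]:
        k, _, v = line.partition(":")
        headers[k.strip().lower()] = v.strip()
    length = int(headers.get("content-length", len(body)))
    return headers, body[:length]


def looks_compressed(headers, body):
    """Cheap check before concluding that a body is still encrypted."""
    enc = headers.get("content-encoding", "identity").lower()
    return enc in ("gzip", "deflate") or body.startswith(GZIP_MAGIC)


def decode_body(headers, body):
    """Undo Content-Encoding.

    Falls back to raw DEFLATE for servers that send bare DEFLATE under
    "deflate" (a common server bug). Ciphertext or corrupted data raises
    zlib/gzip errors, which is itself the diagnostic.
    """
    enc = headers.get("content-encoding", "identity").lower()
    if enc == "gzip":
        return gzip.decompress(body)
    if enc == "deflate":
        try:
            return zlib.decompress(body)
        except zlib.error:
            return zlib.decompress(body, wbits=-15)
    return body


if __name__ == "__main__":
    for enc in (None, "gzip", "deflate", "raw-deflate"):
        headers, body = split_http_response(build_response(b'{"secret": "plain"}', enc))
        print("%-12s compressed=%-5s first bytes=%-8s -> %s"
              % (enc, looks_compressed(headers, body), body[:4].hex(),
                 decode_body(headers, body)))
```

Wireshark does the same inflation for you when the HTTP preference "Uncompress entity bodies" is enabled: the packet bytes pane gains an "Uncompressed entity body" tab for gzip/deflate responses. If there is no Content-Encoding header, the body does not start with the gzip magic, and inflating it raises, then the bytes are not compressed data and the TLS decryption itself is still the problem.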

